Analysis

  • max time kernel
    1043s
  • max time network
    1047s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system
  • submitted
    27-06-2024 21:51

General

  • Target

    Loader.exe

  • Size

    409KB

  • MD5

    808d880b4fc7f865fb607337690b5575

  • SHA1

    7782ec3da7a6f8ed196d4431c59d50690580ac39

  • SHA256

    90a58064c6df293fc564fa5b616c737f6fd31f6288433da2030ec56d6dc46962

  • SHA512

    7a7ee833835d9469a1a5b48a5cbf9c902f362d82ad37b2ba99944e692b4322c140d770dc7be30f8ace7b84d6508e4d2e5f2007294ca3c07094bbfca8120ec6a8

  • SSDEEP

    12288:KpsD64e1Muxkk3abqow6dL+32oJN/nSjCt1hw:OsG4kMUQU6E3NN/nk

Malware Config

Extracted

  • Family

    quasar

  • Version

    3.1.5

  • Botnet

    SeroXen

  • C2

    feel-barcelona.gl.at.ply.gg:47655

  • Mutex

    $Sxr-GV6wZsGZZMeZ3qfenc

Attributes
  • encryption_key

    OyypB9RDbCUrmPK8uTim

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Windows Defender Anti-Malware Disable Startup

  • subdirectory

    SubDir

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar payload (1 IoCs)
  • Checks computer location settings (2 TTPs, 48 IoCs)

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application (2 TTPs, 1 IoCs)
  • Looks up external IP address via web service (45 IoCs)

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s).

  • Program crash (48 IoCs)
  • Runs ping.exe (1 TTPs, 48 IoCs)
  • Scheduled Task/Job: Scheduled Task (1 TTPs, 48 IoCs)

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious use of AdjustPrivilegeToken (48 IoCs)
  • Suspicious use of SetWindowsHookEx (48 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\Loader.exe
    "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4500
    • C:\Windows\SysWOW64\schtasks.exe
      "schtasks" /create /tn "Windows Defender Anti-Malware Disable Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Loader.exe" /rl HIGHEST /f
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:4404
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iGci9aisTcue.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:5060
      • C:\Windows\SysWOW64\chcp.com
        chcp 65001
        3⤵
          PID:1664
        • C:\Windows\SysWOW64\PING.EXE
          ping -n 10 localhost
          3⤵
          • Runs ping.exe
          PID:3264
        • C:\Users\Admin\AppData\Local\Temp\Loader.exe
          "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
          3⤵
          • Checks computer location settings
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1040
          • C:\Windows\SysWOW64\schtasks.exe
            "schtasks" /create /tn "Windows Defender Anti-Malware Disable Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Loader.exe" /rl HIGHEST /f
            4⤵
            • Scheduled Task/Job: Scheduled Task
            PID:1884
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FBobXFTs1JH3.bat" "
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:4988
            • C:\Windows\SysWOW64\chcp.com
              chcp 65001
              5⤵
                PID:4604
              • C:\Windows\SysWOW64\PING.EXE
                ping -n 10 localhost
                5⤵
                • Runs ping.exe
                PID:4044
              • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                5⤵
                • Checks computer location settings
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of SetWindowsHookEx
                • Suspicious use of WriteProcessMemory
                PID:4428
                • C:\Windows\SysWOW64\schtasks.exe
                  "schtasks" /create /tn "Windows Defender Anti-Malware Disable Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Loader.exe" /rl HIGHEST /f
                  6⤵
                  • Scheduled Task/Job: Scheduled Task
                  PID:1532
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YvaM3dzYIf8g.bat" "
                  6⤵
                  • Suspicious use of WriteProcessMemory
                  PID:4352
                  • C:\Windows\SysWOW64\chcp.com
                    chcp 65001
                    7⤵
                      PID:684
                    • C:\Windows\SysWOW64\PING.EXE
                      ping -n 10 localhost
                      7⤵
                      • Runs ping.exe
                      PID:2076
                    • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                      "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                      7⤵
                      • Checks computer location settings
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of SetWindowsHookEx
                      • Suspicious use of WriteProcessMemory
                      PID:3936
                      • C:\Windows\SysWOW64\schtasks.exe
                        "schtasks" /create /tn "Windows Defender Anti-Malware Disable Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Loader.exe" /rl HIGHEST /f
                        8⤵
                        • Scheduled Task/Job: Scheduled Task
                        PID:2304
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NW9vsXkGJSbf.bat" "
                        8⤵
                        • Suspicious use of WriteProcessMemory
                        PID:4824
                        • C:\Windows\SysWOW64\chcp.com
                          chcp 65001
                          9⤵
                            PID:3028
                          • C:\Windows\SysWOW64\PING.EXE
                            ping -n 10 localhost
                            9⤵
                            • Runs ping.exe
                            PID:3328
                          • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                            "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                            9⤵
                            • Checks computer location settings
                            • Suspicious use of AdjustPrivilegeToken
                            • Suspicious use of SetWindowsHookEx
                            • Suspicious use of WriteProcessMemory
                            PID:3200
                            • C:\Windows\SysWOW64\schtasks.exe
                              "schtasks" /create /tn "Windows Defender Anti-Malware Disable Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Loader.exe" /rl HIGHEST /f
                              10⤵
                              • Scheduled Task/Job: Scheduled Task
                              PID:2932
                            • C:\Windows\SysWOW64\cmd.exe
                              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TX0FiJRUuTMF.bat" "
                              10⤵
                                PID:2188
                                • C:\Windows\SysWOW64\chcp.com
                                  chcp 65001
                                  11⤵
                                    PID:3984
                                  • C:\Windows\SysWOW64\PING.EXE
                                    ping -n 10 localhost
                                    11⤵
                                    • Runs ping.exe
                                    PID:4984
                                  • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                                    "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                                    11⤵
                                    • Checks computer location settings
                                    • Suspicious use of AdjustPrivilegeToken
                                    • Suspicious use of SetWindowsHookEx
                                    PID:4312
                                    • C:\Windows\SysWOW64\schtasks.exe
                                      "schtasks" /create /tn "Windows Defender Anti-Malware Disable Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Loader.exe" /rl HIGHEST /f
                                      12⤵
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:3568
                                    • C:\Windows\SysWOW64\cmd.exe
                                      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sriuu7QuOuq1.bat" "
                                      12⤵
                                        PID:4572
                                        • C:\Windows\SysWOW64\chcp.com
                                          chcp 65001
                                          13⤵
                                            PID:460
                                          • C:\Windows\SysWOW64\PING.EXE
                                            ping -n 10 localhost
                                            13⤵
                                            • Runs ping.exe
                                            PID:4552
                                          • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                                            "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                                            13⤵
                                            • Checks computer location settings
                                            • Suspicious use of AdjustPrivilegeToken
                                            • Suspicious use of SetWindowsHookEx
                                            PID:4584
                                            • C:\Windows\SysWOW64\schtasks.exe
                                              "schtasks" /create /tn "Windows Defender Anti-Malware Disable Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Loader.exe" /rl HIGHEST /f
                                              14⤵
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1972
                                            • C:\Windows\SysWOW64\cmd.exe
                                              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oT8nYospzh4b.bat" "
                                              14⤵
                                                PID:1960
                                                • C:\Windows\SysWOW64\chcp.com
                                                  chcp 65001
                                                  15⤵
                                                    PID:4848
                                                  • C:\Windows\SysWOW64\PING.EXE
                                                    ping -n 10 localhost
                                                    15⤵
                                                    • Runs ping.exe
                                                    PID:1796
                                                  • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                                                    "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                                                    15⤵
                                                    • Checks computer location settings
                                                    • Suspicious use of AdjustPrivilegeToken
                                                    • Suspicious use of SetWindowsHookEx
                                                    PID:4200
                                                    • C:\Windows\SysWOW64\schtasks.exe
                                                      "schtasks" /create /tn "Windows Defender Anti-Malware Disable Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Loader.exe" /rl HIGHEST /f
                                                      16⤵
                                                      • Scheduled Task/Job: Scheduled Task
                                                      PID:1212
                                                    • C:\Windows\SysWOW64\cmd.exe
                                                      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LRH25xKBWgUL.bat" "
                                                      16⤵
                                                        PID:3684
                                                        • C:\Windows\SysWOW64\chcp.com
                                                          chcp 65001
                                                          17⤵
                                                            PID:3232
                                                          • C:\Windows\SysWOW64\PING.EXE
                                                            ping -n 10 localhost
                                                            17⤵
                                                            • Runs ping.exe
                                                            PID:2384
                                                          • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                                                            "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                                                            17⤵
                                                            • Checks computer location settings
                                                            • Suspicious use of AdjustPrivilegeToken
                                                            • Suspicious use of SetWindowsHookEx
                                                            PID:2916
                                                            • C:\Windows\SysWOW64\schtasks.exe
                                                              "schtasks" /create /tn "Windows Defender Anti-Malware Disable Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Loader.exe" /rl HIGHEST /f
                                                              18⤵
                                                              • Scheduled Task/Job: Scheduled Task
                                                              PID:396
                                                            • C:\Windows\SysWOW64\cmd.exe
                                                              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WiGrO8cV5m6a.bat" "
                                                              18⤵
                                                                PID:3624
                                                                • C:\Windows\SysWOW64\chcp.com
                                                                  chcp 65001
                                                                  19⤵
                                                                    PID:1988
                                                                  • C:\Windows\SysWOW64\PING.EXE
                                                                    ping -n 10 localhost
                                                                    19⤵
                                                                    • Runs ping.exe
                                                                    PID:2976
                                                                  • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                                                                    "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                                                                    19⤵
                                                                    • Checks computer location settings
                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                    • Suspicious use of SetWindowsHookEx
                                                                    PID:2372
                                                                    • C:\Windows\SysWOW64\schtasks.exe
                                                                      "schtasks" /create /tn "Windows Defender Anti-Malware Disable Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Loader.exe" /rl HIGHEST /f
                                                                      20⤵
                                                                      • Scheduled Task/Job: Scheduled Task
                                                                      PID:4424
                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\x6i2T9ygz6Gx.bat" "
                                                                      20⤵
                                                                        PID:1200
                                                                        • C:\Windows\SysWOW64\chcp.com
                                                                          chcp 65001
                                                                          21⤵
                                                                            PID:60
                                                                          • C:\Windows\SysWOW64\PING.EXE
                                                                            ping -n 10 localhost
                                                                            21⤵
                                                                            • Runs ping.exe
                                                                            PID:3764
                                                                          • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                                                                            "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                                                                            21⤵
                                                                            • Checks computer location settings
                                                                            • Adds Run key to start application
                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                            • Suspicious use of SetWindowsHookEx
                                                                            PID:3216
                                                                            • C:\Windows\SysWOW64\schtasks.exe
                                                                              "schtasks" /create /tn "Windows Defender Anti-Malware Disable Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Loader.exe" /rl HIGHEST /f
                                                                              22⤵
                                                                              • Scheduled Task/Job: Scheduled Task
                                                                              PID:3568
                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qrEswbB7h5AM.bat" "
                                                                              22⤵
                                                                                PID:4972
                                                                                • C:\Windows\SysWOW64\chcp.com
                                                                                  chcp 65001
                                                                                  23⤵
                                                                                    PID:392
                                                                                  • C:\Windows\SysWOW64\PING.EXE
                                                                                    ping -n 10 localhost
                                                                                    23⤵
                                                                                    • Runs ping.exe
                                                                                    PID:2968
                                                                                  • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                                                                                    "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                                                                                    23⤵
                                                                                    • Checks computer location settings
                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                    • Suspicious use of SetWindowsHookEx
                                                                                    PID:1808
                                                                                    • C:\Windows\SysWOW64\schtasks.exe
                                                                                      "schtasks" /create /tn "Windows Defender Anti-Malware Disable Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Loader.exe" /rl HIGHEST /f
                                                                                      24⤵
                                                                                      • Scheduled Task/Job: Scheduled Task
                                                                                      PID:4664
                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eR1I1nIPHH07.bat" "
                                                                                      24⤵
                                                                                        PID:2812
                                                                                        • C:\Windows\SysWOW64\chcp.com
                                                                                          chcp 65001
                                                                                          25⤵
                                                                                            PID:3272
                                                                                          • C:\Windows\SysWOW64\PING.EXE
                                                                                            ping -n 10 localhost
                                                                                            25⤵
                                                                                            • Runs ping.exe
                                                                                            PID:4588
                                                                                          • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                                                                                            "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                                                                                            25⤵
                                                                                            • Checks computer location settings
                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                            • Suspicious use of SetWindowsHookEx
                                                                                            PID:3180
                                                                                            • C:\Windows\SysWOW64\schtasks.exe
                                                                                              "schtasks" /create /tn "Windows Defender Anti-Malware Disable Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Loader.exe" /rl HIGHEST /f
                                                                                              26⤵
                                                                                              • Scheduled Task/Job: Scheduled Task
                                                                                              PID:4964
                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QSvNRaTrjbHO.bat" "
                                                                                              26⤵
                                                                                                PID:4288
                                                                                                • C:\Windows\SysWOW64\chcp.com
                                                                                                  chcp 65001
                                                                                                  27⤵
                                                                                                    PID:3668
                                                                                                  • C:\Windows\SysWOW64\PING.EXE
                                                                                                    ping -n 10 localhost
                                                                                                    27⤵
                                                                                                    • Runs ping.exe
                                                                                                    PID:4884
                                                                                                  • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                                                                                                    "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                                                                                                    27⤵
                                                                                                    • Checks computer location settings
                                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                                    • Suspicious use of SetWindowsHookEx
                                                                                                    PID:2136
                                                                                                    • C:\Windows\SysWOW64\schtasks.exe
                                                                                                      "schtasks" /create /tn "Windows Defender Anti-Malware Disable Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Loader.exe" /rl HIGHEST /f
                                                                                                      28⤵
                                                                                                      • Scheduled Task/Job: Scheduled Task
                                                                                                      PID:5076
                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xQ5cykvDGbg8.bat" "
                                                                                                      28⤵
                                                                                                        PID:2540
                                                                                                        • C:\Windows\SysWOW64\chcp.com
                                                                                                          chcp 65001
                                                                                                          29⤵
                                                                                                            PID:2336
                                                                                                          • C:\Windows\SysWOW64\PING.EXE
                                                                                                            ping -n 10 localhost
                                                                                                            29⤵
                                                                                                            • Runs ping.exe
                                                                                                            PID:4980
                                                                                                          • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                                                                                                            "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                                                                                                            29⤵
                                                                                                            • Checks computer location settings
                                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                                            • Suspicious use of SetWindowsHookEx
                                                                                                            PID:2304
                                                                                                            • C:\Windows\SysWOW64\schtasks.exe
                                                                                                              "schtasks" /create /tn "Windows Defender Anti-Malware Disable Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Loader.exe" /rl HIGHEST /f
                                                                                                              30⤵
                                                                                                              • Scheduled Task/Job: Scheduled Task
                                                                                                              PID:1940
                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dv19qaJGWANb.bat" "
                                                                                                              30⤵
                                                                                                                PID:1096
                                                                                                                • C:\Windows\SysWOW64\chcp.com
                                                                                                                  chcp 65001
                                                                                                                  31⤵
                                                                                                                    PID:4232
                                                                                                                  • C:\Windows\SysWOW64\PING.EXE
                                                                                                                    ping -n 10 localhost
                                                                                                                    31⤵
                                                                                                                    • Runs ping.exe
                                                                                                                    PID:4076
                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                                                                                                                    31⤵
                                                                                                                    • Checks computer location settings
                                                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                                                    • Suspicious use of SetWindowsHookEx
                                                                                                                    PID:3744
                                                                                                                    • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                      "schtasks" /create /tn "Windows Defender Anti-Malware Disable Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Loader.exe" /rl HIGHEST /f
                                                                                                                      32⤵
                                                                                                                      • Scheduled Task/Job: Scheduled Task
                                                                                                                      PID:5108
                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JQxgiRiKmi44.bat" "
                                                                                                                      32⤵
                                                                                                                        PID:4940
                                                                                                                        • C:\Windows\SysWOW64\chcp.com
                                                                                                                          chcp 65001
                                                                                                                          33⤵
                                                                                                                            PID:5012
                                                                                                                          • C:\Windows\SysWOW64\PING.EXE
                                                                                                                            ping -n 10 localhost
                                                                                                                            33⤵
                                                                                                                            • Runs ping.exe
                                                                                                                            PID:2200
                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                                                                                                                            33⤵
                                                                                                                            • Checks computer location settings
                                                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                                                            • Suspicious use of SetWindowsHookEx
                                                                                                                            PID:1656
                                                                                                                            • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                              "schtasks" /create /tn "Windows Defender Anti-Malware Disable Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Loader.exe" /rl HIGHEST /f
                                                                                                                              34⤵
                                                                                                                              • Scheduled Task/Job: Scheduled Task
                                                                                                                              PID:528
                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KYK7v4vdaIsR.bat" "
                                                                                                                              34⤵
                                                                                                                                PID:4420
                                                                                                                                • C:\Windows\SysWOW64\chcp.com
                                                                                                                                  chcp 65001
                                                                                                                                  35⤵
                                                                                                                                    PID:3472
                                                                                                                                  • C:\Windows\SysWOW64\PING.EXE
                                                                                                                                    ping -n 10 localhost
                                                                                                                                    35⤵
                                                                                                                                    • Runs ping.exe
                                                                                                                                    PID:3540
                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                                                                                                                                    35⤵
                                                                                                                                    • Checks computer location settings
                                                                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                                                                    • Suspicious use of SetWindowsHookEx
                                                                                                                                    PID:2748
                                                                                                                                    • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                      "schtasks" /create /tn "Windows Defender Anti-Malware Disable Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Loader.exe" /rl HIGHEST /f
                                                                                                                                      36⤵
                                                                                                                                      • Scheduled Task/Job: Scheduled Task
                                                                                                                                      PID:4848
                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RGPbZqG72WwD.bat" "
                                                                                                                                      36⤵
                                                                                                                                        PID:4092
                                                                                                                                        • C:\Windows\SysWOW64\chcp.com
                                                                                                                                          chcp 65001
                                                                                                                                          37⤵
                                                                                                                                            PID:4012
                                                                                                                                          • C:\Windows\SysWOW64\PING.EXE
                                                                                                                                            ping -n 10 localhost
                                                                                                                                            37⤵
                                                                                                                                            • Runs ping.exe
                                                                                                                                            PID:1388
                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                                                                                                                                            37⤵
                                                                                                                                            • Checks computer location settings
                                                                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                                                                            • Suspicious use of SetWindowsHookEx
                                                                                                                                            PID:2812
                                                                                                                                            • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                              "schtasks" /create /tn "Windows Defender Anti-Malware Disable Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Loader.exe" /rl HIGHEST /f
                                                                                                                                              38⤵
                                                                                                                                              • Scheduled Task/Job: Scheduled Task
                                                                                                                                              PID:3552
                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WxgNQsRHxwJ5.bat" "
                                                                                                                                              38⤵
                                                                                                                                                PID:3232
                                                                                                                                                • C:\Windows\SysWOW64\chcp.com
                                                                                                                                                  chcp 65001
                                                                                                                                                  39⤵
                                                                                                                                                    PID:3560
                                                                                                                                                  • C:\Windows\SysWOW64\PING.EXE
                                                                                                                                                    ping -n 10 localhost
                                                                                                                                                    39⤵
                                                                                                                                                    • Runs ping.exe
                                                                                                                                                    PID:3944
                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                                                                                                                                                    39⤵
                                                                                                                                                    • Checks computer location settings
                                                                                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                    • Suspicious use of SetWindowsHookEx
                                                                                                                                                    PID:4572
                                                                                                                                                    • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                      "schtasks" /create /tn "Windows Defender Anti-Malware Disable Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Loader.exe" /rl HIGHEST /f
                                                                                                                                                      40⤵
                                                                                                                                                      • Scheduled Task/Job: Scheduled Task
                                                                                                                                                      PID:3684
                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gEfCj2jbV2vK.bat" "
                                                                                                                                                      40⤵
                                                                                                                                                        PID:2736
                                                                                                                                                        • C:\Windows\SysWOW64\chcp.com
                                                                                                                                                          chcp 65001
                                                                                                                                                          41⤵
                                                                                                                                                            PID:1768
                                                                                                                                                          • C:\Windows\SysWOW64\PING.EXE
                                                                                                                                                            ping -n 10 localhost
                                                                                                                                                            41⤵
                                                                                                                                                            • Runs ping.exe
                                                                                                                                                            PID:4828
                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                                                                                                                                                            41⤵
                                                                                                                                                            • Checks computer location settings
                                                                                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                            • Suspicious use of SetWindowsHookEx
                                                                                                                                                            PID:4116
                                                                                                                                                            • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                              "schtasks" /create /tn "Windows Defender Anti-Malware Disable Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Loader.exe" /rl HIGHEST /f
                                                                                                                                                              42⤵
                                                                                                                                                              • Scheduled Task/Job: Scheduled Task
                                                                                                                                                              PID:2020
                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uSiFwlpTA2Zu.bat" "
                                                                                                                                                              42⤵
                                                                                                                                                                PID:3204
                                                                                                                                                                • C:\Windows\SysWOW64\chcp.com
                                                                                                                                                                  chcp 65001
                                                                                                                                                                  43⤵
                                                                                                                                                                    PID:4264
                                                                                                                                                                  • C:\Windows\SysWOW64\PING.EXE
                                                                                                                                                                    ping -n 10 localhost
                                                                                                                                                                    43⤵
                                                                                                                                                                    • Runs ping.exe
                                                                                                                                                                    PID:2916
                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                                                                                                                                                                    43⤵
                                                                                                                                                                    • Checks computer location settings
                                                                                                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                    • Suspicious use of SetWindowsHookEx
                                                                                                                                                                    PID:436
                                                                                                                                                                    • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                      "schtasks" /create /tn "Windows Defender Anti-Malware Disable Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Loader.exe" /rl HIGHEST /f
                                                                                                                                                                      44⤵
                                                                                                                                                                      • Scheduled Task/Job: Scheduled Task
                                                                                                                                                                      PID:4984
                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1AnkaXAxbGdg.bat" "
                                                                                                                                                                      44⤵
                                                                                                                                                                        PID:3692
                                                                                                                                                                        • C:\Windows\SysWOW64\chcp.com
                                                                                                                                                                          chcp 65001
                                                                                                                                                                          45⤵
                                                                                                                                                                            PID:3744
                                                                                                                                                                          • C:\Windows\SysWOW64\PING.EXE
                                                                                                                                                                            ping -n 10 localhost
                                                                                                                                                                            45⤵
                                                                                                                                                                            • Runs ping.exe
                                                                                                                                                                            PID:2200
                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                                                                                                                                                                            45⤵
                                                                                                                                                                            • Checks computer location settings
                                                                                                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                            • Suspicious use of SetWindowsHookEx
                                                                                                                                                                            PID:3492
                                                                                                                                                                            • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                              "schtasks" /create /tn "Windows Defender Anti-Malware Disable Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Loader.exe" /rl HIGHEST /f
                                                                                                                                                                              46⤵
                                                                                                                                                                              • Scheduled Task/Job: Scheduled Task
                                                                                                                                                                              PID:1472
                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GSZJfScaf9xq.bat" "
                                                                                                                                                                              46⤵
                                                                                                                                                                                PID:1688
                                                                                                                                                                                • C:\Windows\SysWOW64\chcp.com
                                                                                                                                                                                  chcp 65001
                                                                                                                                                                                  47⤵
                                                                                                                                                                                    PID:4908
                                                                                                                                                                                  • C:\Windows\SysWOW64\PING.EXE
                                                                                                                                                                                    ping -n 10 localhost
                                                                                                                                                                                    47⤵
                                                                                                                                                                                    • Runs ping.exe
                                                                                                                                                                                    PID:764
                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                                                                                                                                                                                    47⤵
                                                                                                                                                                                    • Checks computer location settings
                                                                                                                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                    • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                    PID:4476
                                                                                                                                                                                    • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                      "schtasks" /create /tn "Windows Defender Anti-Malware Disable Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Loader.exe" /rl HIGHEST /f
                                                                                                                                                                                      48⤵
                                                                                                                                                                                      • Scheduled Task/Job: Scheduled Task
                                                                                                                                                                                      PID:4812
                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\41NikejsFLmb.bat" "
                                                                                                                                                                                      48⤵
                                                                                                                                                                                        PID:1592
                                                                                                                                                                                        • C:\Windows\SysWOW64\chcp.com
                                                                                                                                                                                          chcp 65001
                                                                                                                                                                                          49⤵
                                                                                                                                                                                            PID:1712
                                                                                                                                                                                          • C:\Windows\SysWOW64\PING.EXE
                                                                                                                                                                                            ping -n 10 localhost
                                                                                                                                                                                            49⤵
                                                                                                                                                                                            • Runs ping.exe
                                                                                                                                                                                            PID:1916
                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                                                                                                                                                                                            49⤵
                                                                                                                                                                                            • Checks computer location settings
                                                                                                                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                            • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                            PID:5020
                                                                                                                                                                                            • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                              "schtasks" /create /tn "Windows Defender Anti-Malware Disable Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Loader.exe" /rl HIGHEST /f
                                                                                                                                                                                              50⤵
                                                                                                                                                                                              • Scheduled Task/Job: Scheduled Task
                                                                                                                                                                                              PID:3976
                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FlGxBAEgCNXH.bat" "
                                                                                                                                                                                              50⤵
                                                                                                                                                                                                PID:1980
                                                                                                                                                                                                • C:\Windows\SysWOW64\chcp.com
                                                                                                                                                                                                  chcp 65001
                                                                                                                                                                                                  51⤵
                                                                                                                                                                                                    PID:1852
                                                                                                                                                                                                  • C:\Windows\SysWOW64\PING.EXE
                                                                                                                                                                                                    ping -n 10 localhost
                                                                                                                                                                                                    51⤵
                                                                                                                                                                                                    • Runs ping.exe
                                                                                                                                                                                                    PID:3436
                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                                                                                                                                                                                                    51⤵
                                                                                                                                                                                                    • Checks computer location settings
                                                                                                                                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                    • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                    PID:1276
                                                                                                                                                                                                    • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                      "schtasks" /create /tn "Windows Defender Anti-Malware Disable Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Loader.exe" /rl HIGHEST /f
                                                                                                                                                                                                      52⤵
                                                                                                                                                                                                      • Scheduled Task/Job: Scheduled Task
                                                                                                                                                                                                      PID:2428
                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PxVGb8BEKZUx.bat" "
                                                                                                                                                                                                      52⤵
                                                                                                                                                                                                        PID:5076
                                                                                                                                                                                                        • C:\Windows\SysWOW64\chcp.com
                                                                                                                                                                                                          chcp 65001
                                                                                                                                                                                                          53⤵
                                                                                                                                                                                                            PID:2864
                                                                                                                                                                                                          • C:\Windows\SysWOW64\PING.EXE
                                                                                                                                                                                                            ping -n 10 localhost
                                                                                                                                                                                                            53⤵
                                                                                                                                                                                                            • Runs ping.exe
                                                                                                                                                                                                            PID:2720
                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                                                                                                                                                                                                            53⤵
                                                                                                                                                                                                            • Checks computer location settings
                                                                                                                                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                            • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                            PID:2360
                                                                                                                                                                                                            • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                              "schtasks" /create /tn "Windows Defender Anti-Malware Disable Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Loader.exe" /rl HIGHEST /f
                                                                                                                                                                                                              54⤵
                                                                                                                                                                                                              • Scheduled Task/Job: Scheduled Task
                                                                                                                                                                                                              PID:2592
                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tMlBTtgjkhLD.bat" "
                                                                                                                                                                                                              54⤵
                                                                                                                                                                                                                PID:4596
                                                                                                                                                                                                                • C:\Windows\SysWOW64\chcp.com
                                                                                                                                                                                                                  chcp 65001
                                                                                                                                                                                                                  55⤵
                                                                                                                                                                                                                    PID:400
                                                                                                                                                                                                                  • C:\Windows\SysWOW64\PING.EXE
                                                                                                                                                                                                                    ping -n 10 localhost
                                                                                                                                                                                                                    55⤵
                                                                                                                                                                                                                    • Runs ping.exe
                                                                                                                                                                                                                    PID:4464
                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                                                                                                                                                                                                                    55⤵
                                                                                                                                                                                                                    • Checks computer location settings
                                                                                                                                                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                    • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                    PID:4052
                                                                                                                                                                                                                    • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                      "schtasks" /create /tn "Windows Defender Anti-Malware Disable Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Loader.exe" /rl HIGHEST /f
                                                                                                                                                                                                                      56⤵
                                                                                                                                                                                                                      • Scheduled Task/Job: Scheduled Task
                                                                                                                                                                                                                      PID:704
                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DAWI7lul1NFB.bat" "
                                                                                                                                                                                                                      56⤵
                                                                                                                                                                                                                        PID:888
                                                                                                                                                                                                                        • C:\Windows\SysWOW64\chcp.com
                                                                                                                                                                                                                          chcp 65001
                                                                                                                                                                                                                          57⤵
                                                                                                                                                                                                                            PID:1452
                                                                                                                                                                                                                          • C:\Windows\SysWOW64\PING.EXE
                                                                                                                                                                                                                            ping -n 10 localhost
                                                                                                                                                                                                                            57⤵
                                                                                                                                                                                                                            • Runs ping.exe
                                                                                                                                                                                                                            PID:3832
                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                                                                                                                                                                                                                            57⤵
                                                                                                                                                                                                                            • Checks computer location settings
                                                                                                                                                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                            • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                            PID:3744
                                                                                                                                                                                                                            • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                              "schtasks" /create /tn "Windows Defender Anti-Malware Disable Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Loader.exe" /rl HIGHEST /f
                                                                                                                                                                                                                              58⤵
                                                                                                                                                                                                                              • Scheduled Task/Job: Scheduled Task
                                                                                                                                                                                                                              PID:1720
                                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dYyTCmFxvhPX.bat" "
                                                                                                                                                                                                                              58⤵
                                                                                                                                                                                                                                PID:3692
                                                                                                                                                                                                                                • C:\Windows\SysWOW64\chcp.com
                                                                                                                                                                                                                                  chcp 65001
                                                                                                                                                                                                                                  59⤵
                                                                                                                                                                                                                                    PID:1472
                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\PING.EXE
                                                                                                                                                                                                                                    ping -n 10 localhost
                                                                                                                                                                                                                                    59⤵
                                                                                                                                                                                                                                    • Runs ping.exe
                                                                                                                                                                                                                                    PID:2708
                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                                                                                                                                                                                                                                    59⤵
                                                                                                                                                                                                                                    • Checks computer location settings
                                                                                                                                                                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                    • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                    PID:5024
                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                      "schtasks" /create /tn "Windows Defender Anti-Malware Disable Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Loader.exe" /rl HIGHEST /f
                                                                                                                                                                                                                                      60⤵
                                                                                                                                                                                                                                      • Scheduled Task/Job: Scheduled Task
                                                                                                                                                                                                                                      PID:1992
                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lo8ZiCNxyyKt.bat" "
                                                                                                                                                                                                                                      60⤵
                                                                                                                                                                                                                                        PID:1908
                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\chcp.com
                                                                                                                                                                                                                                          chcp 65001
                                                                                                                                                                                                                                          61⤵
                                                                                                                                                                                                                                            PID:2112
                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\PING.EXE
                                                                                                                                                                                                                                            ping -n 10 localhost
                                                                                                                                                                                                                                            61⤵
                                                                                                                                                                                                                                            • Runs ping.exe
                                                                                                                                                                                                                                            PID:4848
                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                                                                                                                                                                                                                                            61⤵
                                                                                                                                                                                                                                            • Checks computer location settings
                                                                                                                                                                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                            • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                            PID:2740
                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                              "schtasks" /create /tn "Windows Defender Anti-Malware Disable Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Loader.exe" /rl HIGHEST /f
                                                                                                                                                                                                                                              62⤵
                                                                                                                                                                                                                                              • Scheduled Task/Job: Scheduled Task
                                                                                                                                                                                                                                              PID:5000
                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BCakoDi9sIUF.bat" "
                                                                                                                                                                                                                                              62⤵
                                                                                                                                                                                                                                                PID:448
                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\chcp.com
                                                                                                                                                                                                                                                  chcp 65001
                                                                                                                                                                                                                                                  63⤵
                                                                                                                                                                                                                                                    PID:4020
                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\PING.EXE
                                                                                                                                                                                                                                                    ping -n 10 localhost
                                                                                                                                                                                                                                                    63⤵
                                                                                                                                                                                                                                                    • Runs ping.exe
                                                                                                                                                                                                                                                    PID:2024
                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                                                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                                                                                                                                                                                                                                                    63⤵
                                                                                                                                                                                                                                                    • Checks computer location settings
                                                                                                                                                                                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                    • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                                    PID:4856
                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                      "schtasks" /create /tn "Windows Defender Anti-Malware Disable Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Loader.exe" /rl HIGHEST /f
                                                                                                                                                                                                                                                      64⤵
                                                                                                                                                                                                                                                      • Scheduled Task/Job: Scheduled Task
                                                                                                                                                                                                                                                      PID:1608
                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\V0LrS5wB9xNE.bat" "
                                                                                                                                                                                                                                                      64⤵
                                                                                                                                                                                                                                                        PID:4588
                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\chcp.com
                                                                                                                                                                                                                                                          chcp 65001
                                                                                                                                                                                                                                                          65⤵
                                                                                                                                                                                                                                                            PID:3216
                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\PING.EXE
                                                                                                                                                                                                                                                            ping -n 10 localhost
                                                                                                                                                                                                                                                            65⤵
                                                                                                                                                                                                                                                            • Runs ping.exe
                                                                                                                                                                                                                                                            PID:4992
                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                                                                                                                                                                                                                                                            65⤵
                                                                                                                                                                                                                                                            • Checks computer location settings
                                                                                                                                                                                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                            • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                                            PID:4900
                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                              "schtasks" /create /tn "Windows Defender Anti-Malware Disable Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Loader.exe" /rl HIGHEST /f
                                                                                                                                                                                                                                                              66⤵
                                                                                                                                                                                                                                                              • Scheduled Task/Job: Scheduled Task
                                                                                                                                                                                                                                                              PID:2328
                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EW576fVYvKla.bat" "
                                                                                                                                                                                                                                                              66⤵
                                                                                                                                                                                                                                                                PID:4420
                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\chcp.com
                                                                                                                                                                                                                                                                  chcp 65001
                                                                                                                                                                                                                                                                  67⤵
                                                                                                                                                                                                                                                                    PID:2664
                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\PING.EXE
                                                                                                                                                                                                                                                                    ping -n 10 localhost
                                                                                                                                                                                                                                                                    67⤵
                                                                                                                                                                                                                                                                    • Runs ping.exe
                                                                                                                                                                                                                                                                    PID:1768
                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                                                                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                                                                                                                                                                                                                                                                    67⤵
                                                                                                                                                                                                                                                                    • Checks computer location settings
                                                                                                                                                                                                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                    • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                                                    PID:1664
                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                      "schtasks" /create /tn "Windows Defender Anti-Malware Disable Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Loader.exe" /rl HIGHEST /f
                                                                                                                                                                                                                                                                      68⤵
                                                                                                                                                                                                                                                                      • Scheduled Task/Job: Scheduled Task
                                                                                                                                                                                                                                                                      PID:1444
                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hPh7xsSpWcor.bat" "
                                                                                                                                                                                                                                                                      68⤵
                                                                                                                                                                                                                                                                        PID:4124
                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\chcp.com
                                                                                                                                                                                                                                                                          chcp 65001
                                                                                                                                                                                                                                                                          69⤵
                                                                                                                                                                                                                                                                            PID:2548
                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\PING.EXE
                                                                                                                                                                                                                                                                            ping -n 10 localhost
                                                                                                                                                                                                                                                                            69⤵
                                                                                                                                                                                                                                                                            • Runs ping.exe
                                                                                                                                                                                                                                                                            PID:4464
                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                                                                                                                                                                                                                                                                            69⤵
                                                                                                                                                                                                                                                                            • Checks computer location settings
                                                                                                                                                                                                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                            • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                                                            PID:3236
                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                              "schtasks" /create /tn "Windows Defender Anti-Malware Disable Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Loader.exe" /rl HIGHEST /f
                                                                                                                                                                                                                                                                              70⤵
                                                                                                                                                                                                                                                                              • Scheduled Task/Job: Scheduled Task
                                                                                                                                                                                                                                                                              PID:1772
                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jbo43i0uk5Io.bat" "
                                                                                                                                                                                                                                                                              70⤵
                                                                                                                                                                                                                                                                                PID:3020
                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\chcp.com
                                                                                                                                                                                                                                                                                  chcp 65001
                                                                                                                                                                                                                                                                                  71⤵
                                                                                                                                                                                                                                                                                    PID:1140
                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\PING.EXE
                                                                                                                                                                                                                                                                                    ping -n 10 localhost
                                                                                                                                                                                                                                                                                    71⤵
                                                                                                                                                                                                                                                                                    • Runs ping.exe
                                                                                                                                                                                                                                                                                    PID:4936
                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                                                                                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                                                                                                                                                                                                                                                                                    71⤵
                                                                                                                                                                                                                                                                                    • Checks computer location settings
                                                                                                                                                                                                                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                    • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                                                                    PID:3632
                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                                      "schtasks" /create /tn "Windows Defender Anti-Malware Disable Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Loader.exe" /rl HIGHEST /f
                                                                                                                                                                                                                                                                                      72⤵
                                                                                                                                                                                                                                                                                      • Scheduled Task/Job: Scheduled Task
                                                                                                                                                                                                                                                                                      PID:976
                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Uci9TVBMDPZ5.bat" "
                                                                                                                                                                                                                                                                                      72⤵
                                                                                                                                                                                                                                                                                        PID:548
                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\chcp.com
                                                                                                                                                                                                                                                                                          chcp 65001
                                                                                                                                                                                                                                                                                          73⤵
                                                                                                                                                                                                                                                                                            PID:512
                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\PING.EXE
                                                                                                                                                                                                                                                                                            ping -n 10 localhost
                                                                                                                                                                                                                                                                                            73⤵
                                                                                                                                                                                                                                                                                            • Runs ping.exe
                                                                                                                                                                                                                                                                                            PID:2068
                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                                                                                                                                                                                                                                                                                            73⤵
                                                                                                                                                                                                                                                                                            • Checks computer location settings
                                                                                                                                                                                                                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                            • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                                                                            PID:732
                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                                              "schtasks" /create /tn "Windows Defender Anti-Malware Disable Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Loader.exe" /rl HIGHEST /f
                                                                                                                                                                                                                                                                                              74⤵
                                                                                                                                                                                                                                                                                              • Scheduled Task/Job: Scheduled Task
                                                                                                                                                                                                                                                                                              PID:2952
                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\juViZQdzHJsF.bat" "
                                                                                                                                                                                                                                                                                              74⤵
                                                                                                                                                                                                                                                                                                PID:3308
                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\chcp.com
                                                                                                                                                                                                                                                                                                  chcp 65001
                                                                                                                                                                                                                                                                                                  75⤵
                                                                                                                                                                                                                                                                                                    PID:1120
                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\PING.EXE
                                                                                                                                                                                                                                                                                                    ping -n 10 localhost
                                                                                                                                                                                                                                                                                                    75⤵
                                                                                                                                                                                                                                                                                                    • Runs ping.exe
                                                                                                                                                                                                                                                                                                    PID:2504
                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                                                                                                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                                                                                                                                                                                                                                                                                                    75⤵
                                                                                                                                                                                                                                                                                                    • Checks computer location settings
                                                                                                                                                                                                                                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                                    • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                                                                                    PID:1448
                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                                                      "schtasks" /create /tn "Windows Defender Anti-Malware Disable Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Loader.exe" /rl HIGHEST /f
                                                                                                                                                                                                                                                                                                      76⤵
                                                                                                                                                                                                                                                                                                      • Scheduled Task/Job: Scheduled Task
                                                                                                                                                                                                                                                                                                      PID:4512
                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\d0GfCYWg4GIp.bat" "
                                                                                                                                                                                                                                                                                                      76⤵
                                                                                                                                                                                                                                                                                                        PID:1620
                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\chcp.com
                                                                                                                                                                                                                                                                                                          chcp 65001
                                                                                                                                                                                                                                                                                                          77⤵
                                                                                                                                                                                                                                                                                                            PID:4012
                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\PING.EXE
                                                                                                                                                                                                                                                                                                            ping -n 10 localhost
                                                                                                                                                                                                                                                                                                            77⤵
                                                                                                                                                                                                                                                                                                            • Runs ping.exe
                                                                                                                                                                                                                                                                                                            PID:4864
                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                                                                                                                                                                                                                                                                                                            77⤵
                                                                                                                                                                                                                                                                                                            • Checks computer location settings
                                                                                                                                                                                                                                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                                            • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                                                                                            PID:3140
                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                                                              "schtasks" /create /tn "Windows Defender Anti-Malware Disable Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Loader.exe" /rl HIGHEST /f
                                                                                                                                                                                                                                                                                                              78⤵
                                                                                                                                                                                                                                                                                                              • Scheduled Task/Job: Scheduled Task
                                                                                                                                                                                                                                                                                                              PID:3688
                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\P5tGVY2txUFf.bat" "
                                                                                                                                                                                                                                                                                                              78⤵
                                                                                                                                                                                                                                                                                                                PID:336
                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\chcp.com
                                                                                                                                                                                                                                                                                                                  chcp 65001
                                                                                                                                                                                                                                                                                                                  79⤵
                                                                                                                                                                                                                                                                                                                    PID:3260
                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\PING.EXE
                                                                                                                                                                                                                                                                                                                    ping -n 10 localhost
                                                                                                                                                                                                                                                                                                                    79⤵
                                                                                                                                                                                                                                                                                                                    • Runs ping.exe
                                                                                                                                                                                                                                                                                                                    PID:4988
                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                                                                                                                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                                                                                                                                                                                                                                                                                                                    79⤵
                                                                                                                                                                                                                                                                                                                    • Checks computer location settings
                                                                                                                                                                                                                                                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                                                    • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                                                                                                    PID:5020
                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                                                                      "schtasks" /create /tn "Windows Defender Anti-Malware Disable Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Loader.exe" /rl HIGHEST /f
                                                                                                                                                                                                                                                                                                                      80⤵
                                                                                                                                                                                                                                                                                                                      • Scheduled Task/Job: Scheduled Task
                                                                                                                                                                                                                                                                                                                      PID:3600
                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NCTyvR5tFFM9.bat" "
                                                                                                                                                                                                                                                                                                                      80⤵
                                                                                                                                                                                                                                                                                                                        PID:2560
                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\chcp.com
                                                                                                                                                                                                                                                                                                                          chcp 65001
                                                                                                                                                                                                                                                                                                                          81⤵
                                                                                                                                                                                                                                                                                                                            PID:4200
                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\PING.EXE
                                                                                                                                                                                                                                                                                                                            ping -n 10 localhost
                                                                                                                                                                                                                                                                                                                            81⤵
                                                                                                                                                                                                                                                                                                                            • Runs ping.exe
                                                                                                                                                                                                                                                                                                                            PID:2428
                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                                                                                                                                                                                                                                                                                                                            81⤵
                                                                                                                                                                                                                                                                                                                            • Checks computer location settings
                                                                                                                                                                                                                                                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                                                            • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                                                                                                            PID:1348
                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                                                                              "schtasks" /create /tn "Windows Defender Anti-Malware Disable Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Loader.exe" /rl HIGHEST /f
                                                                                                                                                                                                                                                                                                                              82⤵
                                                                                                                                                                                                                                                                                                                              • Scheduled Task/Job: Scheduled Task
                                                                                                                                                                                                                                                                                                                              PID:3936
                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\POau1GezUip6.bat" "
                                                                                                                                                                                                                                                                                                                              82⤵
                                                                                                                                                                                                                                                                                                                                PID:4456
                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\chcp.com
                                                                                                                                                                                                                                                                                                                                  chcp 65001
                                                                                                                                                                                                                                                                                                                                  83⤵
                                                                                                                                                                                                                                                                                                                                    PID:3328
                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\PING.EXE
                                                                                                                                                                                                                                                                                                                                    ping -n 10 localhost
                                                                                                                                                                                                                                                                                                                                    83⤵
                                                                                                                                                                                                                                                                                                                                    • Runs ping.exe
                                                                                                                                                                                                                                                                                                                                    PID:4508
                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                                                                                                                                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                                                                                                                                                                                                                                                                                                                                    83⤵
                                                                                                                                                                                                                                                                                                                                    • Checks computer location settings
                                                                                                                                                                                                                                                                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                                                                    • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                                                                                                                    PID:2276
                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                                                                                      "schtasks" /create /tn "Windows Defender Anti-Malware Disable Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Loader.exe" /rl HIGHEST /f
                                                                                                                                                                                                                                                                                                                                      84⤵
                                                                                                                                                                                                                                                                                                                                      • Scheduled Task/Job: Scheduled Task
                                                                                                                                                                                                                                                                                                                                      PID:1328
                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oiIZD4ePx8Kt.bat" "
                                                                                                                                                                                                                                                                                                                                      84⤵
                                                                                                                                                                                                                                                                                                                                        PID:436
                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\chcp.com
                                                                                                                                                                                                                                                                                                                                          chcp 65001
                                                                                                                                                                                                                                                                                                                                          85⤵
                                                                                                                                                                                                                                                                                                                                            PID:1084
                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\PING.EXE
                                                                                                                                                                                                                                                                                                                                            ping -n 10 localhost
                                                                                                                                                                                                                                                                                                                                            85⤵
                                                                                                                                                                                                                                                                                                                                            • Runs ping.exe
                                                                                                                                                                                                                                                                                                                                            PID:4964
                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                                                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                                                                                                                                                                                                                                                                                                                                            85⤵
                                                                                                                                                                                                                                                                                                                                            • Checks computer location settings
                                                                                                                                                                                                                                                                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                                                                            • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                                                                                                                            PID:4216
                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                                                                                              "schtasks" /create /tn "Windows Defender Anti-Malware Disable Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Loader.exe" /rl HIGHEST /f
                                                                                                                                                                                                                                                                                                                                              86⤵
                                                                                                                                                                                                                                                                                                                                              • Scheduled Task/Job: Scheduled Task
                                                                                                                                                                                                                                                                                                                                              PID:3472
                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gJuj50v138qY.bat" "
                                                                                                                                                                                                                                                                                                                                              86⤵
                                                                                                                                                                                                                                                                                                                                                PID:748
                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\chcp.com
                                                                                                                                                                                                                                                                                                                                                  chcp 65001
                                                                                                                                                                                                                                                                                                                                                  87⤵
                                                                                                                                                                                                                                                                                                                                                    PID:2388
                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\PING.EXE
                                                                                                                                                                                                                                                                                                                                                    ping -n 10 localhost
                                                                                                                                                                                                                                                                                                                                                    87⤵
                                                                                                                                                                                                                                                                                                                                                    • Runs ping.exe
                                                                                                                                                                                                                                                                                                                                                    PID:4448
                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                                                                                                                                                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                                                                                                                                                                                                                                                                                                                                                    87⤵
                                                                                                                                                                                                                                                                                                                                                    • Checks computer location settings
                                                                                                                                                                                                                                                                                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                                                                                    • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                                                                                                                                    PID:3476
                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                      "schtasks" /create /tn "Windows Defender Anti-Malware Disable Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Loader.exe" /rl HIGHEST /f
                                                                                                                                                                                                                                                                                                                                                      88⤵
                                                                                                                                                                                                                                                                                                                                                      • Scheduled Task/Job: Scheduled Task
                                                                                                                                                                                                                                                                                                                                                      PID:1040
                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fUDwO6Kmmndb.bat" "
                                                                                                                                                                                                                                                                                                                                                      88⤵
                                                                                                                                                                                                                                                                                                                                                        PID:4812
                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\chcp.com
                                                                                                                                                                                                                                                                                                                                                          chcp 65001
                                                                                                                                                                                                                                                                                                                                                          89⤵
                                                                                                                                                                                                                                                                                                                                                            PID:764
                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\PING.EXE
                                                                                                                                                                                                                                                                                                                                                            ping -n 10 localhost
                                                                                                                                                                                                                                                                                                                                                            89⤵
                                                                                                                                                                                                                                                                                                                                                            • Runs ping.exe
                                                                                                                                                                                                                                                                                                                                                            PID:2016
                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                                                                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                                                                                                                                                                                                                                                                                                                                                            89⤵
                                                                                                                                                                                                                                                                                                                                                            • Checks computer location settings
                                                                                                                                                                                                                                                                                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                                                                                            • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                                                                                                                                            PID:1632
                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                              "schtasks" /create /tn "Windows Defender Anti-Malware Disable Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Loader.exe" /rl HIGHEST /f
                                                                                                                                                                                                                                                                                                                                                              90⤵
                                                                                                                                                                                                                                                                                                                                                              • Scheduled Task/Job: Scheduled Task
                                                                                                                                                                                                                                                                                                                                                              PID:3264
                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RV61otUEE7us.bat" "
                                                                                                                                                                                                                                                                                                                                                              90⤵
                                                                                                                                                                                                                                                                                                                                                                PID:1848
                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\chcp.com
                                                                                                                                                                                                                                                                                                                                                                  chcp 65001
                                                                                                                                                                                                                                                                                                                                                                  91⤵
                                                                                                                                                                                                                                                                                                                                                                    PID:3080
                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\PING.EXE
                                                                                                                                                                                                                                                                                                                                                                    ping -n 10 localhost
                                                                                                                                                                                                                                                                                                                                                                    91⤵
                                                                                                                                                                                                                                                                                                                                                                    • Runs ping.exe
                                                                                                                                                                                                                                                                                                                                                                    PID:4024
                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                                                                                                                                                                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                                                                                                                                                                                                                                                                                                                                                                    91⤵
                                                                                                                                                                                                                                                                                                                                                                    • Checks computer location settings
                                                                                                                                                                                                                                                                                                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                                                                                                    • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                                                                                                                                                    PID:3300
                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                      "schtasks" /create /tn "Windows Defender Anti-Malware Disable Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Loader.exe" /rl HIGHEST /f
                                                                                                                                                                                                                                                                                                                                                                      92⤵
                                                                                                                                                                                                                                                                                                                                                                      • Scheduled Task/Job: Scheduled Task
                                                                                                                                                                                                                                                                                                                                                                      PID:3724
                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HbYLucAld9Xd.bat" "
                                                                                                                                                                                                                                                                                                                                                                      92⤵
                                                                                                                                                                                                                                                                                                                                                                        PID:3436
                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\chcp.com
                                                                                                                                                                                                                                                                                                                                                                          chcp 65001
                                                                                                                                                                                                                                                                                                                                                                          93⤵
                                                                                                                                                                                                                                                                                                                                                                            PID:1852
                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\PING.EXE
                                                                                                                                                                                                                                                                                                                                                                            ping -n 10 localhost
                                                                                                                                                                                                                                                                                                                                                                            93⤵
                                                                                                                                                                                                                                                                                                                                                                            • Runs ping.exe
                                                                                                                                                                                                                                                                                                                                                                            PID:3836
                                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                                                                                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                                                                                                                                                                                                                                                                                                                                                                            93⤵
                                                                                                                                                                                                                                                                                                                                                                            • Checks computer location settings
                                                                                                                                                                                                                                                                                                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                                                                                                            • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                                                                                                                                                            PID:3180
                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                              "schtasks" /create /tn "Windows Defender Anti-Malware Disable Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Loader.exe" /rl HIGHEST /f
                                                                                                                                                                                                                                                                                                                                                                              94⤵
                                                                                                                                                                                                                                                                                                                                                                              • Scheduled Task/Job: Scheduled Task
                                                                                                                                                                                                                                                                                                                                                                              PID:5048
                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IH1NzuBc2mDb.bat" "
                                                                                                                                                                                                                                                                                                                                                                              94⤵
                                                                                                                                                                                                                                                                                                                                                                                PID:4424
                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\chcp.com
                                                                                                                                                                                                                                                                                                                                                                                  chcp 65001
                                                                                                                                                                                                                                                                                                                                                                                  95⤵
                                                                                                                                                                                                                                                                                                                                                                                    PID:2384
                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\PING.EXE
                                                                                                                                                                                                                                                                                                                                                                                    ping -n 10 localhost
                                                                                                                                                                                                                                                                                                                                                                                    95⤵
                                                                                                                                                                                                                                                                                                                                                                                    • Runs ping.exe
                                                                                                                                                                                                                                                                                                                                                                                    PID:2652
                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                                                                                                                                                                                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                                                                                                                                                                                                                                                                                                                                                                                    95⤵
                                                                                                                                                                                                                                                                                                                                                                                    • Checks computer location settings
                                                                                                                                                                                                                                                                                                                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                                                                                                                    • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                                                                                                                                                                    PID:3684
                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                                      "schtasks" /create /tn "Windows Defender Anti-Malware Disable Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Loader.exe" /rl HIGHEST /f
                                                                                                                                                                                                                                                                                                                                                                                      96⤵
                                                                                                                                                                                                                                                                                                                                                                                      • Scheduled Task/Job: Scheduled Task
                                                                                                                                                                                                                                                                                                                                                                                      PID:880
                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AscWqqSE8lkG.bat" "
                                                                                                                                                                                                                                                                                                                                                                                      96⤵
                                                                                                                                                                                                                                                                                                                                                                                        PID:632
                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\chcp.com
                                                                                                                                                                                                                                                                                                                                                                                          chcp 65001
                                                                                                                                                                                                                                                                                                                                                                                          97⤵
                                                                                                                                                                                                                                                                                                                                                                                            PID:1864
                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\PING.EXE
                                                                                                                                                                                                                                                                                                                                                                                            ping -n 10 localhost
                                                                                                                                                                                                                                                                                                                                                                                            97⤵
                                                                                                                                                                                                                                                                                                                                                                                            • Runs ping.exe
                                                                                                                                                                                                                                                                                                                                                                                            PID:3196
                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                                                                                          C:\Windows\SysWOW64\WerFault.exe -u -p 3684 -s 1092
                                                                                                                                                                                                                                                                                                                                                                                          96⤵
                                                                                                                                                                                                                                                                                                                                                                                          • Program crash
                                                                                                                                                                                                                                                                                                                                                                                          PID:3328
                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                                                                                      C:\Windows\SysWOW64\WerFault.exe -u -p 3180 -s 1708
                                                                                                                                                                                                                                                                                                                                                                                      94⤵
                                                                                                                                                                                                                                                                                                                                                                                      • Program crash
                                                                                                                                                                                                                                                                                                                                                                                      PID:536
                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                                                                                  C:\Windows\SysWOW64\WerFault.exe -u -p 3300 -s 2248
                                                                                                                                                                                                                                                                                                                                                                                  92⤵
                                                                                                                                                                                                                                                                                                                                                                                  • Program crash
                                                                                                                                                                                                                                                                                                                                                                                  PID:620
                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                                                                              C:\Windows\SysWOW64\WerFault.exe -u -p 1632 -s 1092
                                                                                                                                                                                                                                                                                                                                                                              90⤵
                                                                                                                                                                                                                                                                                                                                                                              • Program crash
                                                                                                                                                                                                                                                                                                                                                                              PID:4020
                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                                                                          C:\Windows\SysWOW64\WerFault.exe -u -p 3476 -s 2232
                                                                                                                                                                                                                                                                                                                                                                          88⤵
                                                                                                                                                                                                                                                                                                                                                                          • Program crash
                                                                                                                                                                                                                                                                                                                                                                          PID:5056
                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                                                                      C:\Windows\SysWOW64\WerFault.exe -u -p 4216 -s 2232
                                                                                                                                                                                                                                                                                                                                                                      86⤵
                                                                                                                                                                                                                                                                                                                                                                      • Program crash
                                                                                                                                                                                                                                                                                                                                                                      PID:4888
                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                                                                  C:\Windows\SysWOW64\WerFault.exe -u -p 2276 -s 1092
                                                                                                                                                                                                                                                                                                                                                                  84⤵
                                                                                                                                                                                                                                                                                                                                                                  • Program crash
                                                                                                                                                                                                                                                                                                                                                                  PID:4052
                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                                                              C:\Windows\SysWOW64\WerFault.exe -u -p 1348 -s 2248
                                                                                                                                                                                                                                                                                                                                                              82⤵
                                                                                                                                                                                                                                                                                                                                                              • Program crash
                                                                                                                                                                                                                                                                                                                                                              PID:1128
                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                                                          C:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 2200
                                                                                                                                                                                                                                                                                                                                                          80⤵
                                                                                                                                                                                                                                                                                                                                                          • Program crash
                                                                                                                                                                                                                                                                                                                                                          PID:2452
                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                                                      C:\Windows\SysWOW64\WerFault.exe -u -p 3140 -s 1096
                                                                                                                                                                                                                                                                                                                                                      78⤵
                                                                                                                                                                                                                                                                                                                                                      • Program crash
                                                                                                                                                                                                                                                                                                                                                      PID:4228
                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                                                  C:\Windows\SysWOW64\WerFault.exe -u -p 1448 -s 1712
                                                                                                                                                                                                                                                                                                                                                  76⤵
                                                                                                                                                                                                                                                                                                                                                  • Program crash
                                                                                                                                                                                                                                                                                                                                                  PID:772
                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                                              C:\Windows\SysWOW64\WerFault.exe -u -p 732 -s 1096
                                                                                                                                                                                                                                                                                                                                              74⤵
                                                                                                                                                                                                                                                                                                                                              • Program crash
                                                                                                                                                                                                                                                                                                                                              PID:3040
                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                                          C:\Windows\SysWOW64\WerFault.exe -u -p 3632 -s 1092
                                                                                                                                                                                                                                                                                                                                          72⤵
                                                                                                                                                                                                                                                                                                                                          • Program crash
                                                                                                                                                                                                                                                                                                                                          PID:1052
                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                                      C:\Windows\SysWOW64\WerFault.exe -u -p 3236 -s 2248
                                                                                                                                                                                                                                                                                                                                      70⤵
                                                                                                                                                                                                                                                                                                                                      • Program crash
                                                                                                                                                                                                                                                                                                                                      PID:852
                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                                  C:\Windows\SysWOW64\WerFault.exe -u -p 1664 -s 1096
                                                                                                                                                                                                                                                                                                                                  68⤵
                                                                                                                                                                                                                                                                                                                                  • Program crash
                                                                                                                                                                                                                                                                                                                                  PID:3624
                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                              C:\Windows\SysWOW64\WerFault.exe -u -p 4900 -s 2248
                                                                                                                                                                                                                                                                                                                              66⤵
                                                                                                                                                                                                                                                                                                                              • Program crash
                                                                                                                                                                                                                                                                                                                              PID:1280
                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                          C:\Windows\SysWOW64\WerFault.exe -u -p 4856 -s 1720
                                                                                                                                                                                                                                                                                                                          64⤵
                                                                                                                                                                                                                                                                                                                          • Program crash
                                                                                                                                                                                                                                                                                                                          PID:1488
                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                      C:\Windows\SysWOW64\WerFault.exe -u -p 2740 -s 2248
                                                                                                                                                                                                                                                                                                                      62⤵
                                                                                                                                                                                                                                                                                                                      • Program crash
                                                                                                                                                                                                                                                                                                                      PID:4300
                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                  C:\Windows\SysWOW64\WerFault.exe -u -p 5024 -s 1092
                                                                                                                                                                                                                                                                                                                  60⤵
                                                                                                                                                                                                                                                                                                                  • Program crash
                                                                                                                                                                                                                                                                                                                  PID:3584
                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                              C:\Windows\SysWOW64\WerFault.exe -u -p 3744 -s 2248
                                                                                                                                                                                                                                                                                                              58⤵
                                                                                                                                                                                                                                                                                                              • Program crash
                                                                                                                                                                                                                                                                                                              PID:1588
                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                          C:\Windows\SysWOW64\WerFault.exe -u -p 4052 -s 1096
                                                                                                                                                                                                                                                                                                          56⤵
                                                                                                                                                                                                                                                                                                          • Program crash
                                                                                                                                                                                                                                                                                                          PID:1772
                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                      C:\Windows\SysWOW64\WerFault.exe -u -p 2360 -s 2236
                                                                                                                                                                                                                                                                                                      54⤵
                                                                                                                                                                                                                                                                                                      • Program crash
                                                                                                                                                                                                                                                                                                      PID:1032
                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                  C:\Windows\SysWOW64\WerFault.exe -u -p 1276 -s 1092
                                                                                                                                                                                                                                                                                                  52⤵
                                                                                                                                                                                                                                                                                                  • Program crash
                                                                                                                                                                                                                                                                                                  PID:3600
                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                              C:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 2252
                                                                                                                                                                                                                                                                                              50⤵
                                                                                                                                                                                                                                                                                              • Program crash
                                                                                                                                                                                                                                                                                              PID:5036
                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                          C:\Windows\SysWOW64\WerFault.exe -u -p 4476 -s 1720
                                                                                                                                                                                                                                                                                          48⤵
                                                                                                                                                                                                                                                                                          • Program crash
                                                                                                                                                                                                                                                                                          PID:3260
                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                      C:\Windows\SysWOW64\WerFault.exe -u -p 3492 -s 1096
                                                                                                                                                                                                                                                                                      46⤵
                                                                                                                                                                                                                                                                                      • Program crash
                                                                                                                                                                                                                                                                                      PID:3052
                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                  C:\Windows\SysWOW64\WerFault.exe -u -p 436 -s 1708
                                                                                                                                                                                                                                                                                  44⤵
                                                                                                                                                                                                                                                                                  • Program crash
                                                                                                                                                                                                                                                                                  PID:3556
                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                              C:\Windows\SysWOW64\WerFault.exe -u -p 4116 -s 1668
                                                                                                                                                                                                                                                                              42⤵
                                                                                                                                                                                                                                                                              • Program crash
                                                                                                                                                                                                                                                                              PID:4844
                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                          C:\Windows\SysWOW64\WerFault.exe -u -p 4572 -s 1096
                                                                                                                                                                                                                                                                          40⤵
                                                                                                                                                                                                                                                                          • Program crash
                                                                                                                                                                                                                                                                          PID:2136
                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                      C:\Windows\SysWOW64\WerFault.exe -u -p 2812 -s 2232
                                                                                                                                                                                                                                                                      38⤵
                                                                                                                                                                                                                                                                      • Program crash
                                                                                                                                                                                                                                                                      PID:1036
                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                  C:\Windows\SysWOW64\WerFault.exe -u -p 2748 -s 2248
                                                                                                                                                                                                                                                                  36⤵
                                                                                                                                                                                                                                                                  • Program crash
                                                                                                                                                                                                                                                                  PID:4336
                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                              C:\Windows\SysWOW64\WerFault.exe -u -p 1656 -s 1092
                                                                                                                                                                                                                                                              34⤵
                                                                                                                                                                                                                                                              • Program crash
                                                                                                                                                                                                                                                              PID:2708
                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                          C:\Windows\SysWOW64\WerFault.exe -u -p 3744 -s 2248
                                                                                                                                                                                                                                                          32⤵
                                                                                                                                                                                                                                                          • Program crash
                                                                                                                                                                                                                                                          PID:4732
                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                      C:\Windows\SysWOW64\WerFault.exe -u -p 2304 -s 1720
                                                                                                                                                                                                                                                      30⤵
                                                                                                                                                                                                                                                      • Program crash
                                                                                                                                                                                                                                                      PID:316
                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                  C:\Windows\SysWOW64\WerFault.exe -u -p 2136 -s 2248
                                                                                                                                                                                                                                                  28⤵
                                                                                                                                                                                                                                                  • Program crash
                                                                                                                                                                                                                                                  PID:2256
                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                              C:\Windows\SysWOW64\WerFault.exe -u -p 3180 -s 1092
                                                                                                                                                                                                                                              26⤵
                                                                                                                                                                                                                                              • Program crash
                                                                                                                                                                                                                                              PID:3496
                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                          C:\Windows\SysWOW64\WerFault.exe -u -p 1808 -s 1096
                                                                                                                                                                                                                                          24⤵
                                                                                                                                                                                                                                          • Program crash
                                                                                                                                                                                                                                          PID:1484
                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                      C:\Windows\SysWOW64\WerFault.exe -u -p 3216 -s 1084
                                                                                                                                                                                                                                      22⤵
                                                                                                                                                                                                                                      • Program crash
                                                                                                                                                                                                                                      PID:4768
                                                                                                                                                                                                                                • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                  C:\Windows\SysWOW64\WerFault.exe -u -p 2372 -s 2252
                                                                                                                                                                                                                                  20⤵
                                                                                                                                                                                                                                  • Program crash
                                                                                                                                                                                                                                  PID:2684
                                                                                                                                                                                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                              C:\Windows\SysWOW64\WerFault.exe -u -p 2916 -s 1708
                                                                                                                                                                                                                              18⤵
                                                                                                                                                                                                                              • Program crash
                                                                                                                                                                                                                              PID:2208
                                                                                                                                                                                                                        • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                          C:\Windows\SysWOW64\WerFault.exe -u -p 4200 -s 1708
                                                                                                                                                                                                                          16⤵
                                                                                                                                                                                                                          • Program crash
                                                                                                                                                                                                                          PID:3184
                                                                                                                                                                                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                      C:\Windows\SysWOW64\WerFault.exe -u -p 4584 -s 1712
                                                                                                                                                                                                                      14⤵
                                                                                                                                                                                                                      • Program crash
                                                                                                                                                                                                                      PID:3080
                                                                                                                                                                                                                • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                  C:\Windows\SysWOW64\WerFault.exe -u -p 4312 -s 1092
                                                                                                                                                                                                                  12⤵
                                                                                                                                                                                                                  • Program crash
                                                                                                                                                                                                                  PID:5028
                                                                                                                                                                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                              C:\Windows\SysWOW64\WerFault.exe -u -p 3200 -s 1604
                                                                                                                                                                                                              10⤵
                                                                                                                                                                                                              • Program crash
                                                                                                                                                                                                              PID:1368
                                                                                                                                                                                                        • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                          C:\Windows\SysWOW64\WerFault.exe -u -p 3936 -s 2196
                                                                                                                                                                                                          8⤵
                                                                                                                                                                                                          • Program crash
                                                                                                                                                                                                          PID:2808
                                                                                                                                                                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                      C:\Windows\SysWOW64\WerFault.exe -u -p 4428 -s 2196
                                                                                                                                                                                                      6⤵
                                                                                                                                                                                                      • Program crash
                                                                                                                                                                                                      PID:2416
                                                                                                                                                                                                • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                  C:\Windows\SysWOW64\WerFault.exe -u -p 1040 -s 1644
                                                                                                                                                                                                  4⤵
                                                                                                                                                                                                  • Program crash
                                                                                                                                                                                                  PID:956
                                                                                                                                                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                              C:\Windows\SysWOW64\WerFault.exe -u -p 4500 -s 1692
                                                                                                                                                                                              2⤵
                                                                                                                                                                                              • Program crash
                                                                                                                                                                                              PID:1048
                                                                                                                                                                                          • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                            C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4500 -ip 4500
                                                                                                                                                                                            1⤵
                                                                                                                                                                                              PID:4512
                                                                                                                                                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                              C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1040 -ip 1040
                                                                                                                                                                                              1⤵
                                                                                                                                                                                                PID:3616
                                                                                                                                                                                              • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4428 -ip 4428
                                                                                                                                                                                                1⤵
                                                                                                                                                                                                  PID:3600
                                                                                                                                                                                                • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                  C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 3936 -ip 3936
                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                    PID:3860
                                                                                                                                                                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                    C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3200 -ip 3200
                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                      PID:1776
                                                                                                                                                                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                      C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4312 -ip 4312
                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                        PID:1048
                                                                                                                                                                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                        C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4584 -ip 4584
                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                          PID:896
                                                                                                                                                                                                        • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                          C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4200 -ip 4200
                                                                                                                                                                                                          1⤵
                                                                                                                                                                                                            PID:3628
                                                                                                                                                                                                          • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                            C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2916 -ip 2916
                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                              PID:1204
                                                                                                                                                                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                              C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2372 -ip 2372
                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                                PID:4984
                                                                                                                                                                                                              • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3216 -ip 3216
                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                  PID:4300
                                                                                                                                                                                                                • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                  C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1808 -ip 1808
                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                    PID:3584
                                                                                                                                                                                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                    C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 3180 -ip 3180
                                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                                      PID:4856
                                                                                                                                                                                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                      C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2136 -ip 2136
                                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                                        PID:3648
                                                                                                                                                                                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                        C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2304 -ip 2304
                                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                                          PID:1028
                                                                                                                                                                                                                        • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                          C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3744 -ip 3744
                                                                                                                                                                                                                          1⤵
                                                                                                                                                                                                                            PID:4368
                                                                                                                                                                                                                          • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                            C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1656 -ip 1656
                                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                                              PID:3736
                                                                                                                                                                                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                              C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2748 -ip 2748
                                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                                                PID:428
                                                                                                                                                                                                                              • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2812 -ip 2812
                                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                                  PID:1980
                                                                                                                                                                                                                                • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                  C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4572 -ip 4572
                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                    PID:3600
                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                    C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4116 -ip 4116
                                                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                                                      PID:3624
                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                      C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 436 -ip 436
                                                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                                                        PID:3860
                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                        C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3492 -ip 3492
                                                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                                                          PID:3848
                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                          C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4476 -ip 4476
                                                                                                                                                                                                                                          1⤵
                                                                                                                                                                                                                                            PID:2272
                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                            C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 5020 -ip 5020
                                                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                                                              PID:3560
                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                              C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1276 -ip 1276
                                                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                                                                PID:1116
                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2360 -ip 2360
                                                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                                                  PID:4364
                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                  C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 4052 -ip 4052
                                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                                    PID:3012
                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                    C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 3744 -ip 3744
                                                                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                                                                      PID:2220
                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                      C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 5024 -ip 5024
                                                                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                                                                        PID:1688
                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                        C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2740 -ip 2740
                                                                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                                                                          PID:5060
                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                          C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4856 -ip 4856
                                                                                                                                                                                                                                                          1⤵
                                                                                                                                                                                                                                                            PID:1496
                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                            C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4900 -ip 4900
                                                                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                                                                              PID:1368
                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                              C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1664 -ip 1664
                                                                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                                                                                PID:4572
                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3236 -ip 3236
                                                                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                                                                  PID:2656
                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                  C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3632 -ip 3632
                                                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                                                    PID:3852
                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                    C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 732 -ip 732
                                                                                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                                                                                      PID:4608
                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                      C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1448 -ip 1448
                                                                                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                                                                                        PID:4616
                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                        C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3140 -ip 3140
                                                                                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                                                                                          PID:1852
                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                          C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 5020 -ip 5020
                                                                                                                                                                                                                                                                          1⤵
                                                                                                                                                                                                                                                                            PID:4652
                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                            C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1348 -ip 1348
                                                                                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                                                                                              PID:4416
                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                              C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 2276 -ip 2276
                                                                                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                                                                                                PID:1236
                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4216 -ip 4216
                                                                                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                                                                                  PID:4156
                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                  C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3476 -ip 3476
                                                                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                                                                    PID:3764
                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                    C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1632 -ip 1632
                                                                                                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                                                                                                      PID:4660
                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                      C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 3300 -ip 3300
                                                                                                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                                                                                                        PID:3944
                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                        C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 3180 -ip 3180
                                                                                                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                                                                                                          PID:2328
                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                          C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3684 -ip 3684
                                                                                                                                                                                                                                                                                          1⤵
                                                                                                                                                                                                                                                                                            PID:816

                                                                                                                                                                                                                                                                                          Network

                                                                                                                                                                                                                                                                                          MITRE ATT&CK Enterprise v15

                                                                                                                                                                                                                                                                                          Downloads

                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\1AnkaXAxbGdg.bat

                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                            203B

                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\41NikejsFLmb.bat

                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                            203B

                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\BCakoDi9sIUF.bat

                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                            203B

                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\DAWI7lul1NFB.bat

                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                            203B

                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\FBobXFTs1JH3.bat

                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                            203B

                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\FlGxBAEgCNXH.bat

                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                            203B

                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\GSZJfScaf9xq.bat

                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                            203B

                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\JQxgiRiKmi44.bat

                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                            203B

                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\KYK7v4vdaIsR.bat

                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                            203B

                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\LRH25xKBWgUL.bat

                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                            203B

                                                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                                                            90639161a94211d95c5977e8deef8b94

                                                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                                                            0b87ed8b1daff00a3ce4abb9d0878ac9b6f2a826

                                                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                                                            50c2d8aadf36eaf6416a306b9530b55eb0b1bd5f1498c19081b7d7a837033fdd

                                                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                                                            0d27077eb833b5461067e83bed8d79276aaa16b50f83c3b0c53fd1242e4559a6e30f06e64c87727662833793ccda61867c68d1a6bb3e402fe7d2f2d04b228e09

                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\NW9vsXkGJSbf.bat

                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                            203B

                                                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                                                            338e8c832291b085b57012f29fb1b38f

                                                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                                                            8256e59a9be02da925219fd59c3eac51e890d077

                                                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                                                            390632c0e731d9699dd3ac3fce2254727a57cd68ad840c29cd4d0e2599f8f829

                                                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                                                            fb22687db035f65e65be2b20dbaa126cc49a4557e84f14f5da73e14e16dbbfc51f0eb44a6e47d81c6235b9b44c201a07548e2025ba3c1d70aa5bd0b4ab9aeacf

                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\PxVGb8BEKZUx.bat

                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                            203B

                                                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                                                            f43e3d3eebb0947dfa907ead3225fc33

                                                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                                                            bb18800c36416199833fccf964230ce0e0afe9fe

                                                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                                                            87cb8f92cf84be97daf1bebdc228e12f33e9d7986c52fe40ab7665a964ff44e5

                                                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                                                            7c0d2198e291321908bac824a026dea936a065f211a106e0ee99b80b38f34e4d378f702658908f512ca6738aca17e9a2ac5a03523af23b675b12b832ff083d00

                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\QSvNRaTrjbHO.bat

                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                            203B

                                                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                                                            3e83cdc332f9e55ef971d531120499a1

                                                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                                                            ff6c83b06348164c48f92d5513158fda986e5c3e

                                                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                                                            adf9e11b3501964138ea5f6b3f36433924dcb61cce5d6b9eb3ebc161e3e5b247

                                                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                                                            5c8b8e6995746547ce5526c9b1fc37a957df0684296e311a2914c446ce1820a635eeaa45808c94c1c848f466d481e3c5ce2ec010ebdfe9995f0e9ed6b23a0de4

                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\RGPbZqG72WwD.bat

                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                            203B

                                                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                                                            4e8e258feee004e2452a862274c46877

                                                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                                                            5fd1830be73668fe061f6a5f40c8ff4ef8f13cf7

                                                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                                                            5fe797a37d20acbcf6ce75371b0032a0b1daeaeda29090eed8e94def5ca7eb89

                                                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                                                            e2d713d6c63dfed3605411611196dc5cf74e306fc1bf310357781cced0a7bd3e9b1e7d96f0fb54ba16af98f7da5332d74c7c37659f283bc5003bd28021cad7fe

                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\TX0FiJRUuTMF.bat

                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                            203B

                                                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                                                            cf9dd02a9b5660bf1d4025a74d524e91

                                                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                                                            8e3bb7cf64901ac233dde4529886159e9d8d7899

                                                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                                                            4cc22e501591107592b1f1cc9ae311ec85ebedad11880614842d220e6dd1a61b

                                                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                                                            5b27a5309738b4f5af150acaeac507c47abde557cc0d1a33341d9b949253e75c7559dc49f490861f8d5b42d3ac9b7a6c62618ab69aa1675e210aa3fad15948ba

                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\V0LrS5wB9xNE.bat

                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                            203B

                                                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                                                            3be7156ec15e4e16861ac138586768e6

                                                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                                                            304e20c2fc28a306a010d94822a55196295ca456

                                                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                                                            95b9ba920efe07c595ecb25527243a4c5a9b766d7c03e6b6e8546fb801e57a86

                                                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                                                            8fd0f926762c2d87aafc365b4e3a16168d4e72b660448e985620b0a9020c2210e6e5a6aa3795fc081295f5704cb9ab4ddb1873927a94fce83b6b474eb6edd357

                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\WiGrO8cV5m6a.bat

                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                            203B

                                                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                                                            aa05e067a8c6c15b11284704f70b39cb

                                                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                                                            1061d56d7b6c463727dc6e403028e77b9eef2222

                                                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                                                            3458e31d67b6f1d689e4fb2cd47d3171e685bcda738b200c69cb3c45dd6d3049

                                                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                                                            a6dcd4d9e21921560ae74841ebca802407423bf5fcd068374f4feb26911d927b3c8edee2a11cf702864ed03006d4e6ad097f1c1738606249215d2977dff62662

                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\WxgNQsRHxwJ5.bat

                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                            203B

                                                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                                                            26c01633e6b6cecc93380fcfdf9da8e8

                                                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                                                            71166af10ea8d0b317cade8aaa3098acb9dcdcab

                                                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                                                            4b9009ee35817e940dfee6a3f022b581d9fb2d43c0392aae62915849f659905f

                                                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                                                            2773b25aae864158e34a44a87feaf5a88592458f7b8b2275679e4c3ca86bc5a00c85cf176e3404128aa1840571b628d834104e89bcc62edddaa582f8e7d59fcd

                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\YvaM3dzYIf8g.bat

                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                            203B

                                                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                                                            1cf8a63dc1fab983cf71af5471d228d4

                                                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                                                            db105425a6beee9ce6980c3de7612606ef99e22b

                                                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                                                            a8302b0b9bab85aaa006a3ad8021870f0d38b147e46e32271ae61d0164197aff

                                                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                                                            837c8f305be1d758e544dd7f10f3acc8fbabeac05390ffaa7549fcf952e8b33f4f469e75f2e7ca188b71ba3038bf3d11d647131be0382c599cd269748107a5b2

                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\dYyTCmFxvhPX.bat

                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                            203B

                                                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                                                            5934bc1608e0b13e070660233ba965aa

                                                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                                                            03feb71ecb4ee35e3832dc9f48c92ba8c7ae5015

                                                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                                                            a7f404466f462699a0578a653feec7482aa6b54e720e14cb00a59e99055a4c63

                                                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                                                            68cda232eb3953bca33a947945dd97c709a615c74acfddb3ae3d35890c43b9386035a8e8d7a5167fa36d778a7989522ac21dd8e78fd42f51d70498e9d788d259

                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\dv19qaJGWANb.bat

                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                            203B

                                                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                                                            f28157b05bc2089d4ef3e68ef1cb4dce

                                                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                                                            cbbc58da44f592001cdc72bbec0c86d7f6e961c1

                                                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                                                            83c7420265cb80ffba5f32d85c862d499d2fba982b2b2a17c49e75a456989323

                                                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                                                            d44351d9c514ddc0c82588f38991b0989d4a2a4e553161b40a4dd2020448d101605f45aacb04bb89415fccf41eba8c006c305a4e0a3f74d9b358f46ccade52c9

                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\eR1I1nIPHH07.bat

                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                            203B

                                                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                                                            5c194ac55b90c7e5c220874c32c5787f

                                                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                                                            aa4c2286a1ade97fadf203d56420183b0f81b8dd

                                                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                                                            49cfdd1719dfe0cc5092ac107f23adb7ffca416cb9945d04d5ed7bfd7e0c8b99

                                                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                                                            95ec0a250bf352fec3e4e3fe2d5f161627f00b3d994d7a4751368bba256f08c98eead0215fbaa832416f7118178c108f5f48daa023ac6a08eb4889f5d1207630

                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\gEfCj2jbV2vK.bat

                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                            203B

                                                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                                                            ff43018e1549481d8a50a7c9d338c005

                                                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                                                            b310161c7e0c74bcb5b617434a18e9b6472cad73

                                                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                                                            c50952f51a718aedd5932b16c54901f93593e9e375d4d167ef169c9324f3adab

                                                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                                                            3bf2467bd632f6bf5f0e93c9c260a10210e36f806643db1493470d0cb7f02d06c88968f11a43450c9689fe283d29abf09f94c0bdeb5745612e00baeda4daacc8

                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\iGci9aisTcue.bat

                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                            203B

                                                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                                                            8c5e77ed346ede7e815d224230f491b2

                                                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                                                            e415f36a25086d606b2db13cacce713d80adf08e

                                                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                                                            cc969e5e9463d8da2d5658496a8109053838a79a8f13a285382d266f6d323860

                                                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                                                            8baa30bfc0dd639a6121c3dca2c048a1d9ee6e38deda2ab5fa7201486381717ab39e0ec78d7a33c466a3f1c8902b8561c9ae9d3bf4c3cb6cb86266c242688d71

                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\lo8ZiCNxyyKt.bat

                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                            203B

                                                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                                                            affe84edb93c0a346235d96e160b5b6b

                                                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                                                            3c831f2a04505b1a966969c261d6fa5f55fb8b3b

                                                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                                                            9f3f6795d1f86299f536a8a69b3311871b4ce066b2aa327c1d79785db6854bca

                                                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                                                            c33af6a2d450d8d9cb66cfb2037bb0b9c074fc46f41f2e784a00958db13a55bbb8d9d5d64501106dd92e550b54307de30a4b1a78245cf57a38470695be6efe4a

                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\oT8nYospzh4b.bat

                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                            203B

                                                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                                                            72c02f51a442f6abaf1acdf57d91bdee

                                                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                                                            c9752c727a96b91109cc3d17176d6597e6b6f086

                                                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                                                            fd6993fde539872c0a35fdf547445260565def8391e29c3e698418fa17254004

                                                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                                                            1db391dc0a1a52609ed80a4ec5cec539f13c1dfe8ecfd5718baa103e8f54e1340e82d5093005436fce764a992dae24c7b02862d50a4b80fe4ae2aa2c8e3b90d5

                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\qrEswbB7h5AM.bat

                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                            203B

                                                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\sriuu7QuOuq1.bat

                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                            203B

                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\tMlBTtgjkhLD.bat

                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                            203B

                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\uSiFwlpTA2Zu.bat

                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                            203B

                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\x6i2T9ygz6Gx.bat

                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                            203B

                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\xQ5cykvDGbg8.bat

                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                            203B

                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Roaming\Logs\06-27-2024

                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                            224B

                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Roaming\Logs\06-27-2024

                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                            224B

                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Roaming\Logs\06-27-2024

                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                            224B

                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Roaming\Logs\06-27-2024

                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                            224B

                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Roaming\Logs\06-27-2024

                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                            224B

                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Roaming\Logs\06-27-2024

                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                            224B

                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Roaming\Logs\06-27-2024

                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                            224B

                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Roaming\Logs\06-27-2024

                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                            224B

                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Roaming\Logs\06-27-2024

                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                            224B

                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Roaming\Logs\06-27-2024

                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                            224B

                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Roaming\Logs\06-27-2024

                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                            224B

                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Roaming\Logs\06-27-2024

                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                            224B

                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Roaming\Logs\06-27-2024

                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Roaming\Logs\06-27-2024

                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                            224B
