Malware Analysis Report

2024-10-19 06:32

Sample ID 240627-1qqv3svhmp
Target Loader.exe
SHA256 90a58064c6df293fc564fa5b616c737f6fd31f6288433da2030ec56d6dc46962
Tags
seroxen quasar persistence spyware trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

90a58064c6df293fc564fa5b616c737f6fd31f6288433da2030ec56d6dc46962

Threat Level: Known bad

The file Loader.exe was found to be: Known bad.

Malicious Activity Summary

seroxen quasar persistence spyware trojan

Quasar RAT

Quasar family

Quasar payload

Checks computer location settings

Adds Run key to start application

Looks up external IP address via web service

Program crash

Enumerates physical storage devices

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Runs ping.exe

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Scheduled Task/Job: Scheduled Task

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-27 21:51

Signatures

Quasar family

quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-27 21:51

Reported

2024-06-27 22:09

Platform

win10v2004-20240508-en

Max time kernel

1043s

Max time network

1047s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Defender Anti-Malware Disable Startup = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Loader.exe\"" C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A
N/A ip-api.com N/A N/A
N/A ip-api.com N/A N/A
N/A ip-api.com N/A N/A
N/A ip-api.com N/A N/A
N/A ip-api.com N/A N/A
N/A ip-api.com N/A N/A
N/A ip-api.com N/A N/A
N/A ip-api.com N/A N/A
N/A ip-api.com N/A N/A
N/A ip-api.com N/A N/A
N/A ip-api.com N/A N/A
N/A ip-api.com N/A N/A
N/A ip-api.com N/A N/A
N/A ip-api.com N/A N/A
N/A ip-api.com N/A N/A
N/A ip-api.com N/A N/A
N/A ip-api.com N/A N/A
N/A ip-api.com N/A N/A
N/A ip-api.com N/A N/A
N/A ip-api.com N/A N/A
N/A ip-api.com N/A N/A
N/A ip-api.com N/A N/A
N/A ip-api.com N/A N/A
N/A ip-api.com N/A N/A
N/A api.ipify.org N/A N/A
N/A ip-api.com N/A N/A
N/A ip-api.com N/A N/A
N/A ip-api.com N/A N/A
N/A ip-api.com N/A N/A
N/A ip-api.com N/A N/A
N/A ip-api.com N/A N/A
N/A ip-api.com N/A N/A
N/A ip-api.com N/A N/A
N/A ip-api.com N/A N/A
N/A ip-api.com N/A N/A
N/A ip-api.com N/A N/A
N/A ip-api.com N/A N/A
N/A ip-api.com N/A N/A
N/A ip-api.com N/A N/A
N/A ip-api.com N/A N/A
N/A ip-api.com N/A N/A
N/A ip-api.com N/A N/A
N/A ip-api.com N/A N/A
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\Loader.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\Loader.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\Loader.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\Loader.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\Loader.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\Loader.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\Loader.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\Loader.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\Loader.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\Loader.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\Loader.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\Loader.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\Loader.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\Loader.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\Loader.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\Loader.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\Loader.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\Loader.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\Loader.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\Loader.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\Loader.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\Loader.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\Loader.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\Loader.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\Loader.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\Loader.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\Loader.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\Loader.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\Loader.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\Loader.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\Loader.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\Loader.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\Loader.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\Loader.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\Loader.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\Loader.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\Loader.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\Loader.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\Loader.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\Loader.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\Loader.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\Loader.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\Loader.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\Loader.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\Loader.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\Loader.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\Loader.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\Loader.exe

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4500 wrote to memory of 4404 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Windows\SysWOW64\schtasks.exe
PID 4500 wrote to memory of 4404 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Windows\SysWOW64\schtasks.exe
PID 4500 wrote to memory of 4404 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Windows\SysWOW64\schtasks.exe
PID 4500 wrote to memory of 5060 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Windows\SysWOW64\cmd.exe
PID 4500 wrote to memory of 5060 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Windows\SysWOW64\cmd.exe
PID 4500 wrote to memory of 5060 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Windows\SysWOW64\cmd.exe
PID 5060 wrote to memory of 1664 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 5060 wrote to memory of 1664 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 5060 wrote to memory of 1664 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 5060 wrote to memory of 3264 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 5060 wrote to memory of 3264 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 5060 wrote to memory of 3264 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 5060 wrote to memory of 1040 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\Loader.exe
PID 5060 wrote to memory of 1040 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\Loader.exe
PID 5060 wrote to memory of 1040 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\Loader.exe
PID 1040 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Windows\SysWOW64\schtasks.exe
PID 1040 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Windows\SysWOW64\schtasks.exe
PID 1040 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Windows\SysWOW64\schtasks.exe
PID 1040 wrote to memory of 4988 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Windows\SysWOW64\cmd.exe
PID 1040 wrote to memory of 4988 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Windows\SysWOW64\cmd.exe
PID 1040 wrote to memory of 4988 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Windows\SysWOW64\cmd.exe
PID 4988 wrote to memory of 4604 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 4988 wrote to memory of 4604 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 4988 wrote to memory of 4604 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 4988 wrote to memory of 4044 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4988 wrote to memory of 4044 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4988 wrote to memory of 4044 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4988 wrote to memory of 4428 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\Loader.exe
PID 4988 wrote to memory of 4428 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\Loader.exe
PID 4988 wrote to memory of 4428 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\Loader.exe
PID 4428 wrote to memory of 1532 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Windows\SysWOW64\schtasks.exe
PID 4428 wrote to memory of 1532 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Windows\SysWOW64\schtasks.exe
PID 4428 wrote to memory of 1532 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Windows\SysWOW64\schtasks.exe
PID 4428 wrote to memory of 4352 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Windows\SysWOW64\cmd.exe
PID 4428 wrote to memory of 4352 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Windows\SysWOW64\cmd.exe
PID 4428 wrote to memory of 4352 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Windows\SysWOW64\cmd.exe
PID 4352 wrote to memory of 684 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 4352 wrote to memory of 684 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 4352 wrote to memory of 684 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 4352 wrote to memory of 2076 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4352 wrote to memory of 2076 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4352 wrote to memory of 2076 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4352 wrote to memory of 3936 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\Loader.exe
PID 4352 wrote to memory of 3936 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\Loader.exe
PID 4352 wrote to memory of 3936 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\Loader.exe
PID 3936 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Windows\SysWOW64\schtasks.exe
PID 3936 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Windows\SysWOW64\schtasks.exe
PID 3936 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Windows\SysWOW64\schtasks.exe
PID 3936 wrote to memory of 4824 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Windows\SysWOW64\cmd.exe
PID 3936 wrote to memory of 4824 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Windows\SysWOW64\cmd.exe
PID 3936 wrote to memory of 4824 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Windows\SysWOW64\cmd.exe
PID 4824 wrote to memory of 3028 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 4824 wrote to memory of 3028 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 4824 wrote to memory of 3028 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 4824 wrote to memory of 3328 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4824 wrote to memory of 3328 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4824 wrote to memory of 3328 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4824 wrote to memory of 3200 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\Loader.exe
PID 4824 wrote to memory of 3200 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\Loader.exe
PID 4824 wrote to memory of 3200 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\Loader.exe
PID 3200 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Windows\SysWOW64\schtasks.exe
PID 3200 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Windows\SysWOW64\schtasks.exe
PID 3200 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Windows\SysWOW64\schtasks.exe
PID 3200 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Windows Defender Anti-Malware Disable Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Loader.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iGci9aisTcue.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4500 -ip 4500

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4500 -s 1692

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Windows Defender Anti-Malware Disable Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Loader.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FBobXFTs1JH3.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1040 -ip 1040

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1040 -s 1644

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Windows Defender Anti-Malware Disable Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Loader.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YvaM3dzYIf8g.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4428 -ip 4428

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4428 -s 2196

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Windows Defender Anti-Malware Disable Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Loader.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NW9vsXkGJSbf.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 3936 -ip 3936

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3936 -s 2196

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Windows Defender Anti-Malware Disable Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Loader.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TX0FiJRUuTMF.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3200 -ip 3200

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3200 -s 1604

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Windows Defender Anti-Malware Disable Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Loader.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sriuu7QuOuq1.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4312 -ip 4312

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4312 -s 1092

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Windows Defender Anti-Malware Disable Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Loader.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oT8nYospzh4b.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4584 -ip 4584

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4584 -s 1712

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Windows Defender Anti-Malware Disable Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Loader.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LRH25xKBWgUL.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4200 -ip 4200

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4200 -s 1708

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Windows Defender Anti-Malware Disable Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Loader.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WiGrO8cV5m6a.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2916 -ip 2916

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2916 -s 1708

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Windows Defender Anti-Malware Disable Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Loader.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\x6i2T9ygz6Gx.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2372 -ip 2372

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2372 -s 2252

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Windows Defender Anti-Malware Disable Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Loader.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qrEswbB7h5AM.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3216 -ip 3216

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3216 -s 1084

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Windows Defender Anti-Malware Disable Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Loader.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eR1I1nIPHH07.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1808 -ip 1808

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1808 -s 1096

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Windows Defender Anti-Malware Disable Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Loader.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QSvNRaTrjbHO.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 3180 -ip 3180

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3180 -s 1092

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Windows Defender Anti-Malware Disable Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Loader.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xQ5cykvDGbg8.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2136 -ip 2136

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2136 -s 2248

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Windows Defender Anti-Malware Disable Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Loader.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dv19qaJGWANb.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2304 -ip 2304

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2304 -s 1720

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Windows Defender Anti-Malware Disable Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Loader.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JQxgiRiKmi44.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3744 -ip 3744

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3744 -s 2248

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Windows Defender Anti-Malware Disable Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Loader.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KYK7v4vdaIsR.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1656 -ip 1656

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1656 -s 1092

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Windows Defender Anti-Malware Disable Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Loader.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RGPbZqG72WwD.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2748 -ip 2748

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2748 -s 2248

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Windows Defender Anti-Malware Disable Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Loader.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WxgNQsRHxwJ5.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2812 -ip 2812

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2812 -s 2232

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Windows Defender Anti-Malware Disable Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Loader.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gEfCj2jbV2vK.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4572 -ip 4572

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4572 -s 1096

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Windows Defender Anti-Malware Disable Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Loader.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uSiFwlpTA2Zu.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4116 -ip 4116

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4116 -s 1668

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Windows Defender Anti-Malware Disable Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Loader.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1AnkaXAxbGdg.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 436 -ip 436

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 436 -s 1708

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Windows Defender Anti-Malware Disable Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Loader.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GSZJfScaf9xq.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3492 -ip 3492

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3492 -s 1096

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Windows Defender Anti-Malware Disable Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Loader.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\41NikejsFLmb.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4476 -ip 4476

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4476 -s 1720

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Windows Defender Anti-Malware Disable Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Loader.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FlGxBAEgCNXH.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 5020 -ip 5020

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 2252

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Windows Defender Anti-Malware Disable Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Loader.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PxVGb8BEKZUx.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1276 -ip 1276

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1276 -s 1092

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Windows Defender Anti-Malware Disable Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Loader.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tMlBTtgjkhLD.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2360 -ip 2360

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2360 -s 2236

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Windows Defender Anti-Malware Disable Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Loader.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DAWI7lul1NFB.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 4052 -ip 4052

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4052 -s 1096

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Windows Defender Anti-Malware Disable Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Loader.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dYyTCmFxvhPX.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 3744 -ip 3744

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3744 -s 2248

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Windows Defender Anti-Malware Disable Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Loader.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lo8ZiCNxyyKt.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 5024 -ip 5024

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5024 -s 1092

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Windows Defender Anti-Malware Disable Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Loader.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BCakoDi9sIUF.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2740 -ip 2740

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2740 -s 2248

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Windows Defender Anti-Malware Disable Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Loader.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\V0LrS5wB9xNE.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4856 -ip 4856

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4856 -s 1720

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Windows Defender Anti-Malware Disable Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Loader.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EW576fVYvKla.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4900 -ip 4900

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4900 -s 2248

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Windows Defender Anti-Malware Disable Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Loader.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hPh7xsSpWcor.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1664 -ip 1664

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1664 -s 1096

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Windows Defender Anti-Malware Disable Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Loader.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jbo43i0uk5Io.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3236 -ip 3236

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3236 -s 2248

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Windows Defender Anti-Malware Disable Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Loader.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Uci9TVBMDPZ5.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3632 -ip 3632

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3632 -s 1092

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Windows Defender Anti-Malware Disable Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Loader.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\juViZQdzHJsF.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 732 -ip 732

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 732 -s 1096

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Windows Defender Anti-Malware Disable Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Loader.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\d0GfCYWg4GIp.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1448 -ip 1448

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1448 -s 1712

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Windows Defender Anti-Malware Disable Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Loader.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\P5tGVY2txUFf.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3140 -ip 3140

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3140 -s 1096

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Windows Defender Anti-Malware Disable Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Loader.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NCTyvR5tFFM9.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 5020 -ip 5020

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 2200

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Windows Defender Anti-Malware Disable Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Loader.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\POau1GezUip6.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1348 -ip 1348

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1348 -s 2248

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Windows Defender Anti-Malware Disable Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Loader.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oiIZD4ePx8Kt.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 2276 -ip 2276

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2276 -s 1092

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Windows Defender Anti-Malware Disable Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Loader.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gJuj50v138qY.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4216 -ip 4216

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4216 -s 2232

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Windows Defender Anti-Malware Disable Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Loader.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fUDwO6Kmmndb.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3476 -ip 3476

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3476 -s 2232

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Windows Defender Anti-Malware Disable Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Loader.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RV61otUEE7us.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1632 -ip 1632

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1632 -s 1092

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Windows Defender Anti-Malware Disable Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Loader.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HbYLucAld9Xd.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 3300 -ip 3300

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3300 -s 2248

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Windows Defender Anti-Malware Disable Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Loader.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IH1NzuBc2mDb.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 3180 -ip 3180

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3180 -s 1708

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Windows Defender Anti-Malware Disable Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Loader.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AscWqqSE8lkG.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3684 -ip 3684

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3684 -s 1092

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 freegeoip.net udp
US 8.8.8.8:53 api.ipify.org udp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 freegeoip.net udp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 freegeoip.net udp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 freegeoip.net udp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 freegeoip.net udp
US 8.8.8.8:53 freegeoip.net udp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 freegeoip.net udp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 freegeoip.net udp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 freegeoip.net udp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 freegeoip.net udp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 freegeoip.net udp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 freegeoip.net udp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 freegeoip.net udp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 freegeoip.net udp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 freegeoip.net udp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 freegeoip.net udp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 freegeoip.net udp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 freegeoip.net udp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 freegeoip.net udp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 freegeoip.net udp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 freegeoip.net udp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 freegeoip.net udp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 freegeoip.net udp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 freegeoip.net udp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 freegeoip.net udp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 freegeoip.net udp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 freegeoip.net udp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 freegeoip.net udp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 freegeoip.net udp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 freegeoip.net udp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 freegeoip.net udp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 freegeoip.net udp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 freegeoip.net udp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 freegeoip.net udp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 freegeoip.net udp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 freegeoip.net udp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 freegeoip.net udp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 freegeoip.net udp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 freegeoip.net udp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 freegeoip.net udp
US 8.8.8.8:53 freegeoip.net udp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 freegeoip.net udp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 freegeoip.net udp

Files

memory/4500-0-0x000000007454E000-0x000000007454F000-memory.dmp

memory/4500-1-0x0000000000790000-0x00000000007FC000-memory.dmp

memory/4500-2-0x0000000005870000-0x0000000005E14000-memory.dmp

memory/4500-3-0x00000000052C0000-0x0000000005352000-memory.dmp

memory/4500-4-0x0000000074540000-0x0000000074CF0000-memory.dmp

memory/4500-5-0x0000000005200000-0x0000000005266000-memory.dmp

memory/4500-6-0x0000000006020000-0x0000000006032000-memory.dmp

memory/4500-7-0x000000007454E000-0x000000007454F000-memory.dmp

memory/4500-8-0x0000000074540000-0x0000000074CF0000-memory.dmp

memory/4500-10-0x0000000006B00000-0x0000000006B0A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\iGci9aisTcue.bat

MD5 8c5e77ed346ede7e815d224230f491b2
SHA1 e415f36a25086d606b2db13cacce713d80adf08e
SHA256 cc969e5e9463d8da2d5658496a8109053838a79a8f13a285382d266f6d323860
SHA512 8baa30bfc0dd639a6121c3dca2c048a1d9ee6e38deda2ab5fa7201486381717ab39e0ec78d7a33c466a3f1c8902b8561c9ae9d3bf4c3cb6cb86266c242688d71

memory/4500-15-0x0000000074540000-0x0000000074CF0000-memory.dmp

memory/1040-16-0x0000000074540000-0x0000000074CF0000-memory.dmp

memory/1040-17-0x0000000074540000-0x0000000074CF0000-memory.dmp

C:\Users\Admin\AppData\Roaming\Logs\06-27-2024

MD5 a2abaa4d7caed3d27b81c7924cf3e882
SHA1 d40dec701c0504978fb9d47e52835a4fce464cb3
SHA256 a6dca8f61cd94de1107beca1d417446a4bf677521c1758f96198c4b101f1ac04
SHA512 c2d5f8f2c814db548b9558ed884791cbcebf5d2cf25595f185d639297abdd2a95a396df51c19e160b148f3c83d65f51a7c1a768c4d207697727875146711a3b4

C:\Users\Admin\AppData\Local\Temp\FBobXFTs1JH3.bat

MD5 c78279bf5dbd62c10cf195dc200215c8
SHA1 f99bb367bbe129fda5148cb597391007350cd8b7
SHA256 7515c21dd6a40dd3e4209bf03e36d4a6fa0775e8ad957d88df33db5d7f165303
SHA512 810e392d2e872d9d374b7d58c2fd6c2e8d1843243c95672c9b0739514d2bfd2656504d8d90d08379dc58e6766233bee6a5a2f2d9ccfb0b7c48d7068dd29589d6

memory/1040-24-0x0000000074540000-0x0000000074CF0000-memory.dmp

C:\Users\Admin\AppData\Roaming\Logs\06-27-2024

MD5 20f22f5fed41ef7d3afd4665e73a177d
SHA1 3e53aab417f7b42503b307290920fe3787ad7aa3
SHA256 94af0b07a82fe9d61ada860b7ac59f81da0f057e38c2e6d88749fc734dc10e20
SHA512 04e9eff0d97542a551508739f04779950d45a0166d94f3ee38ae3556e44fe930e34ca5a27f52417615fce231d1f365e27f74ab845d1475f02afaf144c128beda

C:\Users\Admin\AppData\Local\Temp\YvaM3dzYIf8g.bat

MD5 1cf8a63dc1fab983cf71af5471d228d4
SHA1 db105425a6beee9ce6980c3de7612606ef99e22b
SHA256 a8302b0b9bab85aaa006a3ad8021870f0d38b147e46e32271ae61d0164197aff
SHA512 837c8f305be1d758e544dd7f10f3acc8fbabeac05390ffaa7549fcf952e8b33f4f469e75f2e7ca188b71ba3038bf3d11d647131be0382c599cd269748107a5b2

C:\Users\Admin\AppData\Roaming\Logs\06-27-2024

MD5 110165161415ffa6aa2c013e371cefd4
SHA1 0b96b1d3fe3faab58dc9a367b54a1878f41c1b10
SHA256 c81933d712a1bf1c424b247aa107a76b11f7019e3c47e554172190a62330520c
SHA512 a80ec6b53594dfa58428caa81f70f413cda93e2a0bcc508e7f4c8d9220735ad886d193c0a75be8613d2a80d6cd27f6575b98b48b41bb5524c51659b30630dfa1

C:\Users\Admin\AppData\Local\Temp\NW9vsXkGJSbf.bat

MD5 338e8c832291b085b57012f29fb1b38f
SHA1 8256e59a9be02da925219fd59c3eac51e890d077
SHA256 390632c0e731d9699dd3ac3fce2254727a57cd68ad840c29cd4d0e2599f8f829
SHA512 fb22687db035f65e65be2b20dbaa126cc49a4557e84f14f5da73e14e16dbbfc51f0eb44a6e47d81c6235b9b44c201a07548e2025ba3c1d70aa5bd0b4ab9aeacf

C:\Users\Admin\AppData\Roaming\Logs\06-27-2024

MD5 747bbb4766d06fdd2c491e29455fe316
SHA1 a176ef5ae9bda4c7715ec5ee44b32eb777bb6a99
SHA256 157b8cd64e721b4faae0a2057b61af19dea121e7ce06d32f7ea7094ffee07c75
SHA512 f6c33a28ea1ee8af49d572264c334ae2ae0d103c9aefb8c9d70bceb132529c7c31d9d8e0267bcaeedc0c4433d9a4568852fc768d1fde753f76333b7b147b83d7

C:\Users\Admin\AppData\Local\Temp\TX0FiJRUuTMF.bat

MD5 cf9dd02a9b5660bf1d4025a74d524e91
SHA1 8e3bb7cf64901ac233dde4529886159e9d8d7899
SHA256 4cc22e501591107592b1f1cc9ae311ec85ebedad11880614842d220e6dd1a61b
SHA512 5b27a5309738b4f5af150acaeac507c47abde557cc0d1a33341d9b949253e75c7559dc49f490861f8d5b42d3ac9b7a6c62618ab69aa1675e210aa3fad15948ba

C:\Users\Admin\AppData\Roaming\Logs\06-27-2024

MD5 3b647d06ee5b8ecb7ccdb656c78f1be3
SHA1 ea7a7c4198231e2edb79106cd1bbb1df10b3e32c
SHA256 b3c7e42a2668263b679d3bcd9b96d0907232778f308469ce288309d3db2bdfdb
SHA512 5db4fa0c4da36b2c2ae25c38c539f65f558bdc43b9368461b5485454f34b7c6f56fa260933fe89d8f35d9297a0859ab091aa6fea53e8b805871479adaeff9f84

C:\Users\Admin\AppData\Local\Temp\sriuu7QuOuq1.bat

MD5 ded3417c5b9a2d18d22fc9c2b81220da
SHA1 0274d3f55955c43a31e9850bffa7685283d533e2
SHA256 b6ae77733abca4a06c681bdc5b346c1bcc7dd6eda2b42dd1fb85dddfd7d5bf8f
SHA512 49dcb740da82a3c03a3e49977674ca3259854360b968d2cad6753c9efc0fa1b073a36566e295be60cb6ec11748d23e52e97ef1046d49f569afab5f0e8c5536ac

C:\Users\Admin\AppData\Roaming\Logs\06-27-2024

MD5 3393e4f84bf10eb5686087b3e2ef2415
SHA1 f3da4b873a57e4632ad0e60f5a3a0bc2bb990207
SHA256 bf8a8a9b0f6681f778d0e94d3c8640075a98f26ffcfd9b30efb2730b4169aa03
SHA512 b5a961af676bd908a730067497b5a74e3d17a558bc69ea1be1899199a997036674239fb641505895fe76c37229742f60eff3ee0416cd67f98ddd0253a98fb831

C:\Users\Admin\AppData\Local\Temp\oT8nYospzh4b.bat

MD5 72c02f51a442f6abaf1acdf57d91bdee
SHA1 c9752c727a96b91109cc3d17176d6597e6b6f086
SHA256 fd6993fde539872c0a35fdf547445260565def8391e29c3e698418fa17254004
SHA512 1db391dc0a1a52609ed80a4ec5cec539f13c1dfe8ecfd5718baa103e8f54e1340e82d5093005436fce764a992dae24c7b02862d50a4b80fe4ae2aa2c8e3b90d5

C:\Users\Admin\AppData\Roaming\Logs\06-27-2024

MD5 233f920d0319012b6bcbcc248f424c1a
SHA1 4fecca333360b13db2a3c2c6aaf40aac121ac3ff
SHA256 a16a28e27e20554971fac5ce4cc1de675d0d2a5894d7b16de2731e89d749666f
SHA512 99a341e3122406246d0aebeb3db5377d215ff0e18562d343f1cfbec7e58d4befa80b3e971c301f665178dc5a87f32894c186df69c065441baa169fefd7da7106

C:\Users\Admin\AppData\Local\Temp\LRH25xKBWgUL.bat

MD5 90639161a94211d95c5977e8deef8b94
SHA1 0b87ed8b1daff00a3ce4abb9d0878ac9b6f2a826
SHA256 50c2d8aadf36eaf6416a306b9530b55eb0b1bd5f1498c19081b7d7a837033fdd
SHA512 0d27077eb833b5461067e83bed8d79276aaa16b50f83c3b0c53fd1242e4559a6e30f06e64c87727662833793ccda61867c68d1a6bb3e402fe7d2f2d04b228e09

C:\Users\Admin\AppData\Roaming\Logs\06-27-2024

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\WiGrO8cV5m6a.bat

MD5 aa05e067a8c6c15b11284704f70b39cb
SHA1 1061d56d7b6c463727dc6e403028e77b9eef2222
SHA256 3458e31d67b6f1d689e4fb2cd47d3171e685bcda738b200c69cb3c45dd6d3049
SHA512 a6dcd4d9e21921560ae74841ebca802407423bf5fcd068374f4feb26911d927b3c8edee2a11cf702864ed03006d4e6ad097f1c1738606249215d2977dff62662

C:\Users\Admin\AppData\Roaming\Logs\06-27-2024

MD5 63cd273e4a53bea1e98ec10b9674d10f
SHA1 e08856f3164c373a245f27275b9966b261a40236
SHA256 be7b738b671c63209caa1e383751f5b7e4aa9587c729e9cee2d1368b7b66926c
SHA512 fa03f14e34d597264eb63640c7b61c09be93fa687706f00e505acded125c3511fc592fa33a938580c76489da9bec83b385a1782200d49f02bb80341cb83695bc

C:\Users\Admin\AppData\Local\Temp\x6i2T9ygz6Gx.bat

MD5 8fc640d3e1d76d4b48d975b9b5ebc6c9
SHA1 b2d3b7a7002ad3d8af66197607112ebe18e2079f
SHA256 56e03909b36dcedaabb57576f3c024ac58382eeea1663f5429656055e2c54452
SHA512 9e205f9c77f963fdd1c47ec1aece1d213d70b185bd1612cde5ba9df5a2d201dbf0d855cee41cc58be2db30b31c76b0fbb30747a9d19c6ed5acae79233c423f2d

C:\Users\Admin\AppData\Local\Temp\qrEswbB7h5AM.bat

MD5 b6edf31273a503849a92e89439b5f52a
SHA1 6e858a71d020349712aecf8814cea24f305889cc
SHA256 a909cc7875c860634536204525304c3246132d80e024b979c075b5fd39317c74
SHA512 3ef257aca2c0575c09e3083fd1fe0004b43e4ab5d47c78b64581e699299ced0b2aa08b49607dfc3361851bc11fbc6338656df47bfe3ac8e23ca33c303a714f9a

C:\Users\Admin\AppData\Local\Temp\eR1I1nIPHH07.bat

MD5 5c194ac55b90c7e5c220874c32c5787f
SHA1 aa4c2286a1ade97fadf203d56420183b0f81b8dd
SHA256 49cfdd1719dfe0cc5092ac107f23adb7ffca416cb9945d04d5ed7bfd7e0c8b99
SHA512 95ec0a250bf352fec3e4e3fe2d5f161627f00b3d994d7a4751368bba256f08c98eead0215fbaa832416f7118178c108f5f48daa023ac6a08eb4889f5d1207630

C:\Users\Admin\AppData\Local\Temp\QSvNRaTrjbHO.bat

MD5 3e83cdc332f9e55ef971d531120499a1
SHA1 ff6c83b06348164c48f92d5513158fda986e5c3e
SHA256 adf9e11b3501964138ea5f6b3f36433924dcb61cce5d6b9eb3ebc161e3e5b247
SHA512 5c8b8e6995746547ce5526c9b1fc37a957df0684296e311a2914c446ce1820a635eeaa45808c94c1c848f466d481e3c5ce2ec010ebdfe9995f0e9ed6b23a0de4

C:\Users\Admin\AppData\Local\Temp\xQ5cykvDGbg8.bat

MD5 e371a50512daab36760f1994e4a843e5
SHA1 1069f9dd79f0502de3a4789489ce467d62ce3f4e
SHA256 0b5f04100ea968b79f327a886b6d59fb3834c1758d712067dc5e9c6499a1417b
SHA512 5e112edfb383cbee17c302995cbc14496748b9e628e2514b60c919c2cdb551ae65de3f4a3882eeeafaace9c8b09079760c86a2537e9a66c2e81ab9d10137f3cf

C:\Users\Admin\AppData\Local\Temp\dv19qaJGWANb.bat

MD5 f28157b05bc2089d4ef3e68ef1cb4dce
SHA1 cbbc58da44f592001cdc72bbec0c86d7f6e961c1
SHA256 83c7420265cb80ffba5f32d85c862d499d2fba982b2b2a17c49e75a456989323
SHA512 d44351d9c514ddc0c82588f38991b0989d4a2a4e553161b40a4dd2020448d101605f45aacb04bb89415fccf41eba8c006c305a4e0a3f74d9b358f46ccade52c9

C:\Users\Admin\AppData\Roaming\Logs\06-27-2024

MD5 1e74f3e2a666c98f91ac38c8b732f97e
SHA1 81c1e1854a9e09e319acd695aa4dd0157c029d5a
SHA256 3ca82d2e8c2fce2571aba8d935cb1e09f968f8e46c8eeadd428f46f9c0f0fcd1
SHA512 110b1420ebfa42816695ceaa32d2751558be937dafc1be03747f5765b3c432d98294bd34cfc5e285146ffc6f3228e10a365e3af249581662c8b7389f245717d9

C:\Users\Admin\AppData\Local\Temp\JQxgiRiKmi44.bat

MD5 6c70e6fda494ebaaaf15d60a9f2dfb21
SHA1 d4ee40e859abcfbe1d66fc711be4a13be9c75f1f
SHA256 fbb5860fce7260df908874ea57777418a6557a622bb02a36775467e25b4f5ac2
SHA512 80349fe1c14dadc0e0197072f8f98f9284a31cd928c29d8db8888b8586b32900ecfcfaff30bab8b000d5121862643d4d7437767cced04947f6a281f35f1fc1dd

C:\Users\Admin\AppData\Local\Temp\KYK7v4vdaIsR.bat

MD5 733eae6db4af4aa0d9b65730f1dfaed0
SHA1 c3fe25a621ffaf5a7724b3f5c11f3b1a468997ef
SHA256 03ccb66272c1d1e3bd634f8012541b9b0ed6b992b6e42ef2b77fc3b6aaf971b8
SHA512 605b95c207cfa757d9a596c2e292d3c42e241be6c6133d2af84d903c475fae85d84cfa8276f962e39b9f18e663316e4d400c0d78e85f31e02f623265bcb328c6

C:\Users\Admin\AppData\Roaming\Logs\06-27-2024

MD5 1fb2b72d7ed0dff58d26f4c59281c611
SHA1 61acc118b16c1458cbd3193e39cd7cd080b56ea1
SHA256 42471dba37b34bdcad79cec3b77217a95f33e10d0cbea627b613ffcce9fad40d
SHA512 bd68efa72023828fee441a53e09fedfae01c049bc6a55343532f2706650004f6dd17b74d2216ddd7ad9c40aeb17e0284aee562e0fd5f46e7d6975815efd8e3a3

C:\Users\Admin\AppData\Local\Temp\RGPbZqG72WwD.bat

MD5 4e8e258feee004e2452a862274c46877
SHA1 5fd1830be73668fe061f6a5f40c8ff4ef8f13cf7
SHA256 5fe797a37d20acbcf6ce75371b0032a0b1daeaeda29090eed8e94def5ca7eb89
SHA512 e2d713d6c63dfed3605411611196dc5cf74e306fc1bf310357781cced0a7bd3e9b1e7d96f0fb54ba16af98f7da5332d74c7c37659f283bc5003bd28021cad7fe

C:\Users\Admin\AppData\Local\Temp\WxgNQsRHxwJ5.bat

MD5 26c01633e6b6cecc93380fcfdf9da8e8
SHA1 71166af10ea8d0b317cade8aaa3098acb9dcdcab
SHA256 4b9009ee35817e940dfee6a3f022b581d9fb2d43c0392aae62915849f659905f
SHA512 2773b25aae864158e34a44a87feaf5a88592458f7b8b2275679e4c3ca86bc5a00c85cf176e3404128aa1840571b628d834104e89bcc62edddaa582f8e7d59fcd

C:\Users\Admin\AppData\Local\Temp\gEfCj2jbV2vK.bat

MD5 ff43018e1549481d8a50a7c9d338c005
SHA1 b310161c7e0c74bcb5b617434a18e9b6472cad73
SHA256 c50952f51a718aedd5932b16c54901f93593e9e375d4d167ef169c9324f3adab
SHA512 3bf2467bd632f6bf5f0e93c9c260a10210e36f806643db1493470d0cb7f02d06c88968f11a43450c9689fe283d29abf09f94c0bdeb5745612e00baeda4daacc8

C:\Users\Admin\AppData\Roaming\Logs\06-27-2024

MD5 6bb586dee0262ca4bceba7498a34700f
SHA1 675682d0259a4441d8d9ee8435db8dbfafa1ef31
SHA256 8de3d108d1e99cf0147fbd3095a6761fce82c4da8315c85791fbf32a520ae77e
SHA512 0ace6d9bac51408da3a5f32526a0a8dd3d4e14b4aba4e57b230832a90ed5753aa8baf1fc5fa433dbf231f149bf1b0eeaffed9235eccdd34f2f412a8ec751d312

C:\Users\Admin\AppData\Local\Temp\uSiFwlpTA2Zu.bat

MD5 9fee9804c01fe88ad52bbd401441d8d0
SHA1 cd6b6fae638255c003c405bff5a7bfba00933349
SHA256 eafbbfe7cde77651bea3e22c93529a6897c97ccbeb317247abbc42c187215ee1
SHA512 c65c19d5b4d471c651179b629c4455e1dabc1f8330550ffd8c9154b8d6d8b9b84ca45b0847b16131d9c2ac8fcbf7ccdbb5f29391e1189482cd691fb81e2a1556

C:\Users\Admin\AppData\Local\Temp\1AnkaXAxbGdg.bat

MD5 b1c216147c028f355c8f54da8a240439
SHA1 8c4fbb896d09b5d677994173e0a8c9bfaca0a6bb
SHA256 f69e6f46e412a66bfc249a1be3e9c97397fb5ab3b101a45124738fdb4870b328
SHA512 cee566e48820dcbd09e1e6582a19c44d7c29dc4b60d62e29e132dcdcd4e3497fb9e8a2ea3edf7aa1490bf448b97b969b8fd17d5975e97950377815ebb3647dfd

C:\Users\Admin\AppData\Local\Temp\GSZJfScaf9xq.bat

MD5 269615fc77292bd2771bb3ced741d92c
SHA1 a9bb30649da8e3c929e9a742812ef1e10a1663b1
SHA256 ce0f1ee3a90251faadf4a9148b1b3a6735ccdabda0e54a98f7e311cc48887576
SHA512 80065040cfedf8d9da398be0a5f3bfce9ee6f1fe667b9cdbb1ba461177887dee4adfd38f94f0d14824e04ae47f157820f37fb83bc44126675653cef4285c306e

C:\Users\Admin\AppData\Local\Temp\41NikejsFLmb.bat

MD5 3f7aaeb27319ede2e954381c0dbb35d2
SHA1 7875aabc096bb3eec685b5990aea82a676a958eb
SHA256 7d90e954df8129ca568830dd8c358cb4b49e7c74c42aecd5151ca2c393dd9eb1
SHA512 479023f3a14efecfadb039a0a72c31440686319af26f367c4ce24e83bce9b654b213f667f30723334a0f8748ac10266d895d99e789e5627dc81cb3b0f8910079

C:\Users\Admin\AppData\Local\Temp\FlGxBAEgCNXH.bat

MD5 1e88989430cd42f44a05d545b8917ecd
SHA1 7cc0826df1a4ef1047f54cfdaa6baf74792a8e89
SHA256 83bf3ab9b886c2df4cd47859e6d396a33ffa54e676219f4fd389000b67a1a8a2
SHA512 6ac428c7d1d1cfb67fb5d3b09ca9464d6790894ea784b23d74847c792b02bf847e96a4ab5987aadcc493c6d20b643c4e902e64805f20eabca7b1c6ec589f120c

C:\Users\Admin\AppData\Roaming\Logs\06-27-2024

MD5 4a65391798a6f18d2c1745bc0dd22eef
SHA1 7f0e3a4b1bd5e3de5dbafdec03e5304d02a6bd94
SHA256 e23a4a129432c57e7cf1b2aaa3421f6b36afd881fbbb028b0d0994a1eb68466e
SHA512 9c2caeb923ea953510d6c7aa072d28c9516d808e215167625148d15c35733b98afac03f40d2515556076d226b258d00ca7ab199850f159af786243a671489711

C:\Users\Admin\AppData\Local\Temp\PxVGb8BEKZUx.bat

MD5 f43e3d3eebb0947dfa907ead3225fc33
SHA1 bb18800c36416199833fccf964230ce0e0afe9fe
SHA256 87cb8f92cf84be97daf1bebdc228e12f33e9d7986c52fe40ab7665a964ff44e5
SHA512 7c0d2198e291321908bac824a026dea936a065f211a106e0ee99b80b38f34e4d378f702658908f512ca6738aca17e9a2ac5a03523af23b675b12b832ff083d00

C:\Users\Admin\AppData\Local\Temp\tMlBTtgjkhLD.bat

MD5 b890c077e5b4301b10744ba33af502cb
SHA1 3f84d4192d444dd6418404c4cfadec34e1c1a2f7
SHA256 e5a4b4f24a89aba99bb54098f15403a3c75de3b2b0b3e7c45332913bb5c8a587
SHA512 687b3cb3ada0fed3a8d75340023759a5366e58fb4700fdf46090c9e13c86ef9fa3b02deb77ed7a839c2c354bc92b4e5a28b25422b325258c4e5958e418996138

C:\Users\Admin\AppData\Local\Temp\DAWI7lul1NFB.bat

MD5 435e0f377967d11e89e9049cd0666730
SHA1 7420dc9f7a75ce1861ea5bd6c90034ecc7b1a4cd
SHA256 9e51a9180e0f13e9cfa4b71eb44bebca7dded45350ae3805a101576ee4bac6bd
SHA512 473f226f24b5318678e45dbb923219ad7961a14bd6759e13721554a00e86ad042aa61b7e49d08061be7c33914d269f096fd53208bbb54cc13c21df705890b451

C:\Users\Admin\AppData\Roaming\Logs\06-27-2024

MD5 d2e2d87de1d932a18fe8c33b41a75ae1
SHA1 881ae4122e642ff2933401126b5f65b68374e198
SHA256 af1291deed57ee0d9e7d05366e3aae8d9fb863f08c99137a2afdf13beaf933d6
SHA512 6c87fd45232631c4dcbf8611540925de00c228acef560cb783a67ec85c8a18a29d9b41e451c03dfa01e382cd74af110575d9a0177b7d64f7ffffd33f411a4777

C:\Users\Admin\AppData\Local\Temp\dYyTCmFxvhPX.bat

MD5 5934bc1608e0b13e070660233ba965aa
SHA1 03feb71ecb4ee35e3832dc9f48c92ba8c7ae5015
SHA256 a7f404466f462699a0578a653feec7482aa6b54e720e14cb00a59e99055a4c63
SHA512 68cda232eb3953bca33a947945dd97c709a615c74acfddb3ae3d35890c43b9386035a8e8d7a5167fa36d778a7989522ac21dd8e78fd42f51d70498e9d788d259

C:\Users\Admin\AppData\Local\Temp\lo8ZiCNxyyKt.bat

MD5 affe84edb93c0a346235d96e160b5b6b
SHA1 3c831f2a04505b1a966969c261d6fa5f55fb8b3b
SHA256 9f3f6795d1f86299f536a8a69b3311871b4ce066b2aa327c1d79785db6854bca
SHA512 c33af6a2d450d8d9cb66cfb2037bb0b9c074fc46f41f2e784a00958db13a55bbb8d9d5d64501106dd92e550b54307de30a4b1a78245cf57a38470695be6efe4a

C:\Users\Admin\AppData\Local\Temp\BCakoDi9sIUF.bat

MD5 6b987d3827913e7e98667565e7b0c8a7
SHA1 34bbfaf7b99b53aabcc27f32927f0c1992b6ed8d
SHA256 c552e12ae91a1a567abc5669eed4a9f4ae9bf85700acdc5006f9cd4516ea7fe0
SHA512 b0fff192d9d0f1ee4d9bd295957a893385fac6c1f91e0cb51d5225d60f8f11a3fcbb26ca64c905d53a76295c8621e75cffb1b455e150b77fbbf95c1a21e5d926

C:\Users\Admin\AppData\Local\Temp\V0LrS5wB9xNE.bat

MD5 3be7156ec15e4e16861ac138586768e6
SHA1 304e20c2fc28a306a010d94822a55196295ca456
SHA256 95b9ba920efe07c595ecb25527243a4c5a9b766d7c03e6b6e8546fb801e57a86
SHA512 8fd0f926762c2d87aafc365b4e3a16168d4e72b660448e985620b0a9020c2210e6e5a6aa3795fc081295f5704cb9ab4ddb1873927a94fce83b6b474eb6edd357