Analysis Overview
SHA256
90a58064c6df293fc564fa5b616c737f6fd31f6288433da2030ec56d6dc46962
Threat Level: Known bad
The file Loader.exe was found to be: Known bad.
Malicious Activity Summary
Quasar RAT
Quasar family
Quasar payload
Checks computer location settings
Adds Run key to start application
Looks up external IP address via web service
Program crash
Enumerates physical storage devices
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Runs ping.exe
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Scheduled Task/Job: Scheduled Task
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-27 21:51
Signatures
Quasar family
Quasar payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-27 21:51
Reported
2024-06-27 22:09
Platform
win10v2004-20240508-en
Max time kernel
1043s
Max time network
1047s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Loader.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Defender Anti-Malware Disable Startup = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Loader.exe\"" | C:\Users\Admin\AppData\Local\Temp\Loader.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Enumerates physical storage devices
Program crash
Runs ping.exe
Scheduled Task/Job: Scheduled Task
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Anti-Malware Disable Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Loader.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iGci9aisTcue.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4500 -ip 4500
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4500 -s 1692
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Anti-Malware Disable Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Loader.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FBobXFTs1JH3.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1040 -ip 1040
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1040 -s 1644
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Anti-Malware Disable Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Loader.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YvaM3dzYIf8g.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4428 -ip 4428
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4428 -s 2196
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Anti-Malware Disable Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Loader.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NW9vsXkGJSbf.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 3936 -ip 3936
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3936 -s 2196
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Anti-Malware Disable Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Loader.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TX0FiJRUuTMF.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3200 -ip 3200
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3200 -s 1604
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Anti-Malware Disable Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Loader.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sriuu7QuOuq1.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4312 -ip 4312
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4312 -s 1092
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Anti-Malware Disable Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Loader.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oT8nYospzh4b.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4584 -ip 4584
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4584 -s 1712
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Anti-Malware Disable Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Loader.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LRH25xKBWgUL.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4200 -ip 4200
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4200 -s 1708
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Anti-Malware Disable Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Loader.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WiGrO8cV5m6a.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2916 -ip 2916
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2916 -s 1708
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Anti-Malware Disable Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Loader.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\x6i2T9ygz6Gx.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2372 -ip 2372
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2372 -s 2252
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Anti-Malware Disable Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Loader.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qrEswbB7h5AM.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3216 -ip 3216
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3216 -s 1084
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Anti-Malware Disable Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Loader.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eR1I1nIPHH07.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1808 -ip 1808
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1808 -s 1096
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Anti-Malware Disable Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Loader.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QSvNRaTrjbHO.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 3180 -ip 3180
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3180 -s 1092
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Anti-Malware Disable Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Loader.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xQ5cykvDGbg8.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2136 -ip 2136
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2136 -s 2248
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Anti-Malware Disable Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Loader.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dv19qaJGWANb.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2304 -ip 2304
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2304 -s 1720
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Anti-Malware Disable Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Loader.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JQxgiRiKmi44.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3744 -ip 3744
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3744 -s 2248
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Anti-Malware Disable Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Loader.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KYK7v4vdaIsR.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1656 -ip 1656
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1656 -s 1092
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Anti-Malware Disable Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Loader.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RGPbZqG72WwD.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2748 -ip 2748
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2748 -s 2248
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Anti-Malware Disable Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Loader.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WxgNQsRHxwJ5.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2812 -ip 2812
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2812 -s 2232
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Anti-Malware Disable Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Loader.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gEfCj2jbV2vK.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4572 -ip 4572
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4572 -s 1096
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Anti-Malware Disable Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Loader.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uSiFwlpTA2Zu.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4116 -ip 4116
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4116 -s 1668
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Anti-Malware Disable Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Loader.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1AnkaXAxbGdg.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 436 -ip 436
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 436 -s 1708
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Anti-Malware Disable Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Loader.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GSZJfScaf9xq.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3492 -ip 3492
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3492 -s 1096
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Anti-Malware Disable Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Loader.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\41NikejsFLmb.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4476 -ip 4476
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4476 -s 1720
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Anti-Malware Disable Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Loader.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FlGxBAEgCNXH.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 5020 -ip 5020
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 2252
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Anti-Malware Disable Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Loader.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PxVGb8BEKZUx.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1276 -ip 1276
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1276 -s 1092
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Anti-Malware Disable Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Loader.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tMlBTtgjkhLD.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2360 -ip 2360
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2360 -s 2236
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Anti-Malware Disable Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Loader.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DAWI7lul1NFB.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 4052 -ip 4052
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4052 -s 1096
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Anti-Malware Disable Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Loader.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dYyTCmFxvhPX.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 3744 -ip 3744
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3744 -s 2248
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Anti-Malware Disable Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Loader.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lo8ZiCNxyyKt.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 5024 -ip 5024
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5024 -s 1092
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Anti-Malware Disable Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Loader.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BCakoDi9sIUF.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2740 -ip 2740
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2740 -s 2248
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Anti-Malware Disable Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Loader.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\V0LrS5wB9xNE.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4856 -ip 4856
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4856 -s 1720
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Anti-Malware Disable Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Loader.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EW576fVYvKla.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4900 -ip 4900
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4900 -s 2248
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Anti-Malware Disable Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Loader.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hPh7xsSpWcor.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1664 -ip 1664
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1664 -s 1096
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Anti-Malware Disable Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Loader.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jbo43i0uk5Io.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3236 -ip 3236
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3236 -s 2248
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Anti-Malware Disable Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Loader.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Uci9TVBMDPZ5.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3632 -ip 3632
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3632 -s 1092
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Anti-Malware Disable Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Loader.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\juViZQdzHJsF.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 732 -ip 732
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 732 -s 1096
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Anti-Malware Disable Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Loader.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\d0GfCYWg4GIp.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1448 -ip 1448
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1448 -s 1712
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Anti-Malware Disable Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Loader.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\P5tGVY2txUFf.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3140 -ip 3140
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3140 -s 1096
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Anti-Malware Disable Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Loader.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NCTyvR5tFFM9.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 5020 -ip 5020
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 2200
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Anti-Malware Disable Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Loader.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\POau1GezUip6.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1348 -ip 1348
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1348 -s 2248
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Anti-Malware Disable Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Loader.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oiIZD4ePx8Kt.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 2276 -ip 2276
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2276 -s 1092
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Anti-Malware Disable Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Loader.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gJuj50v138qY.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4216 -ip 4216
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4216 -s 2232
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Anti-Malware Disable Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Loader.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fUDwO6Kmmndb.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3476 -ip 3476
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3476 -s 2232
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Anti-Malware Disable Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Loader.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RV61otUEE7us.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1632 -ip 1632
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1632 -s 1092
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Anti-Malware Disable Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Loader.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HbYLucAld9Xd.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 3300 -ip 3300
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3300 -s 2248
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Anti-Malware Disable Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Loader.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IH1NzuBc2mDb.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 3180 -ip 3180
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3180 -s 1708
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Anti-Malware Disable Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Loader.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AscWqqSE8lkG.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3684 -ip 3684
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3684 -s 1092
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
Files
memory/4500-0-0x000000007454E000-0x000000007454F000-memory.dmp
memory/4500-1-0x0000000000790000-0x00000000007FC000-memory.dmp
memory/4500-2-0x0000000005870000-0x0000000005E14000-memory.dmp
memory/4500-3-0x00000000052C0000-0x0000000005352000-memory.dmp
memory/4500-4-0x0000000074540000-0x0000000074CF0000-memory.dmp
memory/4500-5-0x0000000005200000-0x0000000005266000-memory.dmp
memory/4500-6-0x0000000006020000-0x0000000006032000-memory.dmp
memory/4500-7-0x000000007454E000-0x000000007454F000-memory.dmp
memory/4500-8-0x0000000074540000-0x0000000074CF0000-memory.dmp
memory/4500-10-0x0000000006B00000-0x0000000006B0A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\iGci9aisTcue.bat
| MD5 | 8c5e77ed346ede7e815d224230f491b2 |
| SHA1 | e415f36a25086d606b2db13cacce713d80adf08e |
| SHA256 | cc969e5e9463d8da2d5658496a8109053838a79a8f13a285382d266f6d323860 |
| SHA512 | 8baa30bfc0dd639a6121c3dca2c048a1d9ee6e38deda2ab5fa7201486381717ab39e0ec78d7a33c466a3f1c8902b8561c9ae9d3bf4c3cb6cb86266c242688d71 |
memory/4500-15-0x0000000074540000-0x0000000074CF0000-memory.dmp
memory/1040-16-0x0000000074540000-0x0000000074CF0000-memory.dmp
memory/1040-17-0x0000000074540000-0x0000000074CF0000-memory.dmp
C:\Users\Admin\AppData\Roaming\Logs\06-27-2024
| MD5 | a2abaa4d7caed3d27b81c7924cf3e882 |
| SHA1 | d40dec701c0504978fb9d47e52835a4fce464cb3 |
| SHA256 | a6dca8f61cd94de1107beca1d417446a4bf677521c1758f96198c4b101f1ac04 |
| SHA512 | c2d5f8f2c814db548b9558ed884791cbcebf5d2cf25595f185d639297abdd2a95a396df51c19e160b148f3c83d65f51a7c1a768c4d207697727875146711a3b4 |
C:\Users\Admin\AppData\Local\Temp\FBobXFTs1JH3.bat
| MD5 | c78279bf5dbd62c10cf195dc200215c8 |
| SHA1 | f99bb367bbe129fda5148cb597391007350cd8b7 |
| SHA256 | 7515c21dd6a40dd3e4209bf03e36d4a6fa0775e8ad957d88df33db5d7f165303 |
| SHA512 | 810e392d2e872d9d374b7d58c2fd6c2e8d1843243c95672c9b0739514d2bfd2656504d8d90d08379dc58e6766233bee6a5a2f2d9ccfb0b7c48d7068dd29589d6 |
memory/1040-24-0x0000000074540000-0x0000000074CF0000-memory.dmp
C:\Users\Admin\AppData\Roaming\Logs\06-27-2024
| MD5 | 20f22f5fed41ef7d3afd4665e73a177d |
| SHA1 | 3e53aab417f7b42503b307290920fe3787ad7aa3 |
| SHA256 | 94af0b07a82fe9d61ada860b7ac59f81da0f057e38c2e6d88749fc734dc10e20 |
| SHA512 | 04e9eff0d97542a551508739f04779950d45a0166d94f3ee38ae3556e44fe930e34ca5a27f52417615fce231d1f365e27f74ab845d1475f02afaf144c128beda |
C:\Users\Admin\AppData\Local\Temp\YvaM3dzYIf8g.bat
| MD5 | 1cf8a63dc1fab983cf71af5471d228d4 |
| SHA1 | db105425a6beee9ce6980c3de7612606ef99e22b |
| SHA256 | a8302b0b9bab85aaa006a3ad8021870f0d38b147e46e32271ae61d0164197aff |
| SHA512 | 837c8f305be1d758e544dd7f10f3acc8fbabeac05390ffaa7549fcf952e8b33f4f469e75f2e7ca188b71ba3038bf3d11d647131be0382c599cd269748107a5b2 |
C:\Users\Admin\AppData\Roaming\Logs\06-27-2024
| MD5 | 110165161415ffa6aa2c013e371cefd4 |
| SHA1 | 0b96b1d3fe3faab58dc9a367b54a1878f41c1b10 |
| SHA256 | c81933d712a1bf1c424b247aa107a76b11f7019e3c47e554172190a62330520c |
| SHA512 | a80ec6b53594dfa58428caa81f70f413cda93e2a0bcc508e7f4c8d9220735ad886d193c0a75be8613d2a80d6cd27f6575b98b48b41bb5524c51659b30630dfa1 |
C:\Users\Admin\AppData\Local\Temp\NW9vsXkGJSbf.bat
| MD5 | 338e8c832291b085b57012f29fb1b38f |
| SHA1 | 8256e59a9be02da925219fd59c3eac51e890d077 |
| SHA256 | 390632c0e731d9699dd3ac3fce2254727a57cd68ad840c29cd4d0e2599f8f829 |
| SHA512 | fb22687db035f65e65be2b20dbaa126cc49a4557e84f14f5da73e14e16dbbfc51f0eb44a6e47d81c6235b9b44c201a07548e2025ba3c1d70aa5bd0b4ab9aeacf |
C:\Users\Admin\AppData\Roaming\Logs\06-27-2024
| MD5 | 747bbb4766d06fdd2c491e29455fe316 |
| SHA1 | a176ef5ae9bda4c7715ec5ee44b32eb777bb6a99 |
| SHA256 | 157b8cd64e721b4faae0a2057b61af19dea121e7ce06d32f7ea7094ffee07c75 |
| SHA512 | f6c33a28ea1ee8af49d572264c334ae2ae0d103c9aefb8c9d70bceb132529c7c31d9d8e0267bcaeedc0c4433d9a4568852fc768d1fde753f76333b7b147b83d7 |
C:\Users\Admin\AppData\Local\Temp\TX0FiJRUuTMF.bat
| MD5 | cf9dd02a9b5660bf1d4025a74d524e91 |
| SHA1 | 8e3bb7cf64901ac233dde4529886159e9d8d7899 |
| SHA256 | 4cc22e501591107592b1f1cc9ae311ec85ebedad11880614842d220e6dd1a61b |
| SHA512 | 5b27a5309738b4f5af150acaeac507c47abde557cc0d1a33341d9b949253e75c7559dc49f490861f8d5b42d3ac9b7a6c62618ab69aa1675e210aa3fad15948ba |
C:\Users\Admin\AppData\Roaming\Logs\06-27-2024
| MD5 | 3b647d06ee5b8ecb7ccdb656c78f1be3 |
| SHA1 | ea7a7c4198231e2edb79106cd1bbb1df10b3e32c |
| SHA256 | b3c7e42a2668263b679d3bcd9b96d0907232778f308469ce288309d3db2bdfdb |
| SHA512 | 5db4fa0c4da36b2c2ae25c38c539f65f558bdc43b9368461b5485454f34b7c6f56fa260933fe89d8f35d9297a0859ab091aa6fea53e8b805871479adaeff9f84 |
C:\Users\Admin\AppData\Local\Temp\sriuu7QuOuq1.bat
| MD5 | ded3417c5b9a2d18d22fc9c2b81220da |
| SHA1 | 0274d3f55955c43a31e9850bffa7685283d533e2 |
| SHA256 | b6ae77733abca4a06c681bdc5b346c1bcc7dd6eda2b42dd1fb85dddfd7d5bf8f |
| SHA512 | 49dcb740da82a3c03a3e49977674ca3259854360b968d2cad6753c9efc0fa1b073a36566e295be60cb6ec11748d23e52e97ef1046d49f569afab5f0e8c5536ac |
C:\Users\Admin\AppData\Roaming\Logs\06-27-2024
| MD5 | 3393e4f84bf10eb5686087b3e2ef2415 |
| SHA1 | f3da4b873a57e4632ad0e60f5a3a0bc2bb990207 |
| SHA256 | bf8a8a9b0f6681f778d0e94d3c8640075a98f26ffcfd9b30efb2730b4169aa03 |
| SHA512 | b5a961af676bd908a730067497b5a74e3d17a558bc69ea1be1899199a997036674239fb641505895fe76c37229742f60eff3ee0416cd67f98ddd0253a98fb831 |
C:\Users\Admin\AppData\Local\Temp\oT8nYospzh4b.bat
| MD5 | 72c02f51a442f6abaf1acdf57d91bdee |
| SHA1 | c9752c727a96b91109cc3d17176d6597e6b6f086 |
| SHA256 | fd6993fde539872c0a35fdf547445260565def8391e29c3e698418fa17254004 |
| SHA512 | 1db391dc0a1a52609ed80a4ec5cec539f13c1dfe8ecfd5718baa103e8f54e1340e82d5093005436fce764a992dae24c7b02862d50a4b80fe4ae2aa2c8e3b90d5 |
C:\Users\Admin\AppData\Roaming\Logs\06-27-2024
| MD5 | 233f920d0319012b6bcbcc248f424c1a |
| SHA1 | 4fecca333360b13db2a3c2c6aaf40aac121ac3ff |
| SHA256 | a16a28e27e20554971fac5ce4cc1de675d0d2a5894d7b16de2731e89d749666f |
| SHA512 | 99a341e3122406246d0aebeb3db5377d215ff0e18562d343f1cfbec7e58d4befa80b3e971c301f665178dc5a87f32894c186df69c065441baa169fefd7da7106 |
C:\Users\Admin\AppData\Local\Temp\LRH25xKBWgUL.bat
| MD5 | 90639161a94211d95c5977e8deef8b94 |
| SHA1 | 0b87ed8b1daff00a3ce4abb9d0878ac9b6f2a826 |
| SHA256 | 50c2d8aadf36eaf6416a306b9530b55eb0b1bd5f1498c19081b7d7a837033fdd |
| SHA512 | 0d27077eb833b5461067e83bed8d79276aaa16b50f83c3b0c53fd1242e4559a6e30f06e64c87727662833793ccda61867c68d1a6bb3e402fe7d2f2d04b228e09 |
C:\Users\Admin\AppData\Roaming\Logs\06-27-2024
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Temp\WiGrO8cV5m6a.bat
| MD5 | aa05e067a8c6c15b11284704f70b39cb |
| SHA1 | 1061d56d7b6c463727dc6e403028e77b9eef2222 |
| SHA256 | 3458e31d67b6f1d689e4fb2cd47d3171e685bcda738b200c69cb3c45dd6d3049 |
| SHA512 | a6dcd4d9e21921560ae74841ebca802407423bf5fcd068374f4feb26911d927b3c8edee2a11cf702864ed03006d4e6ad097f1c1738606249215d2977dff62662 |
C:\Users\Admin\AppData\Roaming\Logs\06-27-2024
| MD5 | 63cd273e4a53bea1e98ec10b9674d10f |
| SHA1 | e08856f3164c373a245f27275b9966b261a40236 |
| SHA256 | be7b738b671c63209caa1e383751f5b7e4aa9587c729e9cee2d1368b7b66926c |
| SHA512 | fa03f14e34d597264eb63640c7b61c09be93fa687706f00e505acded125c3511fc592fa33a938580c76489da9bec83b385a1782200d49f02bb80341cb83695bc |
C:\Users\Admin\AppData\Local\Temp\x6i2T9ygz6Gx.bat
| MD5 | 8fc640d3e1d76d4b48d975b9b5ebc6c9 |
| SHA1 | b2d3b7a7002ad3d8af66197607112ebe18e2079f |
| SHA256 | 56e03909b36dcedaabb57576f3c024ac58382eeea1663f5429656055e2c54452 |
| SHA512 | 9e205f9c77f963fdd1c47ec1aece1d213d70b185bd1612cde5ba9df5a2d201dbf0d855cee41cc58be2db30b31c76b0fbb30747a9d19c6ed5acae79233c423f2d |
C:\Users\Admin\AppData\Local\Temp\qrEswbB7h5AM.bat
| MD5 | b6edf31273a503849a92e89439b5f52a |
| SHA1 | 6e858a71d020349712aecf8814cea24f305889cc |
| SHA256 | a909cc7875c860634536204525304c3246132d80e024b979c075b5fd39317c74 |
| SHA512 | 3ef257aca2c0575c09e3083fd1fe0004b43e4ab5d47c78b64581e699299ced0b2aa08b49607dfc3361851bc11fbc6338656df47bfe3ac8e23ca33c303a714f9a |
C:\Users\Admin\AppData\Local\Temp\eR1I1nIPHH07.bat
| MD5 | 5c194ac55b90c7e5c220874c32c5787f |
| SHA1 | aa4c2286a1ade97fadf203d56420183b0f81b8dd |
| SHA256 | 49cfdd1719dfe0cc5092ac107f23adb7ffca416cb9945d04d5ed7bfd7e0c8b99 |
| SHA512 | 95ec0a250bf352fec3e4e3fe2d5f161627f00b3d994d7a4751368bba256f08c98eead0215fbaa832416f7118178c108f5f48daa023ac6a08eb4889f5d1207630 |
C:\Users\Admin\AppData\Local\Temp\QSvNRaTrjbHO.bat
| MD5 | 3e83cdc332f9e55ef971d531120499a1 |
| SHA1 | ff6c83b06348164c48f92d5513158fda986e5c3e |
| SHA256 | adf9e11b3501964138ea5f6b3f36433924dcb61cce5d6b9eb3ebc161e3e5b247 |
| SHA512 | 5c8b8e6995746547ce5526c9b1fc37a957df0684296e311a2914c446ce1820a635eeaa45808c94c1c848f466d481e3c5ce2ec010ebdfe9995f0e9ed6b23a0de4 |
C:\Users\Admin\AppData\Local\Temp\xQ5cykvDGbg8.bat
| MD5 | e371a50512daab36760f1994e4a843e5 |
| SHA1 | 1069f9dd79f0502de3a4789489ce467d62ce3f4e |
| SHA256 | 0b5f04100ea968b79f327a886b6d59fb3834c1758d712067dc5e9c6499a1417b |
| SHA512 | 5e112edfb383cbee17c302995cbc14496748b9e628e2514b60c919c2cdb551ae65de3f4a3882eeeafaace9c8b09079760c86a2537e9a66c2e81ab9d10137f3cf |
C:\Users\Admin\AppData\Local\Temp\dv19qaJGWANb.bat
| MD5 | f28157b05bc2089d4ef3e68ef1cb4dce |
| SHA1 | cbbc58da44f592001cdc72bbec0c86d7f6e961c1 |
| SHA256 | 83c7420265cb80ffba5f32d85c862d499d2fba982b2b2a17c49e75a456989323 |
| SHA512 | d44351d9c514ddc0c82588f38991b0989d4a2a4e553161b40a4dd2020448d101605f45aacb04bb89415fccf41eba8c006c305a4e0a3f74d9b358f46ccade52c9 |
C:\Users\Admin\AppData\Roaming\Logs\06-27-2024
| MD5 | 1e74f3e2a666c98f91ac38c8b732f97e |
| SHA1 | 81c1e1854a9e09e319acd695aa4dd0157c029d5a |
| SHA256 | 3ca82d2e8c2fce2571aba8d935cb1e09f968f8e46c8eeadd428f46f9c0f0fcd1 |
| SHA512 | 110b1420ebfa42816695ceaa32d2751558be937dafc1be03747f5765b3c432d98294bd34cfc5e285146ffc6f3228e10a365e3af249581662c8b7389f245717d9 |
C:\Users\Admin\AppData\Local\Temp\JQxgiRiKmi44.bat
| MD5 | 6c70e6fda494ebaaaf15d60a9f2dfb21 |
| SHA1 | d4ee40e859abcfbe1d66fc711be4a13be9c75f1f |
| SHA256 | fbb5860fce7260df908874ea57777418a6557a622bb02a36775467e25b4f5ac2 |
| SHA512 | 80349fe1c14dadc0e0197072f8f98f9284a31cd928c29d8db8888b8586b32900ecfcfaff30bab8b000d5121862643d4d7437767cced04947f6a281f35f1fc1dd |
C:\Users\Admin\AppData\Local\Temp\KYK7v4vdaIsR.bat
| MD5 | 733eae6db4af4aa0d9b65730f1dfaed0 |
| SHA1 | c3fe25a621ffaf5a7724b3f5c11f3b1a468997ef |
| SHA256 | 03ccb66272c1d1e3bd634f8012541b9b0ed6b992b6e42ef2b77fc3b6aaf971b8 |
| SHA512 | 605b95c207cfa757d9a596c2e292d3c42e241be6c6133d2af84d903c475fae85d84cfa8276f962e39b9f18e663316e4d400c0d78e85f31e02f623265bcb328c6 |
C:\Users\Admin\AppData\Roaming\Logs\06-27-2024
| MD5 | 1fb2b72d7ed0dff58d26f4c59281c611 |
| SHA1 | 61acc118b16c1458cbd3193e39cd7cd080b56ea1 |
| SHA256 | 42471dba37b34bdcad79cec3b77217a95f33e10d0cbea627b613ffcce9fad40d |
| SHA512 | bd68efa72023828fee441a53e09fedfae01c049bc6a55343532f2706650004f6dd17b74d2216ddd7ad9c40aeb17e0284aee562e0fd5f46e7d6975815efd8e3a3 |
C:\Users\Admin\AppData\Local\Temp\RGPbZqG72WwD.bat
| MD5 | 4e8e258feee004e2452a862274c46877 |
| SHA1 | 5fd1830be73668fe061f6a5f40c8ff4ef8f13cf7 |
| SHA256 | 5fe797a37d20acbcf6ce75371b0032a0b1daeaeda29090eed8e94def5ca7eb89 |
| SHA512 | e2d713d6c63dfed3605411611196dc5cf74e306fc1bf310357781cced0a7bd3e9b1e7d96f0fb54ba16af98f7da5332d74c7c37659f283bc5003bd28021cad7fe |
C:\Users\Admin\AppData\Local\Temp\WxgNQsRHxwJ5.bat
| MD5 | 26c01633e6b6cecc93380fcfdf9da8e8 |
| SHA1 | 71166af10ea8d0b317cade8aaa3098acb9dcdcab |
| SHA256 | 4b9009ee35817e940dfee6a3f022b581d9fb2d43c0392aae62915849f659905f |
| SHA512 | 2773b25aae864158e34a44a87feaf5a88592458f7b8b2275679e4c3ca86bc5a00c85cf176e3404128aa1840571b628d834104e89bcc62edddaa582f8e7d59fcd |
C:\Users\Admin\AppData\Local\Temp\gEfCj2jbV2vK.bat
| MD5 | ff43018e1549481d8a50a7c9d338c005 |
| SHA1 | b310161c7e0c74bcb5b617434a18e9b6472cad73 |
| SHA256 | c50952f51a718aedd5932b16c54901f93593e9e375d4d167ef169c9324f3adab |
| SHA512 | 3bf2467bd632f6bf5f0e93c9c260a10210e36f806643db1493470d0cb7f02d06c88968f11a43450c9689fe283d29abf09f94c0bdeb5745612e00baeda4daacc8 |
C:\Users\Admin\AppData\Roaming\Logs\06-27-2024
| MD5 | 6bb586dee0262ca4bceba7498a34700f |
| SHA1 | 675682d0259a4441d8d9ee8435db8dbfafa1ef31 |
| SHA256 | 8de3d108d1e99cf0147fbd3095a6761fce82c4da8315c85791fbf32a520ae77e |
| SHA512 | 0ace6d9bac51408da3a5f32526a0a8dd3d4e14b4aba4e57b230832a90ed5753aa8baf1fc5fa433dbf231f149bf1b0eeaffed9235eccdd34f2f412a8ec751d312 |
C:\Users\Admin\AppData\Local\Temp\uSiFwlpTA2Zu.bat
| MD5 | 9fee9804c01fe88ad52bbd401441d8d0 |
| SHA1 | cd6b6fae638255c003c405bff5a7bfba00933349 |
| SHA256 | eafbbfe7cde77651bea3e22c93529a6897c97ccbeb317247abbc42c187215ee1 |
| SHA512 | c65c19d5b4d471c651179b629c4455e1dabc1f8330550ffd8c9154b8d6d8b9b84ca45b0847b16131d9c2ac8fcbf7ccdbb5f29391e1189482cd691fb81e2a1556 |
C:\Users\Admin\AppData\Local\Temp\1AnkaXAxbGdg.bat
| MD5 | b1c216147c028f355c8f54da8a240439 |
| SHA1 | 8c4fbb896d09b5d677994173e0a8c9bfaca0a6bb |
| SHA256 | f69e6f46e412a66bfc249a1be3e9c97397fb5ab3b101a45124738fdb4870b328 |
| SHA512 | cee566e48820dcbd09e1e6582a19c44d7c29dc4b60d62e29e132dcdcd4e3497fb9e8a2ea3edf7aa1490bf448b97b969b8fd17d5975e97950377815ebb3647dfd |
C:\Users\Admin\AppData\Local\Temp\GSZJfScaf9xq.bat
| MD5 | 269615fc77292bd2771bb3ced741d92c |
| SHA1 | a9bb30649da8e3c929e9a742812ef1e10a1663b1 |
| SHA256 | ce0f1ee3a90251faadf4a9148b1b3a6735ccdabda0e54a98f7e311cc48887576 |
| SHA512 | 80065040cfedf8d9da398be0a5f3bfce9ee6f1fe667b9cdbb1ba461177887dee4adfd38f94f0d14824e04ae47f157820f37fb83bc44126675653cef4285c306e |
C:\Users\Admin\AppData\Local\Temp\41NikejsFLmb.bat
| MD5 | 3f7aaeb27319ede2e954381c0dbb35d2 |
| SHA1 | 7875aabc096bb3eec685b5990aea82a676a958eb |
| SHA256 | 7d90e954df8129ca568830dd8c358cb4b49e7c74c42aecd5151ca2c393dd9eb1 |
| SHA512 | 479023f3a14efecfadb039a0a72c31440686319af26f367c4ce24e83bce9b654b213f667f30723334a0f8748ac10266d895d99e789e5627dc81cb3b0f8910079 |
C:\Users\Admin\AppData\Local\Temp\FlGxBAEgCNXH.bat
| MD5 | 1e88989430cd42f44a05d545b8917ecd |
| SHA1 | 7cc0826df1a4ef1047f54cfdaa6baf74792a8e89 |
| SHA256 | 83bf3ab9b886c2df4cd47859e6d396a33ffa54e676219f4fd389000b67a1a8a2 |
| SHA512 | 6ac428c7d1d1cfb67fb5d3b09ca9464d6790894ea784b23d74847c792b02bf847e96a4ab5987aadcc493c6d20b643c4e902e64805f20eabca7b1c6ec589f120c |
C:\Users\Admin\AppData\Roaming\Logs\06-27-2024
| MD5 | 4a65391798a6f18d2c1745bc0dd22eef |
| SHA1 | 7f0e3a4b1bd5e3de5dbafdec03e5304d02a6bd94 |
| SHA256 | e23a4a129432c57e7cf1b2aaa3421f6b36afd881fbbb028b0d0994a1eb68466e |
| SHA512 | 9c2caeb923ea953510d6c7aa072d28c9516d808e215167625148d15c35733b98afac03f40d2515556076d226b258d00ca7ab199850f159af786243a671489711 |
C:\Users\Admin\AppData\Local\Temp\PxVGb8BEKZUx.bat
| MD5 | f43e3d3eebb0947dfa907ead3225fc33 |
| SHA1 | bb18800c36416199833fccf964230ce0e0afe9fe |
| SHA256 | 87cb8f92cf84be97daf1bebdc228e12f33e9d7986c52fe40ab7665a964ff44e5 |
| SHA512 | 7c0d2198e291321908bac824a026dea936a065f211a106e0ee99b80b38f34e4d378f702658908f512ca6738aca17e9a2ac5a03523af23b675b12b832ff083d00 |
C:\Users\Admin\AppData\Local\Temp\tMlBTtgjkhLD.bat
| MD5 | b890c077e5b4301b10744ba33af502cb |
| SHA1 | 3f84d4192d444dd6418404c4cfadec34e1c1a2f7 |
| SHA256 | e5a4b4f24a89aba99bb54098f15403a3c75de3b2b0b3e7c45332913bb5c8a587 |
| SHA512 | 687b3cb3ada0fed3a8d75340023759a5366e58fb4700fdf46090c9e13c86ef9fa3b02deb77ed7a839c2c354bc92b4e5a28b25422b325258c4e5958e418996138 |
C:\Users\Admin\AppData\Local\Temp\DAWI7lul1NFB.bat
| MD5 | 435e0f377967d11e89e9049cd0666730 |
| SHA1 | 7420dc9f7a75ce1861ea5bd6c90034ecc7b1a4cd |
| SHA256 | 9e51a9180e0f13e9cfa4b71eb44bebca7dded45350ae3805a101576ee4bac6bd |
| SHA512 | 473f226f24b5318678e45dbb923219ad7961a14bd6759e13721554a00e86ad042aa61b7e49d08061be7c33914d269f096fd53208bbb54cc13c21df705890b451 |
C:\Users\Admin\AppData\Roaming\Logs\06-27-2024
| MD5 | d2e2d87de1d932a18fe8c33b41a75ae1 |
| SHA1 | 881ae4122e642ff2933401126b5f65b68374e198 |
| SHA256 | af1291deed57ee0d9e7d05366e3aae8d9fb863f08c99137a2afdf13beaf933d6 |
| SHA512 | 6c87fd45232631c4dcbf8611540925de00c228acef560cb783a67ec85c8a18a29d9b41e451c03dfa01e382cd74af110575d9a0177b7d64f7ffffd33f411a4777 |
C:\Users\Admin\AppData\Local\Temp\dYyTCmFxvhPX.bat
| MD5 | 5934bc1608e0b13e070660233ba965aa |
| SHA1 | 03feb71ecb4ee35e3832dc9f48c92ba8c7ae5015 |
| SHA256 | a7f404466f462699a0578a653feec7482aa6b54e720e14cb00a59e99055a4c63 |
| SHA512 | 68cda232eb3953bca33a947945dd97c709a615c74acfddb3ae3d35890c43b9386035a8e8d7a5167fa36d778a7989522ac21dd8e78fd42f51d70498e9d788d259 |
C:\Users\Admin\AppData\Local\Temp\lo8ZiCNxyyKt.bat
| MD5 | affe84edb93c0a346235d96e160b5b6b |
| SHA1 | 3c831f2a04505b1a966969c261d6fa5f55fb8b3b |
| SHA256 | 9f3f6795d1f86299f536a8a69b3311871b4ce066b2aa327c1d79785db6854bca |
| SHA512 | c33af6a2d450d8d9cb66cfb2037bb0b9c074fc46f41f2e784a00958db13a55bbb8d9d5d64501106dd92e550b54307de30a4b1a78245cf57a38470695be6efe4a |
C:\Users\Admin\AppData\Local\Temp\BCakoDi9sIUF.bat
| MD5 | 6b987d3827913e7e98667565e7b0c8a7 |
| SHA1 | 34bbfaf7b99b53aabcc27f32927f0c1992b6ed8d |
| SHA256 | c552e12ae91a1a567abc5669eed4a9f4ae9bf85700acdc5006f9cd4516ea7fe0 |
| SHA512 | b0fff192d9d0f1ee4d9bd295957a893385fac6c1f91e0cb51d5225d60f8f11a3fcbb26ca64c905d53a76295c8621e75cffb1b455e150b77fbbf95c1a21e5d926 |
C:\Users\Admin\AppData\Local\Temp\V0LrS5wB9xNE.bat
| MD5 | 3be7156ec15e4e16861ac138586768e6 |
| SHA1 | 304e20c2fc28a306a010d94822a55196295ca456 |
| SHA256 | 95b9ba920efe07c595ecb25527243a4c5a9b766d7c03e6b6e8546fb801e57a86 |
| SHA512 | 8fd0f926762c2d87aafc365b4e3a16168d4e72b660448e985620b0a9020c2210e6e5a6aa3795fc081295f5704cb9ab4ddb1873927a94fce83b6b474eb6edd357 |