Analysis
-
max time kernel
136s -
max time network
145s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system -
submitted
25-05-2023 10:53
Static task
static1
Behavioral task
behavioral1
Sample
007273899.exe
Resource
win7-20230220-en
General
-
Target
007273899.exe
-
Size
391KB
-
MD5
964a8c4317b2449ce3b1ba42806e00ff
-
SHA1
1bc9d7cc8dff6a6d3e9c46ff1c9966521e012b38
-
SHA256
12acc28c683190195fccfea230f47491c084d01f5d5fa975ba82135e1d0c8fa7
-
SHA512
73ab80afdee2a9d753d7a30bc8da25f28310451fdc7f4f510a7d32b9d999825205604f04e665290e17cd146892635750a16e3f6f7ae45cd509de3a0996569c45
-
SSDEEP
12288:NozV+S8l6vJGRaIUyVVtERhJhY0YO60nz:Na+S3MMDJXeQz
Malware Config
Extracted
blacknet
v3.6.0 Public
HacKed
http://bankslip.info/dadsroots/
BN[ZrDroiBx-5245469]
-
antivm
false
-
elevate_uac
false
-
install_name
WindowsUpdate.exe
-
splitter
|BN|
-
start_name
a5b002eacf54590ec8401ff6d3f920ee
-
startup
false
-
usb_spread
false
Signatures
-
BlackNET payload 1 IoCs
Processes:
resource yara_rule behavioral2/memory/1032-137-0x0000000000400000-0x000000000041C000-memory.dmp family_blacknet -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
007273899.exedescription ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Control Panel\International\Geo\Nation 007273899.exe -
Executes dropped EXE 64 IoCs
Processes:
cmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exepid Process 3016 cmd.exe 1692 cmd.exe 2920 cmd.exe 4456 cmd.exe 3256 cmd.exe 3572 cmd.exe 208 cmd.exe 680 cmd.exe 2192 cmd.exe 1864 cmd.exe 4368 cmd.exe 1748 cmd.exe 3624 cmd.exe 3228 cmd.exe 1664 cmd.exe 1620 cmd.exe 3004 cmd.exe 2872 cmd.exe 3968 cmd.exe 3696 cmd.exe 4512 cmd.exe 4480 cmd.exe 3372 cmd.exe 2876 cmd.exe 4580 cmd.exe 2316 cmd.exe 4724 cmd.exe 2924 cmd.exe 1292 cmd.exe 3584 cmd.exe 3916 cmd.exe 3548 cmd.exe 4388 cmd.exe 4180 cmd.exe 2852 cmd.exe 1300 cmd.exe 3576 cmd.exe 2500 cmd.exe 1996 cmd.exe 4780 cmd.exe 4040 cmd.exe 2424 cmd.exe 1420 cmd.exe 3212 cmd.exe 1756 cmd.exe 3596 cmd.exe 5128 cmd.exe 5180 cmd.exe 5200 cmd.exe 5244 cmd.exe 5268 cmd.exe 5348 cmd.exe 5376 cmd.exe 5396 cmd.exe 5440 cmd.exe 5516 cmd.exe 5536 cmd.exe 5592 cmd.exe 5600 cmd.exe 5680 cmd.exe 5696 cmd.exe 5728 cmd.exe 5764 cmd.exe 5784 cmd.exe -
Suspicious use of SetThreadContext 64 IoCs
Processes:
007273899.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exedescription pid Process procid_target PID 4204 set thread context of 1032 4204 007273899.exe 83 PID 3016 set thread context of 2920 3016 cmd.exe 86 PID 1692 set thread context of 3256 1692 cmd.exe 88 PID 4456 set thread context of 208 4456 cmd.exe 90 PID 3572 set thread context of 2192 3572 cmd.exe 92 PID 680 set thread context of 4368 680 cmd.exe 94 PID 1864 set thread context of 3624 1864 cmd.exe 96 PID 1748 set thread context of 1664 1748 cmd.exe 98 PID 3228 set thread context of 3004 3228 cmd.exe 100 PID 1620 set thread context of 3968 1620 cmd.exe 107 PID 2872 set thread context of 4512 2872 cmd.exe 109 PID 3696 set thread context of 3372 3696 cmd.exe 113 PID 4480 set thread context of 4580 4480 cmd.exe 115 PID 2876 set thread context of 4724 2876 cmd.exe 117 PID 2316 set thread context of 1292 2316 cmd.exe 119 PID 2924 set thread context of 3916 2924 cmd.exe 121 PID 3584 set thread context of 4388 3584 cmd.exe 123 PID 3548 set thread context of 2852 3548 cmd.exe 125 PID 4180 set thread context of 3576 4180 cmd.exe 127 PID 1300 set thread context of 1996 1300 cmd.exe 129 PID 2500 set thread context of 4040 2500 cmd.exe 131 PID 4780 set thread context of 1420 4780 cmd.exe 133 PID 2424 set thread context of 1756 2424 cmd.exe 135 PID 3212 set thread context of 5180 3212 cmd.exe 138 PID 3596 set thread context of 5244 3596 cmd.exe 140 PID 5128 set thread context of 5376 5128 cmd.exe 143 PID 5200 set thread context of 5516 5200 cmd.exe 146 PID 5268 set thread context of 5592 5268 cmd.exe 148 PID 5348 set thread context of 5696 5348 cmd.exe 151 PID 5396 set thread context of 5764 5396 cmd.exe 153 PID 5440 set thread context of 5860 5440 cmd.exe 156 PID 5536 set thread context of 5984 5536 cmd.exe 158 PID 5600 set thread context of 6052 5600 cmd.exe 160 PID 5680 set thread context of 6136 5680 cmd.exe 162 PID 5728 set thread context of 3152 5728 cmd.exe 165 PID 5784 set thread context of 5388 5784 cmd.exe 168 PID 5792 set thread context of 5448 5792 cmd.exe 169 PID 5888 set thread context of 4784 5888 cmd.exe 172 PID 6000 set thread context of 6124 6000 cmd.exe 174 PID 6064 set thread context of 4168 6064 cmd.exe 176 PID 4904 set thread context of 4500 4904 cmd.exe 178 PID 5052 set thread context of 4464 5052 cmd.exe 179 PID 5320 set thread context of 6200 5320 cmd.exe 183 PID 3928 set thread context of 6340 3928 cmd.exe 187 PID 3324 set thread context of 6348 3324 cmd.exe 186 PID 3688 set thread context of 6388 3688 cmd.exe 189 PID 3920 set thread context of 6528 3920 cmd.exe 192 PID 4372 set thread context of 6692 4372 cmd.exe 194 PID 5800 set thread context of 6744 5800 cmd.exe 196 PID 3748 set thread context of 6852 3748 cmd.exe 199 PID 4860 set thread context of 6912 4860 cmd.exe 201 PID 6164 set thread context of 6928 6164 cmd.exe 203 PID 6260 set thread context of 6940 6260 cmd.exe 202 PID 6304 set thread context of 7024 6304 cmd.exe 205 PID 6380 set thread context of 7160 6380 cmd.exe 208 PID 6404 set thread context of 6356 6404 cmd.exe 210 PID 6468 set thread context of 6632 6468 cmd.exe 212 PID 6584 set thread context of 7240 6584 cmd.exe 216 PID 6708 set thread context of 7392 6708 cmd.exe 218 PID 6756 set thread context of 7440 6756 cmd.exe 220 PID 6828 set thread context of 7568 6828 cmd.exe 223 PID 6868 set thread context of 7624 6868 cmd.exe 225 PID 6988 set thread context of 7752 6988 cmd.exe 229 PID 6968 set thread context of 7744 6968 cmd.exe 228 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 24 IoCs
Processes:
WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exepid pid_target Process procid_target 11388 10820 WerFault.exe 326 11396 12040 WerFault.exe 363 4212 10756 WerFault.exe 324 11556 10920 WerFault.exe 330 11664 10956 WerFault.exe 332 12112 9684 WerFault.exe 396 4984 10608 WerFault.exe 403 4828 10596 WerFault.exe 414 11568 11616 WerFault.exe 418 10428 11916 WerFault.exe 359 4808 12032 WerFault.exe 387 12528 12340 WerFault.exe 491 12556 12660 WerFault.exe 465 12592 12684 WerFault.exe 466 12636 12764 WerFault.exe 467 13032 5264 WerFault.exe 504 13284 11668 WerFault.exe 513 7540 12328 WerFault.exe 519 12320 12380 WerFault.exe 487 9932 5632 WerFault.exe 532 12244 5236 WerFault.exe 533 13184 5640 WerFault.exe 569 9304 1452 WerFault.exe 576 12964 2136 WerFault.exe 564 -
Suspicious behavior: EnumeratesProcesses 23 IoCs
Processes:
007273899.exepid Process 1032 007273899.exe 1032 007273899.exe 1032 007273899.exe 1032 007273899.exe 1032 007273899.exe 1032 007273899.exe 1032 007273899.exe 1032 007273899.exe 1032 007273899.exe 1032 007273899.exe 1032 007273899.exe 1032 007273899.exe 1032 007273899.exe 1032 007273899.exe 1032 007273899.exe 1032 007273899.exe 1032 007273899.exe 1032 007273899.exe 1032 007273899.exe 1032 007273899.exe 1032 007273899.exe 1032 007273899.exe 1032 007273899.exe -
Suspicious behavior: SetClipboardViewer 64 IoCs
Processes:
cmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exepid Process 2920 cmd.exe 208 cmd.exe 2192 cmd.exe 4368 cmd.exe 3624 cmd.exe 1664 cmd.exe 3004 cmd.exe 3968 cmd.exe 4512 cmd.exe 3372 cmd.exe 4580 cmd.exe 4724 cmd.exe 1292 cmd.exe 4388 cmd.exe 3916 cmd.exe 2852 cmd.exe 3576 cmd.exe 1996 cmd.exe 4040 cmd.exe 1420 cmd.exe 1756 cmd.exe 5180 cmd.exe 5244 cmd.exe 5376 cmd.exe 5516 cmd.exe 5592 cmd.exe 5696 cmd.exe 5764 cmd.exe 5860 cmd.exe 5984 cmd.exe 6052 cmd.exe 6136 cmd.exe 3152 cmd.exe 5448 cmd.exe 5388 cmd.exe 4784 cmd.exe 6124 cmd.exe 4168 cmd.exe 4464 cmd.exe 4500 cmd.exe 6200 cmd.exe 6388 cmd.exe 6348 cmd.exe 6340 cmd.exe 6528 cmd.exe 6692 cmd.exe 6744 cmd.exe 6852 cmd.exe 6928 cmd.exe 7024 cmd.exe 6940 cmd.exe 6912 cmd.exe 6632 cmd.exe 6356 cmd.exe 7160 cmd.exe 7240 cmd.exe 7392 cmd.exe 7440 cmd.exe 7568 cmd.exe 7624 cmd.exe 7752 cmd.exe 7744 cmd.exe 7832 cmd.exe 7852 cmd.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
007273899.exedescription pid Process Token: SeDebugPrivilege 1032 007273899.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
007273899.exepid Process 1032 007273899.exe 1032 007273899.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
007273899.execmd.execmd.execmd.execmd.execmd.exedescription pid Process procid_target PID 4204 wrote to memory of 1032 4204 007273899.exe 83 PID 4204 wrote to memory of 1032 4204 007273899.exe 83 PID 4204 wrote to memory of 1032 4204 007273899.exe 83 PID 4204 wrote to memory of 1032 4204 007273899.exe 83 PID 4204 wrote to memory of 1032 4204 007273899.exe 83 PID 4204 wrote to memory of 1032 4204 007273899.exe 83 PID 4204 wrote to memory of 1032 4204 007273899.exe 83 PID 4204 wrote to memory of 1032 4204 007273899.exe 83 PID 4204 wrote to memory of 3016 4204 007273899.exe 84 PID 4204 wrote to memory of 3016 4204 007273899.exe 84 PID 4204 wrote to memory of 3016 4204 007273899.exe 84 PID 4204 wrote to memory of 1692 4204 007273899.exe 85 PID 4204 wrote to memory of 1692 4204 007273899.exe 85 PID 4204 wrote to memory of 1692 4204 007273899.exe 85 PID 3016 wrote to memory of 2920 3016 cmd.exe 86 PID 3016 wrote to memory of 2920 3016 cmd.exe 86 PID 3016 wrote to memory of 2920 3016 cmd.exe 86 PID 3016 wrote to memory of 2920 3016 cmd.exe 86 PID 3016 wrote to memory of 2920 3016 cmd.exe 86 PID 3016 wrote to memory of 2920 3016 cmd.exe 86 PID 3016 wrote to memory of 2920 3016 cmd.exe 86 PID 3016 wrote to memory of 2920 3016 cmd.exe 86 PID 3016 wrote to memory of 4456 3016 cmd.exe 87 PID 3016 wrote to memory of 4456 3016 cmd.exe 87 PID 3016 wrote to memory of 4456 3016 cmd.exe 87 PID 1692 wrote to memory of 3256 1692 cmd.exe 88 PID 1692 wrote to memory of 3256 1692 cmd.exe 88 PID 1692 wrote to memory of 3256 1692 cmd.exe 88 PID 1692 wrote to memory of 3256 1692 cmd.exe 88 PID 1692 wrote to memory of 3256 1692 cmd.exe 88 PID 1692 wrote to memory of 3256 1692 cmd.exe 88 PID 1692 wrote to memory of 3256 1692 cmd.exe 88 PID 1692 wrote to memory of 3256 1692 cmd.exe 88 PID 1692 wrote to memory of 3572 1692 cmd.exe 89 PID 1692 wrote to memory of 3572 1692 cmd.exe 89 PID 1692 wrote to memory of 3572 1692 cmd.exe 89 PID 4456 wrote to memory of 208 4456 cmd.exe 90 PID 4456 wrote to memory of 208 4456 cmd.exe 90 PID 4456 wrote to memory of 208 4456 cmd.exe 90 PID 4456 wrote to memory of 208 4456 cmd.exe 90 PID 4456 wrote to memory of 208 4456 cmd.exe 90 PID 4456 wrote to memory of 208 4456 cmd.exe 90 PID 4456 wrote to memory of 208 4456 cmd.exe 90 PID 4456 wrote to memory of 208 4456 cmd.exe 90 PID 4456 wrote to memory of 680 4456 cmd.exe 91 PID 4456 wrote to memory of 680 4456 cmd.exe 91 PID 4456 wrote to memory of 680 4456 cmd.exe 91 PID 3572 wrote to memory of 2192 3572 cmd.exe 92 PID 3572 wrote to memory of 2192 3572 cmd.exe 92 PID 3572 wrote to memory of 2192 3572 cmd.exe 92 PID 3572 wrote to memory of 2192 3572 cmd.exe 92 PID 3572 wrote to memory of 2192 3572 cmd.exe 92 PID 3572 wrote to memory of 2192 3572 cmd.exe 92 PID 3572 wrote to memory of 2192 3572 cmd.exe 92 PID 3572 wrote to memory of 2192 3572 cmd.exe 92 PID 3572 wrote to memory of 1864 3572 cmd.exe 93 PID 3572 wrote to memory of 1864 3572 cmd.exe 93 PID 3572 wrote to memory of 1864 3572 cmd.exe 93 PID 680 wrote to memory of 4368 680 cmd.exe 94 PID 680 wrote to memory of 4368 680 cmd.exe 94 PID 680 wrote to memory of 4368 680 cmd.exe 94 PID 680 wrote to memory of 4368 680 cmd.exe 94 PID 680 wrote to memory of 4368 680 cmd.exe 94 PID 680 wrote to memory of 4368 680 cmd.exe 94
Processes
-
C:\Users\Admin\AppData\Local\Temp\007273899.exe"C:\Users\Admin\AppData\Local\Temp\007273899.exe"1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4204 -
C:\Users\Admin\AppData\Local\Temp\007273899.exe"C:\Users\Admin\AppData\Local\Temp\007273899.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1032
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"C:\Users\Admin\AppData\Local\Temp\cmd.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3016 -
C:\Users\Admin\AppData\Local\Temp\cmd.exe"C:\Users\Admin\AppData\Local\Temp\cmd.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: SetClipboardViewer
PID:2920
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4456 -
C:\Users\Admin\AppData\Local\Temp\cmd.exe"C:\Users\Admin\AppData\Local\Temp\cmd.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: SetClipboardViewer
PID:208
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:680 -
C:\Users\Admin\AppData\Local\Temp\cmd.exe"C:\Users\Admin\AppData\Local\Temp\cmd.exe"5⤵
- Executes dropped EXE
- Suspicious behavior: SetClipboardViewer
PID:4368
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1748 -
C:\Users\Admin\AppData\Local\Temp\cmd.exe"C:\Users\Admin\AppData\Local\Temp\cmd.exe"6⤵
- Executes dropped EXE
- Suspicious behavior: SetClipboardViewer
PID:1664
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1620 -
C:\Users\Admin\AppData\Local\Temp\cmd.exe"C:\Users\Admin\AppData\Local\Temp\cmd.exe"7⤵
- Executes dropped EXE
- Suspicious behavior: SetClipboardViewer
PID:3968
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3696 -
C:\Users\Admin\AppData\Local\Temp\cmd.exe"C:\Users\Admin\AppData\Local\Temp\cmd.exe"8⤵
- Executes dropped EXE
- Suspicious behavior: SetClipboardViewer
PID:3372
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"8⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2876 -
C:\Users\Admin\AppData\Local\Temp\cmd.exe"C:\Users\Admin\AppData\Local\Temp\cmd.exe"9⤵
- Executes dropped EXE
- Suspicious behavior: SetClipboardViewer
PID:4724
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"9⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2924 -
C:\Users\Admin\AppData\Local\Temp\cmd.exe"C:\Users\Admin\AppData\Local\Temp\cmd.exe"10⤵
- Executes dropped EXE
- Suspicious behavior: SetClipboardViewer
PID:3916
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"10⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3548 -
C:\Users\Admin\AppData\Local\Temp\cmd.exe"C:\Users\Admin\AppData\Local\Temp\cmd.exe"11⤵
- Executes dropped EXE
- Suspicious behavior: SetClipboardViewer
PID:2852
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"11⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1300 -
C:\Users\Admin\AppData\Local\Temp\cmd.exe"C:\Users\Admin\AppData\Local\Temp\cmd.exe"12⤵
- Executes dropped EXE
- Suspicious behavior: SetClipboardViewer
PID:1996
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"12⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4780 -
C:\Users\Admin\AppData\Local\Temp\cmd.exe"C:\Users\Admin\AppData\Local\Temp\cmd.exe"13⤵
- Executes dropped EXE
- Suspicious behavior: SetClipboardViewer
PID:1420
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"13⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3212 -
C:\Users\Admin\AppData\Local\Temp\cmd.exe"C:\Users\Admin\AppData\Local\Temp\cmd.exe"14⤵
- Executes dropped EXE
- Suspicious behavior: SetClipboardViewer
PID:5180
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"14⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5200 -
C:\Users\Admin\AppData\Local\Temp\cmd.exe"C:\Users\Admin\AppData\Local\Temp\cmd.exe"15⤵
- Executes dropped EXE
- Suspicious behavior: SetClipboardViewer
PID:5516
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"15⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5536 -
C:\Users\Admin\AppData\Local\Temp\cmd.exe"C:\Users\Admin\AppData\Local\Temp\cmd.exe"16⤵
- Suspicious behavior: SetClipboardViewer
PID:5984
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"16⤵
- Suspicious use of SetThreadContext
PID:6000 -
C:\Users\Admin\AppData\Local\Temp\cmd.exe"C:\Users\Admin\AppData\Local\Temp\cmd.exe"17⤵
- Suspicious behavior: SetClipboardViewer
PID:6124
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"17⤵
- Suspicious use of SetThreadContext
PID:4372 -
C:\Users\Admin\AppData\Local\Temp\cmd.exe"C:\Users\Admin\AppData\Local\Temp\cmd.exe"18⤵
- Suspicious behavior: SetClipboardViewer
PID:6692
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"18⤵
- Suspicious use of SetThreadContext
PID:6708 -
C:\Users\Admin\AppData\Local\Temp\cmd.exe"C:\Users\Admin\AppData\Local\Temp\cmd.exe"19⤵
- Suspicious behavior: SetClipboardViewer
PID:7392
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"19⤵PID:7408
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"C:\Users\Admin\AppData\Local\Temp\cmd.exe"20⤵PID:4936
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"20⤵PID:8132
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"C:\Users\Admin\AppData\Local\Temp\cmd.exe"21⤵PID:8696
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"21⤵PID:9100
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"C:\Users\Admin\AppData\Local\Temp\cmd.exe"22⤵PID:10348
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"22⤵PID:10364
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"C:\Users\Admin\AppData\Local\Temp\cmd.exe"23⤵PID:11676
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"23⤵PID:11692
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"C:\Users\Admin\AppData\Local\Temp\cmd.exe"24⤵PID:10500
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"24⤵PID:10596
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 10596 -s 88025⤵
- Program crash
PID:4828
-
-
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f17⤵PID:13160
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f15⤵PID:12800
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"C:\Users\Admin\AppData\Local\Temp\cmd.exe"16⤵PID:5236
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5236 -s 86817⤵
- Program crash
PID:12244
-
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"16⤵PID:12116
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f13⤵PID:11584
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\cmd.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"13⤵PID:11380
-
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f12⤵PID:11916
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 11916 -s 81613⤵
- Program crash
PID:10428
-
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\cmd.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"12⤵PID:4272
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"C:\Users\Admin\AppData\Local\Temp\cmd.exe"13⤵PID:13048
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"13⤵PID:13064
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"C:\Users\Admin\AppData\Local\Temp\cmd.exe"14⤵PID:7372
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"14⤵PID:5264
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5264 -s 84015⤵
- Program crash
PID:13032
-
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f14⤵PID:3752
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f11⤵PID:10664
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"C:\Users\Admin\AppData\Local\Temp\cmd.exe"12⤵PID:11932
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"12⤵PID:11992
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f10⤵PID:9460
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"C:\Users\Admin\AppData\Local\Temp\cmd.exe"11⤵PID:10712
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"11⤵PID:10796
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f9⤵PID:8400
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"C:\Users\Admin\AppData\Local\Temp\cmd.exe"10⤵PID:9392
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"10⤵PID:9452
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"C:\Users\Admin\AppData\Local\Temp\cmd.exe"11⤵PID:10892
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"11⤵PID:10956
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 10956 -s 88412⤵
- Program crash
PID:11664
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f8⤵PID:7560
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"C:\Users\Admin\AppData\Local\Temp\cmd.exe"9⤵PID:8316
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"9⤵PID:8324
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"C:\Users\Admin\AppData\Local\Temp\cmd.exe"10⤵PID:9352
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"10⤵PID:9380
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"C:\Users\Admin\AppData\Local\Temp\cmd.exe"11⤵PID:10600
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"11⤵PID:10616
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"C:\Users\Admin\AppData\Local\Temp\cmd.exe"12⤵PID:11908
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"12⤵PID:11964
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f12⤵PID:11508
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\cmd.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"12⤵PID:7220
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"C:\Users\Admin\AppData\Local\Temp\cmd.exe"13⤵PID:12932
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"13⤵PID:12948
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f7⤵
- Suspicious use of SetThreadContext
PID:6828 -
C:\Users\Admin\AppData\Local\Temp\cmd.exe"C:\Users\Admin\AppData\Local\Temp\cmd.exe"8⤵
- Suspicious behavior: SetClipboardViewer
PID:7568
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"8⤵PID:7584
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"C:\Users\Admin\AppData\Local\Temp\cmd.exe"9⤵PID:8336
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"9⤵PID:8380
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"C:\Users\Admin\AppData\Local\Temp\cmd.exe"10⤵PID:9368
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"10⤵PID:9432
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"C:\Users\Admin\AppData\Local\Temp\cmd.exe"11⤵PID:10648
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"11⤵PID:10676
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"C:\Users\Admin\AppData\Local\Temp\cmd.exe"12⤵PID:12024
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"12⤵PID:12092
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f6⤵
- Suspicious use of SetThreadContext
PID:4860 -
C:\Users\Admin\AppData\Local\Temp\cmd.exe"C:\Users\Admin\AppData\Local\Temp\cmd.exe"7⤵
- Suspicious behavior: SetClipboardViewer
PID:6912
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"7⤵
- Suspicious use of SetThreadContext
PID:6968 -
C:\Users\Admin\AppData\Local\Temp\cmd.exe"C:\Users\Admin\AppData\Local\Temp\cmd.exe"8⤵
- Suspicious behavior: SetClipboardViewer
PID:7744
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"8⤵PID:7808
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"C:\Users\Admin\AppData\Local\Temp\cmd.exe"9⤵PID:8688
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"9⤵PID:8712
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"C:\Users\Admin\AppData\Local\Temp\cmd.exe"10⤵PID:9820
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"10⤵PID:9896
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"C:\Users\Admin\AppData\Local\Temp\cmd.exe"11⤵PID:11224
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"11⤵PID:10316
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"C:\Users\Admin\AppData\Local\Temp\cmd.exe"12⤵PID:12108
-
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f11⤵PID:12032
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 12032 -s 80812⤵
- Program crash
PID:4808
-
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\cmd.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"11⤵PID:13116
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"C:\Users\Admin\AppData\Local\Temp\cmd.exe"12⤵PID:4692
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f10⤵PID:1524
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"C:\Users\Admin\AppData\Local\Temp\cmd.exe"11⤵PID:2516
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"11⤵PID:13292
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\cmd.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"6⤵PID:5712
-
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f5⤵
- Suspicious use of SetThreadContext
PID:4904 -
C:\Users\Admin\AppData\Local\Temp\cmd.exe"C:\Users\Admin\AppData\Local\Temp\cmd.exe"6⤵
- Suspicious behavior: SetClipboardViewer
PID:4500
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"6⤵
- Suspicious use of SetThreadContext
PID:6164 -
C:\Users\Admin\AppData\Local\Temp\cmd.exe"C:\Users\Admin\AppData\Local\Temp\cmd.exe"7⤵
- Suspicious behavior: SetClipboardViewer
PID:6928
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"7⤵PID:7004
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"C:\Users\Admin\AppData\Local\Temp\cmd.exe"8⤵
- Suspicious behavior: SetClipboardViewer
PID:7852
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"8⤵PID:7900
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"C:\Users\Admin\AppData\Local\Temp\cmd.exe"9⤵PID:8776
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"9⤵PID:8808
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"C:\Users\Admin\AppData\Local\Temp\cmd.exe"10⤵PID:9876
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"10⤵PID:9956
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"C:\Users\Admin\AppData\Local\Temp\cmd.exe"11⤵PID:10332
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"11⤵PID:10580
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"C:\Users\Admin\AppData\Local\Temp\cmd.exe"12⤵PID:12284
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"12⤵PID:11616
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f12⤵PID:11072
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\cmd.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"12⤵PID:11864
-
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f11⤵PID:3712
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"C:\Users\Admin\AppData\Local\Temp\cmd.exe"12⤵PID:11968
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"12⤵PID:11924
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f6⤵PID:12416
-
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\cmd.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"5⤵PID:8292
-
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5680 -
C:\Users\Admin\AppData\Local\Temp\cmd.exe"C:\Users\Admin\AppData\Local\Temp\cmd.exe"5⤵
- Suspicious behavior: SetClipboardViewer
PID:6136
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"5⤵
- Suspicious use of SetThreadContext
PID:5052 -
C:\Users\Admin\AppData\Local\Temp\cmd.exe"C:\Users\Admin\AppData\Local\Temp\cmd.exe"6⤵
- Suspicious behavior: SetClipboardViewer
PID:4464
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"6⤵
- Suspicious use of SetThreadContext
PID:3748 -
C:\Users\Admin\AppData\Local\Temp\cmd.exe"C:\Users\Admin\AppData\Local\Temp\cmd.exe"7⤵
- Suspicious behavior: SetClipboardViewer
PID:6852
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"7⤵
- Suspicious use of SetThreadContext
PID:6868 -
C:\Users\Admin\AppData\Local\Temp\cmd.exe"C:\Users\Admin\AppData\Local\Temp\cmd.exe"8⤵
- Suspicious behavior: SetClipboardViewer
PID:7624
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"8⤵PID:7652
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"C:\Users\Admin\AppData\Local\Temp\cmd.exe"9⤵PID:8436
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"9⤵PID:8480
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"C:\Users\Admin\AppData\Local\Temp\cmd.exe"10⤵PID:9532
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"10⤵PID:9576
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"C:\Users\Admin\AppData\Local\Temp\cmd.exe"11⤵PID:10872
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"11⤵PID:10920
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 10920 -s 81212⤵
- Program crash
PID:11556
-
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f5⤵PID:12144
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\cmd.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"5⤵PID:5848
-
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\cmd.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"4⤵PID:1184
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"C:\Users\Admin\AppData\Local\Temp\cmd.exe"5⤵PID:5372
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"5⤵PID:12424
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5348 -
C:\Users\Admin\AppData\Local\Temp\cmd.exe"C:\Users\Admin\AppData\Local\Temp\cmd.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: SetClipboardViewer
PID:5696
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5728 -
C:\Users\Admin\AppData\Local\Temp\cmd.exe"C:\Users\Admin\AppData\Local\Temp\cmd.exe"5⤵
- Suspicious behavior: SetClipboardViewer
PID:3152
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"5⤵
- Suspicious use of SetThreadContext
PID:5320 -
C:\Users\Admin\AppData\Local\Temp\cmd.exe"C:\Users\Admin\AppData\Local\Temp\cmd.exe"6⤵
- Suspicious behavior: SetClipboardViewer
PID:6200
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"6⤵
- Suspicious use of SetThreadContext
PID:6260 -
C:\Users\Admin\AppData\Local\Temp\cmd.exe"C:\Users\Admin\AppData\Local\Temp\cmd.exe"7⤵
- Suspicious behavior: SetClipboardViewer
PID:6940
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"7⤵PID:7076
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"C:\Users\Admin\AppData\Local\Temp\cmd.exe"8⤵
- Suspicious behavior: SetClipboardViewer
PID:7832
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"8⤵PID:7880
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"C:\Users\Admin\AppData\Local\Temp\cmd.exe"9⤵PID:8820
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"9⤵PID:8856
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"C:\Users\Admin\AppData\Local\Temp\cmd.exe"10⤵PID:10076
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"10⤵PID:10132
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"C:\Users\Admin\AppData\Local\Temp\cmd.exe"11⤵PID:11268
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"11⤵PID:11332
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"C:\Users\Admin\AppData\Local\Temp\cmd.exe"12⤵PID:11868
-
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f11⤵PID:9684
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 9684 -s 82812⤵
- Program crash
PID:12112
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f6⤵PID:992
-
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f5⤵PID:4588
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\cmd.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"5⤵PID:11292
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"C:\Users\Admin\AppData\Local\Temp\cmd.exe"6⤵PID:1416
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"6⤵PID:5452
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f6⤵PID:12048
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f4⤵PID:12356
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\cmd.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"4⤵PID:13264
-
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\cmd.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"3⤵PID:13276
-
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1692 -
C:\Users\Admin\AppData\Local\Temp\cmd.exe"C:\Users\Admin\AppData\Local\Temp\cmd.exe"3⤵
- Executes dropped EXE
PID:3256
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3572 -
C:\Users\Admin\AppData\Local\Temp\cmd.exe"C:\Users\Admin\AppData\Local\Temp\cmd.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: SetClipboardViewer
PID:2192
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1864 -
C:\Users\Admin\AppData\Local\Temp\cmd.exe"C:\Users\Admin\AppData\Local\Temp\cmd.exe"5⤵
- Executes dropped EXE
- Suspicious behavior: SetClipboardViewer
PID:3624
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3228 -
C:\Users\Admin\AppData\Local\Temp\cmd.exe"C:\Users\Admin\AppData\Local\Temp\cmd.exe"6⤵
- Executes dropped EXE
- Suspicious behavior: SetClipboardViewer
PID:3004
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2872 -
C:\Users\Admin\AppData\Local\Temp\cmd.exe"C:\Users\Admin\AppData\Local\Temp\cmd.exe"7⤵
- Executes dropped EXE
- Suspicious behavior: SetClipboardViewer
PID:4512
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4480 -
C:\Users\Admin\AppData\Local\Temp\cmd.exe"C:\Users\Admin\AppData\Local\Temp\cmd.exe"8⤵
- Executes dropped EXE
- Suspicious behavior: SetClipboardViewer
PID:4580
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"8⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2316 -
C:\Users\Admin\AppData\Local\Temp\cmd.exe"C:\Users\Admin\AppData\Local\Temp\cmd.exe"9⤵
- Executes dropped EXE
- Suspicious behavior: SetClipboardViewer
PID:1292
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"9⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3584 -
C:\Users\Admin\AppData\Local\Temp\cmd.exe"C:\Users\Admin\AppData\Local\Temp\cmd.exe"10⤵
- Executes dropped EXE
- Suspicious behavior: SetClipboardViewer
PID:4388
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"10⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4180 -
C:\Users\Admin\AppData\Local\Temp\cmd.exe"C:\Users\Admin\AppData\Local\Temp\cmd.exe"11⤵
- Executes dropped EXE
- Suspicious behavior: SetClipboardViewer
PID:3576
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"11⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2500 -
C:\Users\Admin\AppData\Local\Temp\cmd.exe"C:\Users\Admin\AppData\Local\Temp\cmd.exe"12⤵
- Executes dropped EXE
- Suspicious behavior: SetClipboardViewer
PID:4040
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"12⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2424 -
C:\Users\Admin\AppData\Local\Temp\cmd.exe"C:\Users\Admin\AppData\Local\Temp\cmd.exe"13⤵
- Executes dropped EXE
- Suspicious behavior: SetClipboardViewer
PID:1756
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"13⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3596 -
C:\Users\Admin\AppData\Local\Temp\cmd.exe"C:\Users\Admin\AppData\Local\Temp\cmd.exe"14⤵
- Executes dropped EXE
- Suspicious behavior: SetClipboardViewer
PID:5244
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"14⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5268 -
C:\Users\Admin\AppData\Local\Temp\cmd.exe"C:\Users\Admin\AppData\Local\Temp\cmd.exe"15⤵
- Executes dropped EXE
- Suspicious behavior: SetClipboardViewer
PID:5592
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"15⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5600 -
C:\Users\Admin\AppData\Local\Temp\cmd.exe"C:\Users\Admin\AppData\Local\Temp\cmd.exe"16⤵
- Suspicious behavior: SetClipboardViewer
PID:6052
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"16⤵
- Suspicious use of SetThreadContext
PID:6064 -
C:\Users\Admin\AppData\Local\Temp\cmd.exe"C:\Users\Admin\AppData\Local\Temp\cmd.exe"17⤵
- Suspicious behavior: SetClipboardViewer
PID:4168
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"17⤵
- Suspicious use of SetThreadContext
PID:5800 -
C:\Users\Admin\AppData\Local\Temp\cmd.exe"C:\Users\Admin\AppData\Local\Temp\cmd.exe"18⤵
- Suspicious behavior: SetClipboardViewer
PID:6744
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"18⤵
- Suspicious use of SetThreadContext
PID:6756 -
C:\Users\Admin\AppData\Local\Temp\cmd.exe"C:\Users\Admin\AppData\Local\Temp\cmd.exe"19⤵
- Suspicious behavior: SetClipboardViewer
PID:7440
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"19⤵PID:7460
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"C:\Users\Admin\AppData\Local\Temp\cmd.exe"20⤵PID:8128
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"20⤵PID:8208
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"C:\Users\Admin\AppData\Local\Temp\cmd.exe"21⤵PID:8928
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"21⤵PID:8788
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"C:\Users\Admin\AppData\Local\Temp\cmd.exe"22⤵PID:10404
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"22⤵PID:10424
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"C:\Users\Admin\AppData\Local\Temp\cmd.exe"23⤵PID:11728
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"23⤵PID:11744
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f23⤵PID:11412
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\cmd.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"23⤵PID:11508
-
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f22⤵PID:11616
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 11616 -s 88023⤵
- Program crash
PID:11568
-
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\cmd.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"22⤵PID:12764
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 12764 -s 90423⤵
- Program crash
PID:12636
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f17⤵PID:2324
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\cmd.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"17⤵PID:2304
-
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f16⤵PID:13172
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\cmd.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"16⤵PID:5308
-
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f15⤵PID:5208
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\cmd.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"15⤵PID:12116
-
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f14⤵PID:12972
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\cmd.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"14⤵PID:12996
-
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f13⤵PID:12036
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\cmd.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"13⤵PID:11120
-
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f12⤵PID:12040
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 12040 -s 81213⤵
- Program crash
PID:11396
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f11⤵PID:10756
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"C:\Users\Admin\AppData\Local\Temp\cmd.exe"12⤵PID:12084
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 10756 -s 101212⤵
- Program crash
PID:4212
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f10⤵PID:9500
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"C:\Users\Admin\AppData\Local\Temp\cmd.exe"11⤵PID:10740
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"11⤵PID:10820
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 10820 -s 85212⤵
- Program crash
PID:11388
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f9⤵PID:8460
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"C:\Users\Admin\AppData\Local\Temp\cmd.exe"10⤵PID:9612
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"10⤵PID:9680
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"C:\Users\Admin\AppData\Local\Temp\cmd.exe"11⤵PID:10968
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"11⤵PID:11040
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f11⤵PID:11684
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\cmd.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"11⤵PID:11868
-
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f10⤵PID:11928
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"C:\Users\Admin\AppData\Local\Temp\cmd.exe"11⤵PID:11336
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"11⤵PID:3344
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f11⤵PID:11980
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"C:\Users\Admin\AppData\Local\Temp\cmd.exe"12⤵PID:13152
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"12⤵PID:13180
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"C:\Users\Admin\AppData\Local\Temp\cmd.exe"13⤵PID:13112
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"13⤵PID:13144
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f13⤵PID:11668
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 11668 -s 19214⤵
- Program crash
PID:13284
-
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\cmd.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"13⤵PID:5144
-
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f12⤵PID:968
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\cmd.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"12⤵PID:12328
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 12328 -s 86013⤵
- Program crash
PID:7540
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\cmd.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"11⤵PID:12544
-
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\cmd.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"10⤵PID:13132
-
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\cmd.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"9⤵PID:32
-
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f8⤵PID:7696
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"C:\Users\Admin\AppData\Local\Temp\cmd.exe"9⤵PID:8472
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"9⤵PID:8544
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"C:\Users\Admin\AppData\Local\Temp\cmd.exe"10⤵PID:9664
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"10⤵PID:9744
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"C:\Users\Admin\AppData\Local\Temp\cmd.exe"11⤵PID:11084
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"11⤵PID:11116
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"C:\Users\Admin\AppData\Local\Temp\cmd.exe"12⤵PID:4984
-
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f11⤵PID:3752
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"C:\Users\Admin\AppData\Local\Temp\cmd.exe"12⤵PID:12012
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"12⤵PID:1524
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f12⤵PID:11952
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\cmd.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"12⤵PID:4028
-
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\cmd.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"11⤵PID:11668
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"C:\Users\Admin\AppData\Local\Temp\cmd.exe"12⤵PID:13164
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f10⤵PID:13212
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"C:\Users\Admin\AppData\Local\Temp\cmd.exe"11⤵PID:12252
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"11⤵PID:10428
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"C:\Users\Admin\AppData\Local\Temp\cmd.exe"12⤵PID:11668
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"12⤵PID:13220
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f12⤵PID:12344
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\cmd.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"12⤵PID:4428
-
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f11⤵PID:5772
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"C:\Users\Admin\AppData\Local\Temp\cmd.exe"12⤵PID:11668
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"12⤵PID:1452
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1452 -s 83613⤵
- Program crash
PID:9304
-
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f12⤵PID:6668
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\cmd.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"12⤵PID:11864
-
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\cmd.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"11⤵PID:2444
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f7⤵
- Suspicious use of SetThreadContext
PID:6988 -
C:\Users\Admin\AppData\Local\Temp\cmd.exe"C:\Users\Admin\AppData\Local\Temp\cmd.exe"8⤵
- Suspicious behavior: SetClipboardViewer
PID:7752
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"8⤵PID:7792
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"C:\Users\Admin\AppData\Local\Temp\cmd.exe"9⤵PID:8604
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"9⤵PID:8648
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"C:\Users\Admin\AppData\Local\Temp\cmd.exe"10⤵PID:9704
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"10⤵PID:9796
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"C:\Users\Admin\AppData\Local\Temp\cmd.exe"11⤵PID:11140
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"11⤵PID:11204
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"C:\Users\Admin\AppData\Local\Temp\cmd.exe"12⤵PID:12116
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"12⤵PID:12152
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f12⤵PID:11972
-
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f11⤵PID:12080
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\cmd.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"11⤵PID:7224
-
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f10⤵PID:11120
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"C:\Users\Admin\AppData\Local\Temp\cmd.exe"11⤵PID:13264
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"11⤵PID:13288
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f11⤵PID:9840
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\cmd.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"11⤵PID:5104
-
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\cmd.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"10⤵PID:12380
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 12380 -s 83211⤵
- Program crash
PID:12320
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f9⤵PID:12492
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\cmd.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"9⤵PID:2136
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2136 -s 81210⤵
- Program crash
PID:12964
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f6⤵
- Suspicious use of SetThreadContext
PID:6304 -
C:\Users\Admin\AppData\Local\Temp\cmd.exe"C:\Users\Admin\AppData\Local\Temp\cmd.exe"7⤵
- Suspicious behavior: SetClipboardViewer
PID:7024
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"7⤵PID:7144
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"C:\Users\Admin\AppData\Local\Temp\cmd.exe"8⤵PID:8000
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"8⤵PID:8036
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"C:\Users\Admin\AppData\Local\Temp\cmd.exe"9⤵PID:8920
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"9⤵PID:8936
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"C:\Users\Admin\AppData\Local\Temp\cmd.exe"10⤵PID:9968
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"10⤵PID:10024
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"C:\Users\Admin\AppData\Local\Temp\cmd.exe"11⤵PID:10292
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"11⤵PID:10340
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f11⤵PID:11960
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\cmd.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"6⤵PID:1720
-
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f5⤵
- Suspicious use of SetThreadContext
PID:3928 -
C:\Users\Admin\AppData\Local\Temp\cmd.exe"C:\Users\Admin\AppData\Local\Temp\cmd.exe"6⤵
- Suspicious behavior: SetClipboardViewer
PID:6340
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"6⤵
- Suspicious use of SetThreadContext
PID:6380 -
C:\Users\Admin\AppData\Local\Temp\cmd.exe"C:\Users\Admin\AppData\Local\Temp\cmd.exe"7⤵
- Suspicious behavior: SetClipboardViewer
PID:7160
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"7⤵PID:6536
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"C:\Users\Admin\AppData\Local\Temp\cmd.exe"8⤵PID:8120
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"8⤵PID:8168
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"C:\Users\Admin\AppData\Local\Temp\cmd.exe"9⤵PID:8988
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"9⤵PID:9016
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"C:\Users\Admin\AppData\Local\Temp\cmd.exe"10⤵PID:10088
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"10⤵PID:10236
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"C:\Users\Admin\AppData\Local\Temp\cmd.exe"11⤵PID:11312
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"11⤵PID:11408
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"C:\Users\Admin\AppData\Local\Temp\cmd.exe"12⤵PID:11976
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"12⤵PID:10568
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f12⤵PID:10320
-
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f11⤵PID:10608
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 10608 -s 83612⤵
- Program crash
PID:4984
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f7⤵PID:11560
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\cmd.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"7⤵PID:12884
-
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f6⤵PID:12824
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"C:\Users\Admin\AppData\Local\Temp\cmd.exe"7⤵PID:5632
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5632 -s 8768⤵
- Program crash
PID:9932
-
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"7⤵PID:5216
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f7⤵PID:12944
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\cmd.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"7⤵PID:13116
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"C:\Users\Admin\AppData\Local\Temp\cmd.exe"8⤵PID:5604
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"8⤵PID:5640
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5640 -s 8289⤵
- Program crash
PID:13184
-
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f8⤵PID:13220
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5784 -
C:\Users\Admin\AppData\Local\Temp\cmd.exe"C:\Users\Admin\AppData\Local\Temp\cmd.exe"5⤵
- Suspicious behavior: SetClipboardViewer
PID:5388
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"5⤵
- Suspicious use of SetThreadContext
PID:3324 -
C:\Users\Admin\AppData\Local\Temp\cmd.exe"C:\Users\Admin\AppData\Local\Temp\cmd.exe"6⤵
- Suspicious behavior: SetClipboardViewer
PID:6348
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"6⤵
- Suspicious use of SetThreadContext
PID:6404 -
C:\Users\Admin\AppData\Local\Temp\cmd.exe"C:\Users\Admin\AppData\Local\Temp\cmd.exe"7⤵
- Suspicious behavior: SetClipboardViewer
PID:6356
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"7⤵PID:4156
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"C:\Users\Admin\AppData\Local\Temp\cmd.exe"8⤵PID:8108
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"8⤵PID:8152
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"C:\Users\Admin\AppData\Local\Temp\cmd.exe"9⤵PID:9088
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"9⤵PID:9116
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"C:\Users\Admin\AppData\Local\Temp\cmd.exe"10⤵PID:10120
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"10⤵PID:10212
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"C:\Users\Admin\AppData\Local\Temp\cmd.exe"11⤵PID:11356
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"11⤵PID:11460
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f12⤵PID:11044
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\cmd.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"12⤵PID:11120
-
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f11⤵PID:11296
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"C:\Users\Admin\AppData\Local\Temp\cmd.exe"12⤵PID:12476
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"12⤵PID:12524
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f12⤵PID:12584
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\cmd.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"12⤵PID:12660
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 12660 -s 86413⤵
- Program crash
PID:12556
-
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f6⤵PID:12592
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\cmd.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"6⤵PID:13016
-
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f5⤵PID:8664
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\cmd.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"5⤵PID:9840
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"C:\Users\Admin\AppData\Local\Temp\cmd.exe"6⤵PID:5148
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\cmd.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"4⤵PID:12408
-
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5440 -
C:\Users\Admin\AppData\Local\Temp\cmd.exe"C:\Users\Admin\AppData\Local\Temp\cmd.exe"4⤵
- Suspicious behavior: SetClipboardViewer
PID:5860
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"4⤵
- Suspicious use of SetThreadContext
PID:5888 -
C:\Users\Admin\AppData\Local\Temp\cmd.exe"C:\Users\Admin\AppData\Local\Temp\cmd.exe"5⤵
- Suspicious behavior: SetClipboardViewer
PID:4784
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"5⤵
- Suspicious use of SetThreadContext
PID:3920 -
C:\Users\Admin\AppData\Local\Temp\cmd.exe"C:\Users\Admin\AppData\Local\Temp\cmd.exe"6⤵
- Suspicious behavior: SetClipboardViewer
PID:6528
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"6⤵
- Suspicious use of SetThreadContext
PID:6584 -
C:\Users\Admin\AppData\Local\Temp\cmd.exe"C:\Users\Admin\AppData\Local\Temp\cmd.exe"7⤵
- Suspicious behavior: SetClipboardViewer
PID:7240
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"7⤵PID:7264
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"C:\Users\Admin\AppData\Local\Temp\cmd.exe"8⤵PID:7356
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"8⤵PID:7536
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"C:\Users\Admin\AppData\Local\Temp\cmd.exe"9⤵PID:9160
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"9⤵PID:3392
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"C:\Users\Admin\AppData\Local\Temp\cmd.exe"10⤵PID:9696
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"10⤵PID:10112
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"C:\Users\Admin\AppData\Local\Temp\cmd.exe"11⤵PID:11436
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"11⤵PID:11524
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"C:\Users\Admin\AppData\Local\Temp\cmd.exe"12⤵PID:4020
-
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f11⤵PID:11400
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"C:\Users\Admin\AppData\Local\Temp\cmd.exe"12⤵PID:12484
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"12⤵PID:12532
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f12⤵PID:12616
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\cmd.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"12⤵PID:12684
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 12684 -s 87613⤵
- Program crash
PID:12592
-
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f6⤵PID:2416
-
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f5⤵PID:13120
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\cmd.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"6⤵PID:4140
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"6⤵PID:1728
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f4⤵PID:12600
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"C:\Users\Admin\AppData\Local\Temp\cmd.exe"5⤵PID:12328
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"5⤵PID:13156
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"C:\Users\Admin\AppData\Local\Temp\cmd.exe"6⤵PID:12508
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f6⤵PID:5688
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\cmd.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"6⤵PID:5288
-
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f5⤵PID:2324
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\cmd.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"3⤵PID:12360
-
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5128 -
C:\Users\Admin\AppData\Local\Temp\cmd.exe"C:\Users\Admin\AppData\Local\Temp\cmd.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: SetClipboardViewer
PID:5376
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5396 -
C:\Users\Admin\AppData\Local\Temp\cmd.exe"C:\Users\Admin\AppData\Local\Temp\cmd.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: SetClipboardViewer
PID:5764
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"4⤵
- Suspicious use of SetThreadContext
PID:5792 -
C:\Users\Admin\AppData\Local\Temp\cmd.exe"C:\Users\Admin\AppData\Local\Temp\cmd.exe"5⤵
- Suspicious behavior: SetClipboardViewer
PID:5448
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"5⤵
- Suspicious use of SetThreadContext
PID:3688 -
C:\Users\Admin\AppData\Local\Temp\cmd.exe"C:\Users\Admin\AppData\Local\Temp\cmd.exe"6⤵
- Suspicious behavior: SetClipboardViewer
PID:6388
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"6⤵
- Suspicious use of SetThreadContext
PID:6468 -
C:\Users\Admin\AppData\Local\Temp\cmd.exe"C:\Users\Admin\AppData\Local\Temp\cmd.exe"7⤵
- Suspicious behavior: SetClipboardViewer
PID:6632
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"7⤵PID:6920
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"C:\Users\Admin\AppData\Local\Temp\cmd.exe"8⤵PID:8096
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"8⤵PID:6684
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"C:\Users\Admin\AppData\Local\Temp\cmd.exe"9⤵PID:8996
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"9⤵PID:9036
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"10⤵PID:10196
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"C:\Users\Admin\AppData\Local\Temp\cmd.exe"11⤵PID:11124
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"11⤵PID:11292
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f11⤵PID:3680
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"C:\Users\Admin\AppData\Local\Temp\cmd.exe"12⤵PID:12308
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"12⤵PID:12324
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f12⤵PID:12360
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\cmd.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"12⤵PID:12376
-
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\cmd.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"11⤵PID:12432
-
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"C:\Users\Admin\AppData\Local\Temp\cmd.exe"10⤵PID:10104
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f10⤵PID:12452
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"C:\Users\Admin\AppData\Local\Temp\cmd.exe"11⤵PID:12440
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"11⤵PID:12444
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f11⤵PID:12340
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 12340 -s 83212⤵
- Program crash
PID:12528
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f6⤵PID:10584
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\cmd.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"6⤵PID:4520
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f4⤵PID:12564
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"C:\Users\Admin\AppData\Local\Temp\cmd.exe"5⤵PID:12312
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"5⤵PID:12380
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"C:\Users\Admin\AppData\Local\Temp\cmd.exe"6⤵PID:4444
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"6⤵PID:3276
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f3⤵PID:4428
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\cmd.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"3⤵PID:12348
-
-
-
C:\Users\Admin\AppData\Local\Temp\cmd.exe"cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\007273899.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"2⤵PID:9844
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 12040 -ip 120401⤵PID:12252
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 10820 -ip 108201⤵PID:12260
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 10796 -ip 107961⤵PID:12244
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 10756 -ip 107561⤵PID:12272
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 10956 -ip 109561⤵PID:11636
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 9684 -ip 96841⤵PID:12096
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 10608 -ip 106081⤵PID:12136
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 11524 -ip 115241⤵PID:11668
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 11524 -ip 115241⤵PID:2220
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 10596 -ip 105961⤵PID:4700
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 11616 -ip 116161⤵PID:11336
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 6536 -ip 65361⤵PID:11668
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 11916 -ip 119161⤵PID:10464
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 11584 -ip 115841⤵PID:7228
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 11508 -ip 115081⤵PID:2200
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 12032 -ip 120321⤵PID:11120
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 7224 -ip 72241⤵PID:11968
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 12308 -ip 123081⤵PID:12412
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 12484 -ip 124841⤵PID:12600
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 12340 -ip 123401⤵PID:9288
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 12660 -ip 126601⤵PID:12492
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 12764 -ip 127641⤵PID:12500
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 5264 -ip 52641⤵PID:12996
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 12328 -ip 123281⤵PID:12036
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 12380 -ip 123801⤵PID:5132
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 12360 -ip 123601⤵PID:12424
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 5236 -ip 52361⤵PID:12032
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 12492 -ip 124921⤵PID:12596
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 5640 -ip 56401⤵PID:2860
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1452 -ip 14521⤵PID:12332
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 5452 -ip 54521⤵PID:11120
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 2136 -ip 21361⤵PID:5932
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 6668 -ip 66681⤵PID:11980
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 13132 -ip 131321⤵PID:4332
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 9840 -ip 98401⤵PID:12000
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1024KB
MD5f42fcf497f956a3652942c352fe4106e
SHA1f7fbf7918016b1514dec2107b35534254f37bf59
SHA256184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27
SHA5121aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585
-
Filesize
1024KB
MD5f42fcf497f956a3652942c352fe4106e
SHA1f7fbf7918016b1514dec2107b35534254f37bf59
SHA256184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27
SHA5121aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585
-
Filesize
1024KB
MD5f42fcf497f956a3652942c352fe4106e
SHA1f7fbf7918016b1514dec2107b35534254f37bf59
SHA256184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27
SHA5121aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585
-
Filesize
1024KB
MD5f42fcf497f956a3652942c352fe4106e
SHA1f7fbf7918016b1514dec2107b35534254f37bf59
SHA256184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27
SHA5121aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585
-
Filesize
1024KB
MD5f42fcf497f956a3652942c352fe4106e
SHA1f7fbf7918016b1514dec2107b35534254f37bf59
SHA256184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27
SHA5121aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585
-
Filesize
1024KB
MD5f42fcf497f956a3652942c352fe4106e
SHA1f7fbf7918016b1514dec2107b35534254f37bf59
SHA256184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27
SHA5121aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585
-
Filesize
1024KB
MD5f42fcf497f956a3652942c352fe4106e
SHA1f7fbf7918016b1514dec2107b35534254f37bf59
SHA256184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27
SHA5121aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585
-
Filesize
1024KB
MD5f42fcf497f956a3652942c352fe4106e
SHA1f7fbf7918016b1514dec2107b35534254f37bf59
SHA256184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27
SHA5121aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585
-
Filesize
1024KB
MD5f42fcf497f956a3652942c352fe4106e
SHA1f7fbf7918016b1514dec2107b35534254f37bf59
SHA256184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27
SHA5121aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585
-
Filesize
1024KB
MD5f42fcf497f956a3652942c352fe4106e
SHA1f7fbf7918016b1514dec2107b35534254f37bf59
SHA256184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27
SHA5121aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585
-
Filesize
1024KB
MD5f42fcf497f956a3652942c352fe4106e
SHA1f7fbf7918016b1514dec2107b35534254f37bf59
SHA256184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27
SHA5121aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585
-
Filesize
1024KB
MD5f42fcf497f956a3652942c352fe4106e
SHA1f7fbf7918016b1514dec2107b35534254f37bf59
SHA256184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27
SHA5121aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585
-
Filesize
1024KB
MD5f42fcf497f956a3652942c352fe4106e
SHA1f7fbf7918016b1514dec2107b35534254f37bf59
SHA256184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27
SHA5121aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585
-
Filesize
1024KB
MD5f42fcf497f956a3652942c352fe4106e
SHA1f7fbf7918016b1514dec2107b35534254f37bf59
SHA256184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27
SHA5121aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585
-
Filesize
1024KB
MD5f42fcf497f956a3652942c352fe4106e
SHA1f7fbf7918016b1514dec2107b35534254f37bf59
SHA256184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27
SHA5121aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585
-
Filesize
1024KB
MD5f42fcf497f956a3652942c352fe4106e
SHA1f7fbf7918016b1514dec2107b35534254f37bf59
SHA256184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27
SHA5121aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585
-
Filesize
1024KB
MD5f42fcf497f956a3652942c352fe4106e
SHA1f7fbf7918016b1514dec2107b35534254f37bf59
SHA256184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27
SHA5121aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585
-
Filesize
1024KB
MD5f42fcf497f956a3652942c352fe4106e
SHA1f7fbf7918016b1514dec2107b35534254f37bf59
SHA256184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27
SHA5121aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585
-
Filesize
1024KB
MD5f42fcf497f956a3652942c352fe4106e
SHA1f7fbf7918016b1514dec2107b35534254f37bf59
SHA256184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27
SHA5121aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585
-
Filesize
1024KB
MD5f42fcf497f956a3652942c352fe4106e
SHA1f7fbf7918016b1514dec2107b35534254f37bf59
SHA256184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27
SHA5121aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585
-
Filesize
1024KB
MD5f42fcf497f956a3652942c352fe4106e
SHA1f7fbf7918016b1514dec2107b35534254f37bf59
SHA256184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27
SHA5121aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585
-
Filesize
1024KB
MD5f42fcf497f956a3652942c352fe4106e
SHA1f7fbf7918016b1514dec2107b35534254f37bf59
SHA256184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27
SHA5121aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585
-
Filesize
1024KB
MD5f42fcf497f956a3652942c352fe4106e
SHA1f7fbf7918016b1514dec2107b35534254f37bf59
SHA256184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27
SHA5121aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585
-
Filesize
1024KB
MD5f42fcf497f956a3652942c352fe4106e
SHA1f7fbf7918016b1514dec2107b35534254f37bf59
SHA256184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27
SHA5121aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585
-
Filesize
1024KB
MD5f42fcf497f956a3652942c352fe4106e
SHA1f7fbf7918016b1514dec2107b35534254f37bf59
SHA256184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27
SHA5121aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585
-
Filesize
1024KB
MD5f42fcf497f956a3652942c352fe4106e
SHA1f7fbf7918016b1514dec2107b35534254f37bf59
SHA256184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27
SHA5121aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585
-
Filesize
1024KB
MD5f42fcf497f956a3652942c352fe4106e
SHA1f7fbf7918016b1514dec2107b35534254f37bf59
SHA256184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27
SHA5121aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585
-
Filesize
1024KB
MD5f42fcf497f956a3652942c352fe4106e
SHA1f7fbf7918016b1514dec2107b35534254f37bf59
SHA256184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27
SHA5121aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585
-
Filesize
1024KB
MD5f42fcf497f956a3652942c352fe4106e
SHA1f7fbf7918016b1514dec2107b35534254f37bf59
SHA256184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27
SHA5121aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585
-
Filesize
1024KB
MD5f42fcf497f956a3652942c352fe4106e
SHA1f7fbf7918016b1514dec2107b35534254f37bf59
SHA256184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27
SHA5121aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585
-
Filesize
1024KB
MD5f42fcf497f956a3652942c352fe4106e
SHA1f7fbf7918016b1514dec2107b35534254f37bf59
SHA256184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27
SHA5121aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585
-
Filesize
1024KB
MD5f42fcf497f956a3652942c352fe4106e
SHA1f7fbf7918016b1514dec2107b35534254f37bf59
SHA256184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27
SHA5121aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585
-
Filesize
1024KB
MD5f42fcf497f956a3652942c352fe4106e
SHA1f7fbf7918016b1514dec2107b35534254f37bf59
SHA256184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27
SHA5121aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585
-
Filesize
1024KB
MD5f42fcf497f956a3652942c352fe4106e
SHA1f7fbf7918016b1514dec2107b35534254f37bf59
SHA256184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27
SHA5121aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585
-
Filesize
1024KB
MD5f42fcf497f956a3652942c352fe4106e
SHA1f7fbf7918016b1514dec2107b35534254f37bf59
SHA256184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27
SHA5121aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585
-
Filesize
1024KB
MD5f42fcf497f956a3652942c352fe4106e
SHA1f7fbf7918016b1514dec2107b35534254f37bf59
SHA256184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27
SHA5121aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585
-
Filesize
1024KB
MD5f42fcf497f956a3652942c352fe4106e
SHA1f7fbf7918016b1514dec2107b35534254f37bf59
SHA256184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27
SHA5121aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585
-
Filesize
1024KB
MD5f42fcf497f956a3652942c352fe4106e
SHA1f7fbf7918016b1514dec2107b35534254f37bf59
SHA256184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27
SHA5121aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585
-
Filesize
1024KB
MD5f42fcf497f956a3652942c352fe4106e
SHA1f7fbf7918016b1514dec2107b35534254f37bf59
SHA256184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27
SHA5121aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585
-
Filesize
1024KB
MD5f42fcf497f956a3652942c352fe4106e
SHA1f7fbf7918016b1514dec2107b35534254f37bf59
SHA256184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27
SHA5121aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585
-
Filesize
1024KB
MD5f42fcf497f956a3652942c352fe4106e
SHA1f7fbf7918016b1514dec2107b35534254f37bf59
SHA256184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27
SHA5121aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585
-
Filesize
1024KB
MD5f42fcf497f956a3652942c352fe4106e
SHA1f7fbf7918016b1514dec2107b35534254f37bf59
SHA256184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27
SHA5121aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585
-
Filesize
1024KB
MD5f42fcf497f956a3652942c352fe4106e
SHA1f7fbf7918016b1514dec2107b35534254f37bf59
SHA256184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27
SHA5121aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585
-
Filesize
1024KB
MD5f42fcf497f956a3652942c352fe4106e
SHA1f7fbf7918016b1514dec2107b35534254f37bf59
SHA256184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27
SHA5121aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585
-
Filesize
1024KB
MD5f42fcf497f956a3652942c352fe4106e
SHA1f7fbf7918016b1514dec2107b35534254f37bf59
SHA256184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27
SHA5121aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585
-
Filesize
1024KB
MD5f42fcf497f956a3652942c352fe4106e
SHA1f7fbf7918016b1514dec2107b35534254f37bf59
SHA256184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27
SHA5121aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585
-
Filesize
1024KB
MD5f42fcf497f956a3652942c352fe4106e
SHA1f7fbf7918016b1514dec2107b35534254f37bf59
SHA256184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27
SHA5121aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585
-
Filesize
1024KB
MD5f42fcf497f956a3652942c352fe4106e
SHA1f7fbf7918016b1514dec2107b35534254f37bf59
SHA256184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27
SHA5121aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585
-
Filesize
1024KB
MD5f42fcf497f956a3652942c352fe4106e
SHA1f7fbf7918016b1514dec2107b35534254f37bf59
SHA256184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27
SHA5121aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585
-
Filesize
1024KB
MD5f42fcf497f956a3652942c352fe4106e
SHA1f7fbf7918016b1514dec2107b35534254f37bf59
SHA256184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27
SHA5121aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585
-
Filesize
1024KB
MD5f42fcf497f956a3652942c352fe4106e
SHA1f7fbf7918016b1514dec2107b35534254f37bf59
SHA256184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27
SHA5121aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585
-
Filesize
1024KB
MD5f42fcf497f956a3652942c352fe4106e
SHA1f7fbf7918016b1514dec2107b35534254f37bf59
SHA256184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27
SHA5121aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585
-
Filesize
1024KB
MD5f42fcf497f956a3652942c352fe4106e
SHA1f7fbf7918016b1514dec2107b35534254f37bf59
SHA256184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27
SHA5121aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585
-
Filesize
1024KB
MD5f42fcf497f956a3652942c352fe4106e
SHA1f7fbf7918016b1514dec2107b35534254f37bf59
SHA256184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27
SHA5121aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585
-
Filesize
1024KB
MD5f42fcf497f956a3652942c352fe4106e
SHA1f7fbf7918016b1514dec2107b35534254f37bf59
SHA256184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27
SHA5121aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585
-
Filesize
1024KB
MD5f42fcf497f956a3652942c352fe4106e
SHA1f7fbf7918016b1514dec2107b35534254f37bf59
SHA256184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27
SHA5121aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585
-
Filesize
1024KB
MD5f42fcf497f956a3652942c352fe4106e
SHA1f7fbf7918016b1514dec2107b35534254f37bf59
SHA256184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27
SHA5121aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585
-
Filesize
1024KB
MD5f42fcf497f956a3652942c352fe4106e
SHA1f7fbf7918016b1514dec2107b35534254f37bf59
SHA256184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27
SHA5121aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585
-
Filesize
1024KB
MD5f42fcf497f956a3652942c352fe4106e
SHA1f7fbf7918016b1514dec2107b35534254f37bf59
SHA256184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27
SHA5121aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585
-
Filesize
1024KB
MD5f42fcf497f956a3652942c352fe4106e
SHA1f7fbf7918016b1514dec2107b35534254f37bf59
SHA256184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27
SHA5121aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585
-
Filesize
1024KB
MD5f42fcf497f956a3652942c352fe4106e
SHA1f7fbf7918016b1514dec2107b35534254f37bf59
SHA256184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27
SHA5121aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585
-
Filesize
1024KB
MD5f42fcf497f956a3652942c352fe4106e
SHA1f7fbf7918016b1514dec2107b35534254f37bf59
SHA256184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27
SHA5121aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585
-
Filesize
1024KB
MD5f42fcf497f956a3652942c352fe4106e
SHA1f7fbf7918016b1514dec2107b35534254f37bf59
SHA256184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27
SHA5121aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585
-
Filesize
1024KB
MD5f42fcf497f956a3652942c352fe4106e
SHA1f7fbf7918016b1514dec2107b35534254f37bf59
SHA256184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27
SHA5121aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585
-
Filesize
1024KB
MD5f42fcf497f956a3652942c352fe4106e
SHA1f7fbf7918016b1514dec2107b35534254f37bf59
SHA256184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27
SHA5121aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585