Malware Analysis Report

2024-10-16 07:21

Sample ID 240627-qrr5eswdjl
Target Loader.exe
SHA256 e2aac5fb4c3889bf916a1938cd3006dd3143e80774fa55ab0ffe25c88387dd9d
Tags
quasar blankgrabber asyncrat xworm default slave execution rat spyware trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e2aac5fb4c3889bf916a1938cd3006dd3143e80774fa55ab0ffe25c88387dd9d

Threat Level: Known bad

The file Loader.exe was found to be: Known bad.

Malicious Activity Summary

Quasar RAT

Detect Xworm Payload

Quasar payload

Quasar family

A stealer written in Python and packaged with PyInstaller

Blankgrabber family

Xworm

AsyncRat

Async RAT payload

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Executes dropped EXE

Looks up external IP address via web service

Unsigned PE

Program crash

Enumerates physical storage devices

Scheduled Task/Job: Scheduled Task

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Runs ping.exe

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-27 13:30

Signatures

A stealer written in Python and packaged with PyInstaller

Description Indicator Process Target
N/A N/A N/A N/A

Blankgrabber family

blankgrabber

Quasar family

quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-27 13:30

Reported

2024-06-27 13:47

Platform

win10v2004-20240508-en

Max time kernel

1047s

Max time network

1051s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

Signatures

AsyncRat

rat asyncrat

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A

Quasar RAT

trojan spyware quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A

Xworm

trojan rat xworm

Async RAT payload

rat

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Part 2.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\explorer.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Part 4.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\explorer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Part 1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Part 2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Part 3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Part 4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Windows PowerShell.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A
N/A api.ipify.org N/A N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\Part 2.exe

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Scheduled Task/Job: Scheduled Task

persistence execution

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Windows PowerShell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Part 1.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Windows PowerShell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Part 3.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Part 2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Part 4.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Part 4.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Part 1.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Part 2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Part 2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Part 2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Part 2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Part 2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Part 2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Part 2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Part 2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Part 2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Part 2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Part 2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Part 2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Part 2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Part 2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Part 2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Part 2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Part 2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Part 2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Part 2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Part 2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Part 2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Part 2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Part 2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Part 2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Part 2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Part 2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Part 2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Part 2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Part 2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Part 2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Part 2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Part 2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Part 2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Part 2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Part 2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Part 2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Part 2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Part 2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Part 2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Part 2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Part 2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Part 2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Part 2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Part 2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Part 2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Part 2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Part 2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Part 2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Part 2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Part 2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Part 2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Part 2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Part 2.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Part 4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Part 1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Part 2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Part 2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Part 2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Part 2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Part 2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Part 2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Part 2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Part 2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Part 2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Part 2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Part 2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Part 2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Part 2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Part 2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Part 2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Part 2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Part 2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Part 2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Part 2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Part 2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Part 2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Part 2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Part 2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Part 2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Part 2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Part 2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Part 2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Part 2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Part 2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Part 2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Part 2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Part 2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Part 2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Part 2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Part 2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Part 2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Part 2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Part 2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Part 2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Part 2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Part 2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Part 2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Part 2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Part 2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Part 2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Part 2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Part 2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Part 2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Part 2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Part 2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Part 2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Part 2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Part 2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Part 2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Part 2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Part 2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Part 2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Part 2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Part 2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Part 2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Part 2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Part 2.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1388 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 1388 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 1388 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 1388 wrote to memory of 3480 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Users\Admin\AppData\Local\Temp\explorer.exe
PID 1388 wrote to memory of 3480 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Users\Admin\AppData\Local\Temp\explorer.exe
PID 3480 wrote to memory of 3456 N/A C:\Users\Admin\AppData\Local\Temp\explorer.exe C:\Users\Admin\AppData\Local\Temp\Part 1.exe
PID 3480 wrote to memory of 3456 N/A C:\Users\Admin\AppData\Local\Temp\explorer.exe C:\Users\Admin\AppData\Local\Temp\Part 1.exe
PID 3480 wrote to memory of 4472 N/A C:\Users\Admin\AppData\Local\Temp\explorer.exe C:\Users\Admin\AppData\Local\Temp\Part 2.exe
PID 3480 wrote to memory of 4472 N/A C:\Users\Admin\AppData\Local\Temp\explorer.exe C:\Users\Admin\AppData\Local\Temp\Part 2.exe
PID 3480 wrote to memory of 4472 N/A C:\Users\Admin\AppData\Local\Temp\explorer.exe C:\Users\Admin\AppData\Local\Temp\Part 2.exe
PID 3480 wrote to memory of 4356 N/A C:\Users\Admin\AppData\Local\Temp\explorer.exe C:\Users\Admin\AppData\Local\Temp\Part 3.exe
PID 3480 wrote to memory of 4356 N/A C:\Users\Admin\AppData\Local\Temp\explorer.exe C:\Users\Admin\AppData\Local\Temp\Part 3.exe
PID 3480 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\explorer.exe C:\Users\Admin\AppData\Local\Temp\Part 4.exe
PID 3480 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\explorer.exe C:\Users\Admin\AppData\Local\Temp\Part 4.exe
PID 3480 wrote to memory of 4836 N/A C:\Users\Admin\AppData\Local\Temp\explorer.exe C:\Users\Admin\AppData\Local\Temp\Windows PowerShell.exe
PID 3480 wrote to memory of 4836 N/A C:\Users\Admin\AppData\Local\Temp\explorer.exe C:\Users\Admin\AppData\Local\Temp\Windows PowerShell.exe
PID 3480 wrote to memory of 4836 N/A C:\Users\Admin\AppData\Local\Temp\explorer.exe C:\Users\Admin\AppData\Local\Temp\Windows PowerShell.exe
PID 3456 wrote to memory of 4812 N/A C:\Users\Admin\AppData\Local\Temp\Part 1.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3456 wrote to memory of 4812 N/A C:\Users\Admin\AppData\Local\Temp\Part 1.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2428 wrote to memory of 4672 N/A C:\Users\Admin\AppData\Local\Temp\Part 4.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2428 wrote to memory of 4672 N/A C:\Users\Admin\AppData\Local\Temp\Part 4.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2428 wrote to memory of 3508 N/A C:\Users\Admin\AppData\Local\Temp\Part 4.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2428 wrote to memory of 3508 N/A C:\Users\Admin\AppData\Local\Temp\Part 4.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3456 wrote to memory of 1340 N/A C:\Users\Admin\AppData\Local\Temp\Part 1.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3456 wrote to memory of 1340 N/A C:\Users\Admin\AppData\Local\Temp\Part 1.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4472 wrote to memory of 4712 N/A C:\Users\Admin\AppData\Local\Temp\Part 2.exe C:\Windows\SysWOW64\schtasks.exe
PID 4472 wrote to memory of 4712 N/A C:\Users\Admin\AppData\Local\Temp\Part 2.exe C:\Windows\SysWOW64\schtasks.exe
PID 4472 wrote to memory of 4712 N/A C:\Users\Admin\AppData\Local\Temp\Part 2.exe C:\Windows\SysWOW64\schtasks.exe
PID 4472 wrote to memory of 3720 N/A C:\Users\Admin\AppData\Local\Temp\Part 2.exe C:\Windows\SysWOW64\cmd.exe
PID 4472 wrote to memory of 3720 N/A C:\Users\Admin\AppData\Local\Temp\Part 2.exe C:\Windows\SysWOW64\cmd.exe
PID 4472 wrote to memory of 3720 N/A C:\Users\Admin\AppData\Local\Temp\Part 2.exe C:\Windows\SysWOW64\cmd.exe
PID 3720 wrote to memory of 1644 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 3720 wrote to memory of 1644 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 3720 wrote to memory of 1644 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 3720 wrote to memory of 1472 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 3720 wrote to memory of 1472 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 3720 wrote to memory of 1472 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 3720 wrote to memory of 2568 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\Part 2.exe
PID 3720 wrote to memory of 2568 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\Part 2.exe
PID 3720 wrote to memory of 2568 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\Part 2.exe
PID 2568 wrote to memory of 228 N/A C:\Users\Admin\AppData\Local\Temp\Part 2.exe C:\Windows\SysWOW64\schtasks.exe
PID 2568 wrote to memory of 228 N/A C:\Users\Admin\AppData\Local\Temp\Part 2.exe C:\Windows\SysWOW64\schtasks.exe
PID 2568 wrote to memory of 228 N/A C:\Users\Admin\AppData\Local\Temp\Part 2.exe C:\Windows\SysWOW64\schtasks.exe
PID 2568 wrote to memory of 964 N/A C:\Users\Admin\AppData\Local\Temp\Part 2.exe C:\Windows\SysWOW64\cmd.exe
PID 2568 wrote to memory of 964 N/A C:\Users\Admin\AppData\Local\Temp\Part 2.exe C:\Windows\SysWOW64\cmd.exe
PID 2568 wrote to memory of 964 N/A C:\Users\Admin\AppData\Local\Temp\Part 2.exe C:\Windows\SysWOW64\cmd.exe
PID 964 wrote to memory of 620 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 964 wrote to memory of 620 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 964 wrote to memory of 620 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 964 wrote to memory of 856 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 964 wrote to memory of 856 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 964 wrote to memory of 856 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 964 wrote to memory of 3752 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\Part 2.exe
PID 964 wrote to memory of 3752 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\Part 2.exe
PID 964 wrote to memory of 3752 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\Part 2.exe
PID 3752 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\Part 2.exe C:\Windows\SysWOW64\schtasks.exe
PID 3752 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\Part 2.exe C:\Windows\SysWOW64\schtasks.exe
PID 3752 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\Part 2.exe C:\Windows\SysWOW64\schtasks.exe
PID 3752 wrote to memory of 3376 N/A C:\Users\Admin\AppData\Local\Temp\Part 2.exe C:\Windows\SysWOW64\cmd.exe
PID 3752 wrote to memory of 3376 N/A C:\Users\Admin\AppData\Local\Temp\Part 2.exe C:\Windows\SysWOW64\cmd.exe
PID 3752 wrote to memory of 3376 N/A C:\Users\Admin\AppData\Local\Temp\Part 2.exe C:\Windows\SysWOW64\cmd.exe
PID 3376 wrote to memory of 3856 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 3376 wrote to memory of 3856 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 3376 wrote to memory of 3856 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com

Processes

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\svchost.exe"

C:\Users\Admin\AppData\Local\Temp\explorer.exe

"C:\Users\Admin\AppData\Local\Temp\explorer.exe"

C:\Users\Admin\AppData\Local\Temp\Part 1.exe

"C:\Users\Admin\AppData\Local\Temp\Part 1.exe"

C:\Users\Admin\AppData\Local\Temp\Part 2.exe

"C:\Users\Admin\AppData\Local\Temp\Part 2.exe"

C:\Users\Admin\AppData\Local\Temp\Part 3.exe

"C:\Users\Admin\AppData\Local\Temp\Part 3.exe"

C:\Users\Admin\AppData\Local\Temp\Part 4.exe

"C:\Users\Admin\AppData\Local\Temp\Part 4.exe"

C:\Users\Admin\AppData\Local\Temp\Windows PowerShell.exe

"C:\Users\Admin\AppData\Local\Temp\Windows PowerShell.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Part 1.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Part 4.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Part 4.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Part 1.exe'

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "$77STARTUP~MSF" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Part 2.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hI8lJN5gZi9c.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4472 -ip 4472

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4472 -s 1956

C:\Users\Admin\AppData\Local\Temp\Part 2.exe

"C:\Users\Admin\AppData\Local\Temp\Part 2.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "$77STARTUP~MSF" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Part 2.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TssbLXg53huh.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2568 -ip 2568

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2568 -s 1648

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\Part 2.exe

"C:\Users\Admin\AppData\Local\Temp\Part 2.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "$77STARTUP~MSF" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Part 2.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5ovnZz7ICP2g.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3752 -ip 3752

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3752 -s 1096

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\Part 2.exe

"C:\Users\Admin\AppData\Local\Temp\Part 2.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "$77STARTUP~MSF" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Part 2.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VgUDNAYfhU1H.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1988 -ip 1988

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1988 -s 1648

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\Part 2.exe

"C:\Users\Admin\AppData\Local\Temp\Part 2.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "$77STARTUP~MSF" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Part 2.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KH2mC5JNiHTH.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1468 -ip 1468

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1468 -s 2168

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\Part 2.exe

"C:\Users\Admin\AppData\Local\Temp\Part 2.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "$77STARTUP~MSF" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Part 2.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dZt8Z7daahCU.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3572 -ip 3572

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3572 -s 2196

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\Part 2.exe

"C:\Users\Admin\AppData\Local\Temp\Part 2.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "$77STARTUP~MSF" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Part 2.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YBJ1En4WCUQ3.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4496 -ip 4496

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4496 -s 1712

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\Part 2.exe

"C:\Users\Admin\AppData\Local\Temp\Part 2.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "$77STARTUP~MSF" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Part 2.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gtOWsZP0diUp.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1264 -ip 1264

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1264 -s 2252

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\Part 2.exe

"C:\Users\Admin\AppData\Local\Temp\Part 2.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "$77STARTUP~MSF" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Part 2.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hachhZ4GTwm1.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1360 -ip 1360

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1360 -s 1652

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\Part 2.exe

"C:\Users\Admin\AppData\Local\Temp\Part 2.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "$77STARTUP~MSF" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Part 2.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\V6RkdHUD3pZR.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 756 -ip 756

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 756 -s 1084

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\Part 2.exe

"C:\Users\Admin\AppData\Local\Temp\Part 2.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "$77STARTUP~MSF" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Part 2.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\frWofdriDg1w.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3980 -ip 3980

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3980 -s 1096

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\Part 2.exe

"C:\Users\Admin\AppData\Local\Temp\Part 2.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "$77STARTUP~MSF" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Part 2.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9pdT9loAfSL0.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 5084 -ip 5084

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5084 -s 1100

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\Part 2.exe

"C:\Users\Admin\AppData\Local\Temp\Part 2.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "$77STARTUP~MSF" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Part 2.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\G2pDWhEpiRE1.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 3560 -ip 3560

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3560 -s 1096

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\Part 2.exe

"C:\Users\Admin\AppData\Local\Temp\Part 2.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "$77STARTUP~MSF" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Part 2.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WpXk8Xwxut4J.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 3792 -ip 3792

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3792 -s 1096

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\Part 2.exe

"C:\Users\Admin\AppData\Local\Temp\Part 2.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "$77STARTUP~MSF" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Part 2.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eXcFmJHRL885.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 1504 -ip 1504

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1504 -s 2236

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\Part 2.exe

"C:\Users\Admin\AppData\Local\Temp\Part 2.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "$77STARTUP~MSF" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Part 2.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3rKuz7GrpYcs.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 3112 -ip 3112

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3112 -s 1096

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\Part 2.exe

"C:\Users\Admin\AppData\Local\Temp\Part 2.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "$77STARTUP~MSF" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Part 2.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zTkndnimQMqR.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3408 -ip 3408

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3408 -s 1716

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\Part 2.exe

"C:\Users\Admin\AppData\Local\Temp\Part 2.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "$77STARTUP~MSF" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Part 2.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PrCyio3yLgzn.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 2616 -ip 2616

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2616 -s 1720

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

Network

Country Destination Domain Proto
US 8.8.8.8:53 finally-grande.gl.at.ply.gg udp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 freegeoip.net udp
US 8.8.8.8:53 super-nearest.gl.at.ply.gg udp
US 8.8.8.8:53 finally-grande.gl.at.ply.gg udp
US 8.8.8.8:53 i.ibb.co udp
US 8.8.8.8:53 best-bird.gl.at.ply.gg udp
US 8.8.8.8:53 api.ipify.org udp
US 8.8.8.8:53 stop-largely.gl.at.ply.gg udp
US 8.8.8.8:53 best-bird.gl.at.ply.gg udp
US 8.8.8.8:53 i.ibb.co udp
US 8.8.8.8:53 finally-grande.gl.at.ply.gg udp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 best-bird.gl.at.ply.gg udp
US 8.8.8.8:53 i.ibb.co udp
US 8.8.8.8:53 finally-grande.gl.at.ply.gg udp
US 8.8.8.8:53 best-bird.gl.at.ply.gg udp
US 8.8.8.8:53 i.ibb.co udp
US 8.8.8.8:53 i.ibb.co udp
US 8.8.8.8:53 finally-grande.gl.at.ply.gg udp
US 8.8.8.8:53 best-bird.gl.at.ply.gg udp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 i.ibb.co udp
US 8.8.8.8:53 best-bird.gl.at.ply.gg udp
US 8.8.8.8:53 i.ibb.co udp
US 8.8.8.8:53 finally-grande.gl.at.ply.gg udp
US 8.8.8.8:53 i.ibb.co udp
US 8.8.8.8:53 best-bird.gl.at.ply.gg udp
US 8.8.8.8:53 finally-grande.gl.at.ply.gg udp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 i.ibb.co udp
US 8.8.8.8:53 i.ibb.co udp
US 8.8.8.8:53 finally-grande.gl.at.ply.gg udp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 best-bird.gl.at.ply.gg udp
US 8.8.8.8:53 i.ibb.co udp
US 8.8.8.8:53 i.ibb.co udp
US 8.8.8.8:53 best-bird.gl.at.ply.gg udp
US 8.8.8.8:53 finally-grande.gl.at.ply.gg udp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 i.ibb.co udp
US 8.8.8.8:53 freegeoip.net udp
US 8.8.8.8:53 i.ibb.co udp
US 8.8.8.8:53 finally-grande.gl.at.ply.gg udp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 best-bird.gl.at.ply.gg udp
US 8.8.8.8:53 i.ibb.co udp
US 8.8.8.8:53 i.ibb.co udp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 finally-grande.gl.at.ply.gg udp
US 8.8.8.8:53 i.ibb.co udp
US 8.8.8.8:53 finally-grande.gl.at.ply.gg udp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 i.ibb.co udp
US 8.8.8.8:53 best-bird.gl.at.ply.gg udp
US 8.8.8.8:53 finally-grande.gl.at.ply.gg udp
US 8.8.8.8:53 i.ibb.co udp
US 8.8.8.8:53 best-bird.gl.at.ply.gg udp
US 8.8.8.8:53 finally-grande.gl.at.ply.gg udp
US 8.8.8.8:53 github.com udp
US 8.8.8.8:53 stop-largely.gl.at.ply.gg udp
US 8.8.8.8:53 i.ibb.co udp
US 8.8.8.8:53 best-bird.gl.at.ply.gg udp
US 8.8.8.8:53 finally-grande.gl.at.ply.gg udp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 i.ibb.co udp
US 8.8.8.8:53 best-bird.gl.at.ply.gg udp
US 8.8.8.8:53 i.ibb.co udp
US 8.8.8.8:53 finally-grande.gl.at.ply.gg udp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 i.ibb.co udp

Files

memory/1388-0-0x0000000074E4E000-0x0000000074E4F000-memory.dmp

memory/1388-1-0x0000000000890000-0x0000000001324000-memory.dmp

memory/1388-2-0x0000000005CA0000-0x0000000005D3C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\svchost.exe

MD5 bb57e95ad7ac1da6307c62d2e75a7e6d
SHA1 403145af8d0e5260ff0bb9eacac51e9a667214e2
SHA256 e2b6fb77c0c45a1ac911cfabea26c5dceb234bed0eb4b3ffa5c12af22a4cd630
SHA512 12517e3eeb1bef18999807d8a08ce50d743b3dd4ff45d54bd4bfc552620ac6c9ff62fa212e8b1c61d5343d8bbd2dc9da0537f554893799ae23ab3748d14c4bf8

C:\Users\Admin\AppData\Local\Temp\explorer.exe

MD5 5377e3b94429dc03de4ad493a4dc8071
SHA1 f12d5b92c0af3ba5efa623f36ace62428bf29cc0
SHA256 3d95d7835452b6533f132d079f43ebf337fb7fa6e8f66a8268331d894dd0ed68
SHA512 2a1db554f8c2076d94ecf947628c7d4c5f94739ed678bed0ff180b981ae6d130e9f642d7a23fcceb37273f3a5c2bf29c18fc7b6820878c72e8080cef27e66bdb

memory/2948-23-0x0000000000D20000-0x0000000001700000-memory.dmp

memory/3480-28-0x00007FFFEFE53000-0x00007FFFEFE55000-memory.dmp

memory/3480-29-0x0000000000D20000-0x0000000000DCC000-memory.dmp

memory/2948-27-0x0000000074E40000-0x00000000755F0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Part 1.exe

MD5 092a0c6fe885844fd74947e64e7fc11e
SHA1 bfe46f64f36f2e927d862a1a787f146ed2c01219
SHA256 91431cb73305e0f1fdc698907301b6d312a350f667c50765615672e7f10a68f2
SHA512 022589bd17b46e5486971a59b2517956bb15815266e48dc73a7ae9ac9efd42a348af09df471562eb71ffc94ce1e1845d54ca2994663d1496a385bce50ae595f0

C:\Users\Admin\AppData\Local\Temp\Part 3.exe

MD5 27fe9341167a34f606b800303ac54b1f
SHA1 86373d218b48361bff1c23ddd08b6ab1803a51d0
SHA256 29e13a91af9b0ac77e9b7f8b0c26e5702f46bd8aea0333ca2d191d1d09c70c5d
SHA512 05b83ad544862d9c0cfc2651b2842624cff59fc4f454e0b1a2b36a705b558fad5a834f9f1af9f2626c57f1e3cd9aa400e290eaafb6efeb680422992bcbbde5b0

C:\Users\Admin\AppData\Local\Temp\Part 4.exe

MD5 1f1b23752df3d29e7604ba52aea85862
SHA1 bb582c6cf022098b171c4c9c7318a51de29ebcf4
SHA256 4834d31394f19d42e8d2a035b4c3c9c36441340ea19fe766396848ecfb608960
SHA512 d52722ab73bb15d4a5b0033351f98f168192f382677e6d474f6cf506cf8dc2f5e421e45279b6cac0f074857f41a865d87b5d989450bfcb8eba925b7baa12fbde

memory/4472-85-0x00000000008C0000-0x000000000092C000-memory.dmp

memory/2948-90-0x0000000074E40000-0x00000000755F0000-memory.dmp

memory/4472-91-0x0000000005200000-0x0000000005292000-memory.dmp

memory/2428-92-0x0000000000E90000-0x0000000000EAA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Windows PowerShell.exe

MD5 4daae2de5a31125d02b057c1ff18d58f
SHA1 e1d603edfcc150a4718e2916ae3dda3aa9548dc8
SHA256 25510f3aa1b879ea92a3cba9583d73e447b8765bae6dfcc4954bb72df5beaa7f
SHA512 7cda96a69f9cddab307f3f08e1f38a4d059f0cc7f7119d4a48891efdb01cf101ebcc06cb2ce0702ea2d689d27ee45faddc0a13cd72503c609c4e544919549a2a

memory/4472-87-0x0000000005710000-0x0000000005CB4000-memory.dmp

memory/4356-72-0x0000000000DA0000-0x0000000000DB6000-memory.dmp

memory/3456-69-0x0000000000400000-0x0000000000418000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Part 2.exe

MD5 e10c7425705b2bd3214fa96247ee21c4
SHA1 7603536b97ab6337fa023bafcf80579c2b4059e6
SHA256 021068ac225e479b124c33d9e7582c17fdea6e625b165b79e2c818479d8094e4
SHA512 47e031992d637fef2a67e4fb08d2d82eaba03eba6b80f3e0e0997153acf0d979d0294276c4a10a97daa50130540230865c56191e6fe8df07dbea11c50fa48a2d

memory/4836-94-0x0000000000940000-0x000000000094E000-memory.dmp

memory/4836-95-0x0000000001130000-0x0000000001140000-memory.dmp

memory/4472-96-0x00000000052B0000-0x0000000005316000-memory.dmp

memory/4472-98-0x0000000005F00000-0x0000000005F12000-memory.dmp

memory/4812-105-0x000001FA84670000-0x000001FA84692000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dcgji5x1.0ou.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 77d622bb1a5b250869a3238b9bc1402b
SHA1 d47f4003c2554b9dfc4c16f22460b331886b191b
SHA256 f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb
SHA512 d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 a2c8179aaa149c0b9791b73ce44c04d1
SHA1 703361b0d43ec7f669304e7c0ffbbfdeb1e484ff
SHA256 c1d30342a40a2b6e7553da30ceb85754d33820f6fbb3bbbed1ceb30d6390de4a
SHA512 2e201dd457d055baad86f68c15bcc7beb48d6dc2ffc10db7f304eb93f697e7b45991cbde857d25da2c9c60c23f3e13df8b5ed5809c1753737a23096e296cc9e3

memory/4472-146-0x00000000069F0000-0x00000000069FA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\hI8lJN5gZi9c.bat

MD5 a043d7b8caef5b86e552914ded22a26e
SHA1 6d605088ce033fdee9b20355673279f78284f1bd
SHA256 482a803b50dade29384a0ef50388710c6faf249aae40a0589f49f7928079746d
SHA512 b048d7243beae1be4e0d364cf9cf23e22a0d24d381628b5370fcbdcdebe737e0c62416e7bb265270583b2f63aa6dd2d9bee8810734492e8bb74915e59dcc4932

C:\Users\Admin\AppData\Roaming\Logs\06-27-2024

MD5 6946b755c3314eab145d91e8caf7ac01
SHA1 4f98282de5b5c823de0957412f579c284350c400
SHA256 e220ccc7e70d8e3b570cb4a14856b500bb1a9657ea248af6713375033b0c5961
SHA512 276b29df256d8a3d7d10291e5e537b032216fcc306c346cd646e35dd555f6a0ec07a0c6907e2b1b2f195c953a717a4674ce6b8e8810ce91849c42012ca672cb4

C:\Users\Admin\AppData\Local\Temp\TssbLXg53huh.bat

MD5 97878563befb4170d5ff0a525721f186
SHA1 f31ac5d4b10495d1973c8c5bec93d17952c0c5d6
SHA256 0104d7299e7508dcdb77643de14a95af09c67f0af9f863478e1b3e1f7cda358e
SHA512 a4d7ee509ee309c773c018017f799b4b9820f25e5f4a73dce12e1351c1ff0e68189fc1614919d0e153a121d263e222b841992bf9f9b6888870697920f0d1ba17

C:\Users\Admin\AppData\Roaming\Logs\06-27-2024

MD5 ed8af0a2bd106ab56f32517d8d479529
SHA1 97b4eab543397d7f981b70b025eb0fc112b26d40
SHA256 ee908e8d4cc169346f150beb5489b5e6bc65b68c340f04941e4c09903059a0bb
SHA512 6b5899b6988c4d3b9945189b8bebc1fd6e0a521eb5e7f7f68ca35073288a1d651bccfcc87c864a938164f642a723ca3dbd5d02e6b7b778fa65b000862cd5487b

C:\Users\Admin\AppData\Local\Temp\5ovnZz7ICP2g.bat

MD5 81b6a7a1e934a3f28a34773d03c34247
SHA1 015005c0d67a7ee6fdb8a6ebf3b26353800cedc2
SHA256 743ade614ea169ea605072cf58ff69949d243598d308020e720af9a3fe3b936a
SHA512 409ef70d38801771abeb4003231070b4a23239cfd63604a892b7579ae5060c984e99993fb00611826755775048c27b4deb330bcc8f44829c90359202b56a8e18

C:\Users\Admin\AppData\Roaming\Logs\06-27-2024

MD5 30f30d503ba9625e69db2787882e1aae
SHA1 bd4874ce124bf8eb2b98604db1cadf2c70cd2f69
SHA256 f02740158ae069b555bc89cfd6788822f2bcd1b62dd57ac7eb5a79f1ae744421
SHA512 9a1671500c1ea374332b4cea935bb5fb927f3006470cede37dcf56e25d9b9121123c5a93d9b954a436aac552dcd3e872793fac240af1dc680a2885f95d72bce0

C:\Users\Admin\AppData\Local\Temp\VgUDNAYfhU1H.bat

MD5 dcc8962a7198dd9d2ddbb70a850e4081
SHA1 7e969975e11792c274aabf9ba20a5769c40a25b8
SHA256 ffe6872ec5b2c558e895d4855e031996281d1df1e5e73c877bb73eb03a15be1f
SHA512 90f4a1d7992e19a4937f718a3bf8b9544a8dfe24e9c6050face68ccca86b9cc186f07088b29e175f0e71e7e64b09270f86a2877b3332f6cc365baa65b4dcce66

C:\Users\Admin\AppData\Roaming\Logs\06-27-2024

MD5 425a8fe65e169dad58d588b7a6b24a71
SHA1 a14386e82aa26281a623e934cd70e015aa0eb729
SHA256 a6b96f59f6584b32452a6fbdaa337dfab93cc214112bdb6550032d0b5e1d4a03
SHA512 d82f5a63185f2f070963457762a207f18669dc5416a41f33f82ee3d6d4704ffcd007b4bdc17895fef630ec82b2f58afdeb2fe5ceed247ef34778cb308bda2983

C:\Users\Admin\AppData\Local\Temp\KH2mC5JNiHTH.bat

MD5 ada7da9bf222156aee9993f7098a7cf3
SHA1 cc8ad2dcc7c335fa5ebd92dbd925066a35e4d70e
SHA256 8428e7eccbcff14269cd7a48e30850a31f424ca57a4ee9901761f6d40bfadb7a
SHA512 6e823811227335e901282f8cc09321eb4f05c03673d80560dcf7b85f89bee9cdb24512866945e42ff678e5ff42b39239f411fbd890fdc20a5703f4c951a30c4c

C:\Users\Admin\AppData\Roaming\Logs\06-27-2024

MD5 e5660c56071e4186a216dd55eebb068f
SHA1 39b403d7462db5d21e88ca600808981aff497f71
SHA256 11f29ee7da9e5aec0239f55c3bd7ccf4815909b2868e16a6e1d19df6cd4ea1e0
SHA512 5cb5b6d42511d7b482f9087f3ba168fa275b56edf2d8af241dd540759ac0ffb1d2060326192cdc315297b08173bdf5889ae185db93311c876bcdde883f4fed6b

C:\Users\Admin\AppData\Local\Temp\dZt8Z7daahCU.bat

MD5 08eb33399308bcc71b6bb3e1ae59588f
SHA1 b5eb2be7fc55a01f85b61d5cbcc0b4fa7b2910bb
SHA256 a7cb053e2769f580d3595bee591bac3c0483238d970f259eeb9e06bc821d44a3
SHA512 530850c3a9dc810e9a2b0f82d7f68952bc55a8f5dc4ca88c801f82a09e6dcf07cc859ea93a2fdf075a8e982cbf80dd82dc384e390cbce459d4a07b2ae39c59d1

C:\Users\Admin\AppData\Roaming\Logs\06-27-2024

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\YBJ1En4WCUQ3.bat

MD5 783405b08bd903f199c8c36e7c624404
SHA1 1fb35905051defe834b35e512223ff1d30d175f9
SHA256 22a821a8feb9a7b59c07b5a49f963386bd8c7085f4f1eae05a3d7af58387cb83
SHA512 48f6dca3e760f3f32434b3cfa31b029a48135004c727c33147a1bdc9b628f1f254b9bfb1d9ef578dae5a54d9edd2fac39d93a655144550be1bb6e5564c0cc74e

C:\Users\Admin\AppData\Local\Temp\gtOWsZP0diUp.bat

MD5 f318782c2ea613b7e3d285603b0cc3f3
SHA1 a9d060a40790bda666b4e42dcad544befa98295a
SHA256 c403a1cbf073277a77541c28398d52afa277880b95deb22bef98b2a1215b6a15
SHA512 ed000c747ebfc312dacbc4653aee14b6b865b7ab4455a11af7568daf82a7cf6807445a6fb039ccc62772b5a945e2f1d0fa3198863ca2f4de93d1759a92e9b769

C:\Users\Admin\AppData\Roaming\Logs\06-27-2024

MD5 c15db8bfb722ab58c87fe122560a5d26
SHA1 5ba872c8cf065ca38698b68f1142527883e8815b
SHA256 b8d9e0e8cfbd4cadc9282d226050512ba5478742a7dab7fde9fc85019c72cf51
SHA512 58061d1a2b9390b6fb45c520f08f8664cf8203f1b2c354a8e7262b180c3e837fe0308d4dde6b38cc23ed04667ea8e017586fd63bccf1575ff027310098076972

C:\Users\Admin\AppData\Local\Temp\hachhZ4GTwm1.bat

MD5 3a54e4ed4b16f6857f10350ff92705ab
SHA1 6aa2f6a16aec6224390fa12774bc3b6b680d9a41
SHA256 18ca807f08d51ada674474a5a44482f619e0f39a7b6ac3c25bf74645b94abcfe
SHA512 2aa1e840a11e9504e1f9c9be9282664ed2697d76ac87067e21e63f6b28411d9f0f5fccb160936ccb629c72e84fda022d69cc3b75f1ba1601912d41bd78115ca6

C:\Users\Admin\AppData\Roaming\Logs\06-27-2024

MD5 46681b7c46814bb5265870380d543312
SHA1 fc32f3b1b70a2e0aeba0b5b753419ff86c3252c0
SHA256 bd1cd05f65f75e0fc627f9303ccecfda2ead380031f03a1c03cc5e81bd47fb43
SHA512 569b87bc97056ba32e7b7833894713b411fe2ae08c1592f4870685d3a666f75e756d7706f744589edf1a139d3cf7bfa188e97e0344e493dfaf66a3fd7e2c25f2

C:\Users\Admin\AppData\Local\Temp\V6RkdHUD3pZR.bat

MD5 db0396d23bf6060ddd30cb834099f387
SHA1 dcca428158c102f4525761c7e4d9dbf81f1c0f12
SHA256 93a1b6498b0a15c0e9beea5f85cf9d96bfcec32fd178a7b01a1fea1b3c114816
SHA512 a56519bdae3100f51d096f38cb400ab175736748d9c94ae15972b3378e3e4021eb42af56ed4686abe337dee21a597e08a00203c8ec08aeae125eea306df17c1e

C:\Users\Admin\AppData\Roaming\Logs\06-27-2024

MD5 cb19e88cfe0adcc17b92da93d8758e4a
SHA1 53aa18506bccfd81bc1f8e0de494d90f4df4807d
SHA256 47429e59f3eada5e00bba55a9766472752a4351534b7cd6bdab3ce8a5e77ee1f
SHA512 04cb2cb177ad9cc51949e0f6d1bf1766044a7795cbc8199e901e10bfef23cc5e5c8d53882789fc1d2592f4902a3c5fc583f6b2c693b583ba0932c7ec06e16417

C:\Users\Admin\AppData\Local\Temp\frWofdriDg1w.bat

MD5 17d5e84d453ea9e21864c4ac64a7d05a
SHA1 16545ae867d183da60b07555a4ab96e0f8e0f18e
SHA256 87bd7c9020255f219e6e8682a5eae47ce375b97547258935d9a15dcf32542dd7
SHA512 1638abedd1dd3a9606f11117db2537ad89849f2f5e04cd54f7acf3399db14b498acdff2c3409240f628585de511ffe8e213591448918b227130cb2f6ce810ad1

C:\Users\Admin\AppData\Roaming\Logs\06-27-2024

MD5 a762b7281fcd8450cf67a85e1d44fcd2
SHA1 35b1940fc5c9bd4b7adbd1b89aebbe9ddb39c10e
SHA256 7e624ba0faeecc249aca512da9cdffce4d80db5eee3b3a42bea5f8afbaf20c70
SHA512 c6ed649166065dc1f6aa30490abea80fde9745ebaca450576cde8604fabbaf4eaf341205de81fe0a66531b5a1639026dc07d45d072b4f3148b105f29da8629f0

C:\Users\Admin\AppData\Local\Temp\9pdT9loAfSL0.bat

MD5 55854d5bf464ec5496ebb081e4fcc1d7
SHA1 055253cab6c1ddc44162ed4eb99f80bcfcf93ca7
SHA256 cf9d6a0e486a4c8c8c0d0b927a731df651a35475c8b666b417556b4c65ea337d
SHA512 7e65ed6f661d3286e5e9fdf2b2227d3b5448a073c299d867c53cbc092013d9bbd638608c73b5b463278a3a93a592c6eaf72329921413f9fdc30f2e650b9921e9

C:\Users\Admin\AppData\Roaming\Logs\06-27-2024

MD5 5644ce3798c7c3ea263df114f526ae0b
SHA1 45306761b3bdca7f994e7fef5e01a3c7c23e2bac
SHA256 d325f8a03660245cdf61e61fc7798b1e502d7c8510344a6a0e8248eec997c3e2
SHA512 996c1dea812fc4e5dc9dd13ffbee5b13e70d2a4c5ab8da2864737f26c504a8ca9b115265b25351c61b7362c12754376edb836bbc4bf06897b437b3872929edf5

C:\Users\Admin\AppData\Local\Temp\G2pDWhEpiRE1.bat

MD5 c60d51d95a40b6230b5a6b98c8991d12
SHA1 ba442f96267d0ec8d0c1ae902182c49906bb4540
SHA256 513b100f4e8f0035422a785563d0931f9474b24104c1cc6f7acb91205f80238b
SHA512 c75b3652b0bdf60fb57425120044897004628185bd0896ba9a45f3387a0352e6f3c09f4ed21be5fbc64b735d55538d7992bd95b08c4a3cb4122b2853e321cfea

C:\Users\Admin\AppData\Roaming\Logs\06-27-2024

MD5 85151f4809cfdda628e5c5e36d59aee6
SHA1 78a5a8fafcc740288974c00edad22a1ed02c7d24
SHA256 4c16236ce7b433ec621a68ecf9d33bef69ac902493878232187027ea01c18bed
SHA512 c56c0aeb4bfd200f47b06532b81c8de962cdd42fc5da2cb53db17b07dd08bec156024181c33bf695fafb1bb247e9a3984c063708784620d1e7a1319887bdf42b

C:\Users\Admin\AppData\Local\Temp\WpXk8Xwxut4J.bat

MD5 f0fb9bb664273a1b7cca319e016b31c3
SHA1 711f754c71c63418a1d845ea7f77a312619f41be
SHA256 4a5d8edd85d9639fa32527d54b57c81c587f42c6a2e19575a7aa6d60c7ffbd14
SHA512 8cf67dff8e592b1f6fb32cce9bd89efb270a99c054ef95961c4ea8531bf0260b91e8059b2583cd76fee08b26d14852c6193f1546db51ec6eda028981b715026f

C:\Users\Admin\AppData\Local\Temp\eXcFmJHRL885.bat

MD5 01ec866292c09f17d328a6b870b98846
SHA1 6b04096bfa7a150c15d5fc70d37e5b71fea2da32
SHA256 19ab236292b0c881c3bd62c20749470fd82d50a3ef5cecd1fd48f39dc5b58dff
SHA512 8a2a9a8759f9ce924657526eb42d51527e3ff05d53aa62bd0136f9242b8021d40158907d34c314f3f48729b1265b66feae231cbab79dcc86a0f2133675b515c4

C:\Users\Admin\AppData\Local\Temp\3rKuz7GrpYcs.bat

MD5 ec9a788e9bc75ec831b8fca56225d4aa
SHA1 eaa5a309b6b780a9edfef1383e18085cf172dfeb
SHA256 c9106744c6e511af0c95bf4a3dbb504c3f59ac2ac12e594b457d5942083362f0
SHA512 d85ef6c5f7f6f2e915f156dc90e34049e829715e7ffd97248b11629565e119127581de7c90ae371b38bc62dff2483f6cd727b55d5b06d46f3924755a39e0ffe9