Analysis Overview
SHA256
e2aac5fb4c3889bf916a1938cd3006dd3143e80774fa55ab0ffe25c88387dd9d
Threat Level: Known bad
The file Loader.exe was found to be: Known bad.
Malicious Activity Summary
Quasar RAT
Detect Xworm Payload
Quasar payload
Quasar family
A stealer written in Python and packaged with Pyinstaller
Blankgrabber family
Xworm
AsyncRat
Async RAT payload
Command and Scripting Interpreter: PowerShell
Checks computer location settings
Executes dropped EXE
Looks up external IP address via web service
Unsigned PE
Program crash
Enumerates physical storage devices
Scheduled Task/Job: Scheduled Task
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-27 13:30
Signatures
A stealer written in Python and packaged with Pyinstaller
Blankgrabber family
Quasar family
Quasar payload
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-27 13:30
Reported
2024-06-27 13:47
Platform
win10v2004-20240508-en
Max time kernel
1047s
Max time network
1051s
Signatures
AsyncRat
Detect Xworm Payload
Quasar RAT
Quasar payload
Xworm
Async RAT payload
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Part 2.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\explorer.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Part 4.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Loader.exe | N/A |
Executes dropped EXE
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Enumerates physical storage devices
Program crash
Runs ping.exe
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
C:\Users\Admin\AppData\Local\Temp\explorer.exe
"C:\Users\Admin\AppData\Local\Temp\explorer.exe"
C:\Users\Admin\AppData\Local\Temp\Part 1.exe
"C:\Users\Admin\AppData\Local\Temp\Part 1.exe"
C:\Users\Admin\AppData\Local\Temp\Part 2.exe
"C:\Users\Admin\AppData\Local\Temp\Part 2.exe"
C:\Users\Admin\AppData\Local\Temp\Part 3.exe
"C:\Users\Admin\AppData\Local\Temp\Part 3.exe"
C:\Users\Admin\AppData\Local\Temp\Part 4.exe
"C:\Users\Admin\AppData\Local\Temp\Part 4.exe"
C:\Users\Admin\AppData\Local\Temp\Windows PowerShell.exe
"C:\Users\Admin\AppData\Local\Temp\Windows PowerShell.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Part 1.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Part 4.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Part 4.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Part 1.exe'
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "$77STARTUP~MSF" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Part 2.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hI8lJN5gZi9c.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4472 -ip 4472
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4472 -s 1956
C:\Users\Admin\AppData\Local\Temp\Part 2.exe
"C:\Users\Admin\AppData\Local\Temp\Part 2.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "$77STARTUP~MSF" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Part 2.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TssbLXg53huh.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2568 -ip 2568
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2568 -s 1648
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\Part 2.exe
"C:\Users\Admin\AppData\Local\Temp\Part 2.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "$77STARTUP~MSF" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Part 2.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5ovnZz7ICP2g.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3752 -ip 3752
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3752 -s 1096
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\Part 2.exe
"C:\Users\Admin\AppData\Local\Temp\Part 2.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "$77STARTUP~MSF" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Part 2.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VgUDNAYfhU1H.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1988 -ip 1988
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1988 -s 1648
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\Part 2.exe
"C:\Users\Admin\AppData\Local\Temp\Part 2.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "$77STARTUP~MSF" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Part 2.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KH2mC5JNiHTH.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1468 -ip 1468
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1468 -s 2168
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\Part 2.exe
"C:\Users\Admin\AppData\Local\Temp\Part 2.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "$77STARTUP~MSF" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Part 2.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dZt8Z7daahCU.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3572 -ip 3572
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3572 -s 2196
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\Part 2.exe
"C:\Users\Admin\AppData\Local\Temp\Part 2.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "$77STARTUP~MSF" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Part 2.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YBJ1En4WCUQ3.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4496 -ip 4496
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4496 -s 1712
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\Part 2.exe
"C:\Users\Admin\AppData\Local\Temp\Part 2.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "$77STARTUP~MSF" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Part 2.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gtOWsZP0diUp.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1264 -ip 1264
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1264 -s 2252
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\Part 2.exe
"C:\Users\Admin\AppData\Local\Temp\Part 2.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "$77STARTUP~MSF" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Part 2.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hachhZ4GTwm1.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1360 -ip 1360
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1360 -s 1652
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\Part 2.exe
"C:\Users\Admin\AppData\Local\Temp\Part 2.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "$77STARTUP~MSF" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Part 2.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\V6RkdHUD3pZR.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 756 -ip 756
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 756 -s 1084
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\Part 2.exe
"C:\Users\Admin\AppData\Local\Temp\Part 2.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "$77STARTUP~MSF" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Part 2.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\frWofdriDg1w.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3980 -ip 3980
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3980 -s 1096
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\Part 2.exe
"C:\Users\Admin\AppData\Local\Temp\Part 2.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "$77STARTUP~MSF" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Part 2.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9pdT9loAfSL0.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 5084 -ip 5084
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5084 -s 1100
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\Part 2.exe
"C:\Users\Admin\AppData\Local\Temp\Part 2.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "$77STARTUP~MSF" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Part 2.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\G2pDWhEpiRE1.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 3560 -ip 3560
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3560 -s 1096
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\Part 2.exe
"C:\Users\Admin\AppData\Local\Temp\Part 2.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "$77STARTUP~MSF" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Part 2.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WpXk8Xwxut4J.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 3792 -ip 3792
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3792 -s 1096
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\Part 2.exe
"C:\Users\Admin\AppData\Local\Temp\Part 2.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "$77STARTUP~MSF" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Part 2.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eXcFmJHRL885.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 1504 -ip 1504
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1504 -s 2236
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\Part 2.exe
"C:\Users\Admin\AppData\Local\Temp\Part 2.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "$77STARTUP~MSF" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Part 2.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3rKuz7GrpYcs.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 3112 -ip 3112
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3112 -s 1096
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\Part 2.exe
"C:\Users\Admin\AppData\Local\Temp\Part 2.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "$77STARTUP~MSF" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Part 2.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zTkndnimQMqR.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3408 -ip 3408
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3408 -s 1716
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\Part 2.exe
"C:\Users\Admin\AppData\Local\Temp\Part 2.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "$77STARTUP~MSF" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Part 2.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PrCyio3yLgzn.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 2616 -ip 2616
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2616 -s 1720
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\Part 2.exe
"C:\Users\Admin\AppData\Local\Temp\Part 2.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "$77STARTUP~MSF" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Part 2.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gfuVKel6W8p6.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 4628 -ip 4628
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4628 -s 1100
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\Part 2.exe
"C:\Users\Admin\AppData\Local\Temp\Part 2.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "$77STARTUP~MSF" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Part 2.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qQzZMz9bgzGa.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 876 -ip 876
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 876 -s 2200
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\Part 2.exe
"C:\Users\Admin\AppData\Local\Temp\Part 2.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "$77STARTUP~MSF" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Part 2.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MsG3bKh8pjUZ.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 1084 -ip 1084
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1084 -s 2200
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\Part 2.exe
"C:\Users\Admin\AppData\Local\Temp\Part 2.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "$77STARTUP~MSF" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Part 2.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7t9817raI3lr.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 2288 -ip 2288
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2288 -s 1656
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | finally-grande.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | super-nearest.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | i.ibb.co | udp |
| US | 8.8.8.8:53 | best-bird.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | stop-largely.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | finally-grande.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | stop-largely.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | i.ibb.co | udp |
| US | 8.8.8.8:53 | best-bird.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | finally-grande.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | i.ibb.co | udp |
| US | 8.8.8.8:53 | best-bird.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | i.ibb.co | udp |
| US | 8.8.8.8:53 | finally-grande.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | i.ibb.co | udp |
Files