Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
688s -
max time network
692s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
07/11/2024, 16:07
General
-
Target
VaporWaveX2.1.rar
-
Size
72.5MB
-
MD5
c1b8933cfb2e489e8601d151bb291fb1
-
SHA1
fa62983e1a63940f55a25cd6f872b2f0206a94ad
-
SHA256
ffd1d3a0e43ff0ba827e83fccc2515392e2d08719338219d200b8a310c5acdb6
-
SHA512
e501a5a88047e0f974355c1a703303edba46c187c0c8bb24be6bcdaffc3c357923d982797cae82cd1f5c89fd8bb40391b0995093da9be18d428700b3a4a23eed
-
SSDEEP
1572864:OPWU7/Jq6WgiEaArvFfrdpT/3BTkwHmkuiH09i4h5gmIKTv6yjZOE:Oftq6W7A7xLTfBTgkuAjm5rz1OE
Score
10/10
Malware Config
Extracted
Family
quasar
Version
1.3.0.0
Botnet
general1
C2
servicehos.zapto.org:4444
Mutex
QSR_MUTEX_ksxWAP4ziOqMlreofU
Attributes
-
encryption_key
i9HUVkY4QNExDOHIMtIX
-
install_name
svchost.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
svchost
-
subdirectory
SubDir
Signatures
-
Quasar RAT 12 IoCs
Quasar is an open source Remote Access Tool.
-
Quasar family
-
Quasar payload 1 IoCs
-
Checks computer location settings 2 TTPs 64 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 64 IoCs
-
Looks up external IP address via web service 11 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 64 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 64 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Modifies registry class 1 IoCs
-
Runs ping.exe 1 TTPs 64 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of SetWindowsHookEx 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Program Files\7-Zip\7zFM.exe"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\VaporWaveX2.1.rar"1⤵
- Quasar RAT
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zO863B67F7\VaporWave2-1.exe"C:\Users\Admin\AppData\Local\Temp\7zO863B67F7\VaporWave2-1.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\7zO863B67F7\VaporWave2-1.exe" /rl HIGHEST /f3⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" /rl HIGHEST /f4⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fgcq2xrANJVV.bat" "4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\chcp.comchcp 650015⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost5⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" /rl HIGHEST /f6⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FmWApshI3nxX.bat" "6⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\chcp.comchcp 650017⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost7⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"7⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" /rl HIGHEST /f8⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jHjQBfRH6d9C.bat" "8⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\chcp.comchcp 650019⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost9⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
-
-
C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"9⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" /rl HIGHEST /f10⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hVES4Zjk16c4.bat" "10⤵
-
C:\Windows\SysWOW64\chcp.comchcp 6500111⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost11⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"11⤵
- Executes dropped EXE
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3792 -s 225210⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3948 -s 22168⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 768 -s 22086⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 684 -s 19764⤵
- Program crash
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\7zO8638E148\VaporWave2-1.exe"C:\Users\Admin\AppData\Local\Temp\7zO8638E148\VaporWave2-1.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\7zO8638E148\VaporWave2-1.exe" /rl HIGHEST /f3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" /rl HIGHEST /f4⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0GlNKftrj36w.bat" "4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\chcp.comchcp 650015⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost5⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" /rl HIGHEST /f6⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3GoxMhPkpGAb.bat" "6⤵
-
C:\Windows\SysWOW64\chcp.comchcp 650017⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost7⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2224 -s 22366⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3156 -s 22324⤵
- Program crash
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\7zO863C10B8\VaporWave2-1.exe"C:\Users\Admin\AppData\Local\Temp\7zO863C10B8\VaporWave2-1.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\7zO863077B8\VaporWave2-1.exe"C:\Users\Admin\AppData\Local\Temp\7zO863077B8\VaporWave2-1.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\7zO86380D88\VaporWave2-1.exe"C:\Users\Admin\AppData\Local\Temp\7zO86380D88\VaporWave2-1.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\7zO86380D88\VaporWave2-1.exe" /rl HIGHEST /f3⤵
-
-
C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" /rl HIGHEST /f4⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WcRtpUTMoxCx.bat" "4⤵
-
C:\Windows\SysWOW64\chcp.comchcp 650015⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost5⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" /rl HIGHEST /f6⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yBZvGjOmlsNH.bat" "6⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\chcp.comchcp 650017⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost7⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"7⤵
- Executes dropped EXE
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2604 -s 22326⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4048 -s 22364⤵
- Program crash
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\7zO8633F388\VaporWave2-1.exe"C:\Users\Admin\AppData\Local\Temp\7zO8633F388\VaporWave2-1.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\7zO863EF998\VaporWave2-1.exe"C:\Users\Admin\AppData\Local\Temp\7zO863EF998\VaporWave2-1.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\7zO863EF998\VaporWave2-1.exe" /rl HIGHEST /f3⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" /rl HIGHEST /f4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\A7gEMobxX92A.bat" "4⤵
-
C:\Windows\SysWOW64\chcp.comchcp 650015⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost5⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"5⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" /rl HIGHEST /f6⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uiv7YmZB7F2E.bat" "6⤵
-
C:\Windows\SysWOW64\chcp.comchcp 650017⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost7⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
-
-
C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"7⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" /rl HIGHEST /f8⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5YlhTKIRhz9I.bat" "8⤵
-
C:\Windows\SysWOW64\chcp.comchcp 650019⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost9⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"9⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" /rl HIGHEST /f10⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eZvVN3ooxavm.bat" "10⤵
-
C:\Windows\SysWOW64\chcp.comchcp 6500111⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost11⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"11⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" /rl HIGHEST /f12⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\foEH3iFbOq5Y.bat" "12⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\chcp.comchcp 6500113⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost13⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"13⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" /rl HIGHEST /f14⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9JQXPVzaRgHD.bat" "14⤵
-
C:\Windows\SysWOW64\chcp.comchcp 6500115⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost15⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"15⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" /rl HIGHEST /f16⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nyEBqpnYE2Ij.bat" "16⤵
-
C:\Windows\SysWOW64\chcp.comchcp 6500117⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost17⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"17⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" /rl HIGHEST /f18⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2Mw5PmTfvcxI.bat" "18⤵
-
C:\Windows\SysWOW64\chcp.comchcp 6500119⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost19⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"19⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" /rl HIGHEST /f20⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ex0ExuwsI5IF.bat" "20⤵
-
C:\Windows\SysWOW64\chcp.comchcp 6500121⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost21⤵
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"21⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" /rl HIGHEST /f22⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HzymeObY4Umc.bat" "22⤵
-
C:\Windows\SysWOW64\chcp.comchcp 6500123⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost23⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"23⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" /rl HIGHEST /f24⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SpoLZwKpeDsg.bat" "24⤵
-
C:\Windows\SysWOW64\chcp.comchcp 6500125⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost25⤵
-
-
C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"25⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" /rl HIGHEST /f26⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\glbqzXoSxrPp.bat" "26⤵
-
C:\Windows\SysWOW64\chcp.comchcp 6500127⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost27⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"27⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" /rl HIGHEST /f28⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PKYwExFXv2T0.bat" "28⤵
-
C:\Windows\SysWOW64\chcp.comchcp 6500129⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost29⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"29⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" /rl HIGHEST /f30⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tHfbi5BzNpo5.bat" "30⤵
-
C:\Windows\SysWOW64\chcp.comchcp 6500131⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost31⤵
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"31⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" /rl HIGHEST /f32⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Lj7LBfaC0lKA.bat" "32⤵
-
C:\Windows\SysWOW64\chcp.comchcp 6500133⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost33⤵
-
-
C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"33⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" /rl HIGHEST /f34⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EsZFfzIl7PLe.bat" "34⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\chcp.comchcp 6500135⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost35⤵
- System Location Discovery: System Language Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"35⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" /rl HIGHEST /f36⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Mha5mmrhBKlo.bat" "36⤵
-
C:\Windows\SysWOW64\chcp.comchcp 6500137⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost37⤵
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"37⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" /rl HIGHEST /f38⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\o83pFMFvoGIt.bat" "38⤵
-
C:\Windows\SysWOW64\chcp.comchcp 6500139⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost39⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"39⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" /rl HIGHEST /f40⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WWeVxcwYLTEe.bat" "40⤵
-
C:\Windows\SysWOW64\chcp.comchcp 6500141⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost41⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"41⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" /rl HIGHEST /f42⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qsFMCrbWemdR.bat" "42⤵
-
C:\Windows\SysWOW64\chcp.comchcp 6500143⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost43⤵
-
-
C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"43⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" /rl HIGHEST /f44⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\umh2aujkiuFF.bat" "44⤵
-
C:\Windows\SysWOW64\chcp.comchcp 6500145⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost45⤵
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"45⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" /rl HIGHEST /f46⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VwLp9VLIlWgk.bat" "46⤵
-
C:\Windows\SysWOW64\chcp.comchcp 6500147⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost47⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"47⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" /rl HIGHEST /f48⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kL4jiS2PS7LJ.bat" "48⤵
-
C:\Windows\SysWOW64\chcp.comchcp 6500149⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost49⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"49⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" /rl HIGHEST /f50⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\viytUeYCeuJx.bat" "50⤵
-
C:\Windows\SysWOW64\chcp.comchcp 6500151⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost51⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"51⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" /rl HIGHEST /f52⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pBFBCz8N0X6u.bat" "52⤵
-
C:\Windows\SysWOW64\chcp.comchcp 6500153⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost53⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"53⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" /rl HIGHEST /f54⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fOdrll2O2G53.bat" "54⤵
-
C:\Windows\SysWOW64\chcp.comchcp 6500155⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost55⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"55⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" /rl HIGHEST /f56⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\L0Vj6dfuvX7u.bat" "56⤵
-
C:\Windows\SysWOW64\chcp.comchcp 6500157⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost57⤵
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"57⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" /rl HIGHEST /f58⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\e71fvVEgMyjh.bat" "58⤵
-
C:\Windows\SysWOW64\chcp.comchcp 6500159⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost59⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"59⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" /rl HIGHEST /f60⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pUwphhkTXlhL.bat" "60⤵
-
C:\Windows\SysWOW64\chcp.comchcp 6500161⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost61⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"61⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" /rl HIGHEST /f62⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bgVlUjU93gza.bat" "62⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\chcp.comchcp 6500163⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost63⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"63⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" /rl HIGHEST /f64⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\q4Ef3gBGkHe8.bat" "64⤵
-
C:\Windows\SysWOW64\chcp.comchcp 6500165⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost65⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"65⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" /rl HIGHEST /f66⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Wg6XOYnndXg0.bat" "66⤵
-
C:\Windows\SysWOW64\chcp.comchcp 6500167⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost67⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"67⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" /rl HIGHEST /f68⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\h30iAkKapKee.bat" "68⤵
-
C:\Windows\SysWOW64\chcp.comchcp 6500169⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost69⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"69⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" /rl HIGHEST /f70⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IruKQrt3irL1.bat" "70⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\chcp.comchcp 6500171⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost71⤵
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"71⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" /rl HIGHEST /f72⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pv0uQ2assY69.bat" "72⤵
-
C:\Windows\SysWOW64\chcp.comchcp 6500173⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost73⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"73⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" /rl HIGHEST /f74⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cUK1WYNeYY8Y.bat" "74⤵
-
C:\Windows\SysWOW64\chcp.comchcp 6500175⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost75⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"75⤵
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" /rl HIGHEST /f76⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nrEBIktRjL5C.bat" "76⤵
-
C:\Windows\SysWOW64\chcp.comchcp 6500177⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost77⤵
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"77⤵
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" /rl HIGHEST /f78⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TT64edWxcb83.bat" "78⤵
-
C:\Windows\SysWOW64\chcp.comchcp 6500179⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost79⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"79⤵
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" /rl HIGHEST /f80⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3Y0NRYN6I6a6.bat" "80⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\chcp.comchcp 6500181⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost81⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"81⤵
- Checks computer location settings
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" /rl HIGHEST /f82⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\S6Kg538CjD3W.bat" "82⤵
-
C:\Windows\SysWOW64\chcp.comchcp 6500183⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost83⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"83⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" /rl HIGHEST /f84⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\R5YWLLUmJcQI.bat" "84⤵
-
C:\Windows\SysWOW64\chcp.comchcp 6500185⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost85⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"85⤵
- Checks computer location settings
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" /rl HIGHEST /f86⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZjFwuyJIvZi1.bat" "86⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\chcp.comchcp 6500187⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost87⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"87⤵
- Checks computer location settings
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" /rl HIGHEST /f88⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BJI5T6lVI13y.bat" "88⤵
-
C:\Windows\SysWOW64\chcp.comchcp 6500189⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost89⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"89⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" /rl HIGHEST /f90⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\72eJboRtXWdw.bat" "90⤵
-
C:\Windows\SysWOW64\chcp.comchcp 6500191⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost91⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"91⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" /rl HIGHEST /f92⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xE1yAaLuZGc5.bat" "92⤵
-
C:\Windows\SysWOW64\chcp.comchcp 6500193⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost93⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"93⤵
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" /rl HIGHEST /f94⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yTLkrFnh0Wls.bat" "94⤵
-
C:\Windows\SysWOW64\chcp.comchcp 6500195⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost95⤵
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"95⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" /rl HIGHEST /f96⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CgjEr1jMG9Jz.bat" "96⤵
-
C:\Windows\SysWOW64\chcp.comchcp 6500197⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost97⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"97⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" /rl HIGHEST /f98⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\umkvy5xxpNEl.bat" "98⤵
-
C:\Windows\SysWOW64\chcp.comchcp 6500199⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost99⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"99⤵
- Checks computer location settings
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" /rl HIGHEST /f100⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0ehXCMiMoOca.bat" "100⤵
-
C:\Windows\SysWOW64\chcp.comchcp 65001101⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost101⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"101⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" /rl HIGHEST /f102⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Q854lOH1LP7L.bat" "102⤵
-
C:\Windows\SysWOW64\chcp.comchcp 65001103⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost103⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"103⤵
- Checks computer location settings
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" /rl HIGHEST /f104⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1EzNXK891uZO.bat" "104⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\chcp.comchcp 65001105⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost105⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"105⤵
- Checks computer location settings
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" /rl HIGHEST /f106⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xUPCXhb4rS0w.bat" "106⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\chcp.comchcp 65001107⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost107⤵
- System Location Discovery: System Language Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"107⤵
- Checks computer location settings
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" /rl HIGHEST /f108⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\y0JxoWVtFhBh.bat" "108⤵
-
C:\Windows\SysWOW64\chcp.comchcp 65001109⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost109⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"109⤵
- Checks computer location settings
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" /rl HIGHEST /f110⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lLnbC3BONcrg.bat" "110⤵
-
C:\Windows\SysWOW64\chcp.comchcp 65001111⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost111⤵
- Runs ping.exe
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2384 -s 2228110⤵
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 224 -s 2216108⤵
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 2200106⤵
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4020 -s 2216104⤵
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3532 -s 2216102⤵
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1884 -s 1960100⤵
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1900 -s 222098⤵
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 960 -s 222496⤵
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1476 -s 219694⤵
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1704 -s 225692⤵
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3868 -s 221290⤵
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3192 -s 222088⤵
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3732 -s 220086⤵
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1052 -s 225284⤵
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1248 -s 222082⤵
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1448 -s 219680⤵
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3112 -s 221278⤵
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 812 -s 96076⤵
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1676 -s 221274⤵
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2452 -s 222472⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4104 -s 222070⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1820 -s 221668⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5012 -s 220066⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4580 -s 198064⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4388 -s 217662⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2968 -s 223260⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2520 -s 224058⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2260 -s 96856⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4872 -s 226054⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3164 -s 221652⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1212 -s 196850⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1556 -s 221648⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 776 -s 221246⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4248 -s 221244⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1868 -s 222442⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2604 -s 222040⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3728 -s 222038⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3276 -s 221236⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4500 -s 220834⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5048 -s 191632⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2840 -s 220030⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1088 -s 220428⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2592 -s 219626⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3188 -s 223224⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1396 -s 220022⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4260 -s 226020⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1936 -s 221618⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 180 -s 222016⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4708 -s 222814⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2736 -s 222812⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4964 -s 223610⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4688 -s 22168⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1504 -s 22366⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2992 -s 22524⤵
- Program crash
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\7zO863FFC98\VaporWave2-1.exe"C:\Users\Admin\AppData\Local\Temp\7zO863FFC98\VaporWave2-1.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\7zO86310398\VaporWave2-1.exe"C:\Users\Admin\AppData\Local\Temp\7zO86310398\VaporWave2-1.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\7zO8630A698\VaporWave2-1.exe"C:\Users\Admin\AppData\Local\Temp\7zO8630A698\VaporWave2-1.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\7zO8630A698\VaporWave2-1.exe" /rl HIGHEST /f3⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" /rl HIGHEST /f4⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\moKKgS2CySV6.bat" "4⤵
-
C:\Windows\SysWOW64\chcp.comchcp 650015⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost5⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" /rl HIGHEST /f6⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZztGSUmtUOnL.bat" "6⤵
-
C:\Windows\SysWOW64\chcp.comchcp 650017⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost7⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" /rl HIGHEST /f8⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8134MDHGkzao.bat" "8⤵
-
C:\Windows\SysWOW64\chcp.comchcp 650019⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost9⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"9⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" /rl HIGHEST /f10⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EKv6ioE87x64.bat" "10⤵
-
C:\Windows\SysWOW64\chcp.comchcp 6500111⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost11⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"11⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" /rl HIGHEST /f12⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fpJcHroneybp.bat" "12⤵
-
C:\Windows\SysWOW64\chcp.comchcp 6500113⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost13⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"13⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" /rl HIGHEST /f14⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2kooBUQb49X5.bat" "14⤵
-
C:\Windows\SysWOW64\chcp.comchcp 6500115⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost15⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"15⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" /rl HIGHEST /f16⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nsdE5JpWABAl.bat" "16⤵
-
C:\Windows\SysWOW64\chcp.comchcp 6500117⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost17⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"17⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" /rl HIGHEST /f18⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3QGqGmRSUlD3.bat" "18⤵
-
C:\Windows\SysWOW64\chcp.comchcp 6500119⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost19⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"19⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" /rl HIGHEST /f20⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QMl1AQ3GuwAK.bat" "20⤵
-
C:\Windows\SysWOW64\chcp.comchcp 6500121⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost21⤵
-
-
C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"21⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" /rl HIGHEST /f22⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ekUvjNjNbWps.bat" "22⤵
-
C:\Windows\SysWOW64\chcp.comchcp 6500123⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost23⤵
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"23⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" /rl HIGHEST /f24⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\h3XDIEWvSheE.bat" "24⤵
-
C:\Windows\SysWOW64\chcp.comchcp 6500125⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost25⤵
-
-
C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"25⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" /rl HIGHEST /f26⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\G4h1Cx2IiIQh.bat" "26⤵
-
C:\Windows\SysWOW64\chcp.comchcp 6500127⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost27⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"27⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" /rl HIGHEST /f28⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\azNUJqUoceg4.bat" "28⤵
-
C:\Windows\SysWOW64\chcp.comchcp 6500129⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost29⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"29⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" /rl HIGHEST /f30⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jr8qKrOW7Tko.bat" "30⤵
-
C:\Windows\SysWOW64\chcp.comchcp 6500131⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost31⤵
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"31⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" /rl HIGHEST /f32⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GwEQK25KHAVw.bat" "32⤵
-
C:\Windows\SysWOW64\chcp.comchcp 6500133⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost33⤵
-
-
C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"33⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" /rl HIGHEST /f34⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OkFGRqeHL6u7.bat" "34⤵
-
C:\Windows\SysWOW64\chcp.comchcp 6500135⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost35⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"35⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" /rl HIGHEST /f36⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6JBMhG5MKGyI.bat" "36⤵
-
C:\Windows\SysWOW64\chcp.comchcp 6500137⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost37⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"37⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" /rl HIGHEST /f38⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\H80vbopdu05N.bat" "38⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\chcp.comchcp 6500139⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost39⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"39⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" /rl HIGHEST /f40⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9qYQwmKichxQ.bat" "40⤵
-
C:\Windows\SysWOW64\chcp.comchcp 6500141⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost41⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"41⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" /rl HIGHEST /f42⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\u438pGGq3iDL.bat" "42⤵
-
C:\Windows\SysWOW64\chcp.comchcp 6500143⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost43⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"43⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" /rl HIGHEST /f44⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ysFEAJfTbqwb.bat" "44⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\chcp.comchcp 6500145⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost45⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"45⤵
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1404 -s 222444⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5064 -s 111242⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2356 -s 222440⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4700 -s 222438⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4552 -s 221636⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3884 -s 223634⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4164 -s 222032⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 400 -s 222030⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2960 -s 223228⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4312 -s 220826⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1388 -s 220024⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3548 -s 224422⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5032 -s 220820⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2304 -s 222818⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3632 -s 217216⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5052 -s 225214⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2396 -s 222412⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4048 -s 195610⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1664 -s 22048⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1316 -s 22326⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 680 -s 22244⤵
- Program crash
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\7zO86358FE8\VaporWave2-1.exe"C:\Users\Admin\AppData\Local\Temp\7zO86358FE8\VaporWave2-1.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\7zO863500E8\VaporWave2-1.exe"C:\Users\Admin\AppData\Local\Temp\7zO863500E8\VaporWave2-1.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\7zO863565E8\VaporWave2-1.exe"C:\Users\Admin\AppData\Local\Temp\7zO863565E8\VaporWave2-1.exe"2⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 684 -ip 6841⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 768 -ip 7681⤵
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\ur a skid.txt1⤵
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3948 -ip 39481⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3156 -ip 31561⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3792 -ip 37921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2224 -ip 22241⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4048 -ip 40481⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2992 -ip 29921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 680 -ip 6801⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2604 -ip 26041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1504 -ip 15041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1316 -ip 13161⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4688 -ip 46881⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1664 -ip 16641⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4964 -ip 49641⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4048 -ip 40481⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2736 -ip 27361⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2396 -ip 23961⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4708 -ip 47081⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 5052 -ip 50521⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 180 -ip 1801⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3632 -ip 36321⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1936 -ip 19361⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2304 -ip 23041⤵
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /71⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4260 -ip 42601⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 5032 -ip 50321⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 1396 -ip 13961⤵
-
C:\Windows\System32\ip2t47.exe"C:\Windows\System32\ip2t47.exe"1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 3548 -ip 35481⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 3188 -ip 31881⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1388 -ip 13881⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 2592 -ip 25921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4312 -ip 43121⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1088 -ip 10881⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2960 -ip 29601⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2840 -ip 28401⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 400 -ip 4001⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 5048 -ip 50481⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4164 -ip 41641⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4500 -ip 45001⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3884 -ip 38841⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3276 -ip 32761⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 4552 -ip 45521⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3728 -ip 37281⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 4700 -ip 47001⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2604 -ip 26041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2356 -ip 23561⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1868 -ip 18681⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 5064 -ip 50641⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4248 -ip 42481⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1404 -ip 14041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 776 -ip 7761⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 1556 -ip 15561⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1212 -ip 12121⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 3164 -ip 31641⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4872 -ip 48721⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2260 -ip 22601⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 2520 -ip 25201⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2968 -ip 29681⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4388 -ip 43881⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4580 -ip 45801⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 5012 -ip 50121⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1820 -ip 18201⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4104 -ip 41041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2452 -ip 24521⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1676 -ip 16761⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 812 -ip 8121⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3112 -ip 31121⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1448 -ip 14481⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1248 -ip 12481⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1052 -ip 10521⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 3732 -ip 37321⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 3192 -ip 31921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3868 -ip 38681⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 1704 -ip 17041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1476 -ip 14761⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 960 -ip 9601⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1900 -ip 19001⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1884 -ip 18841⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3532 -ip 35321⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4020 -ip 40201⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 1708 -ip 17081⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 224 -ip 2241⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2384 -ip 23841⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD510eab9c2684febb5327b6976f2047587
SHA1a12ed54146a7f5c4c580416aecb899549712449e
SHA256f49dbd55029bfbc15134f7c6a4f967d6c39142c63f2e8f1f8c78fab108a2c928
SHA5127e5fd90fffae723bd0c662a90e0730b507805f072771ee673d1d8c262dbf60c8a03ba5fe088f699a97c2e886380de158b2ccd59ee62e3d012dd6dd14ea9d0e50
-
Filesize
701B
MD55de8527438c860bfa3140dc420a03e52
SHA1235af682986b3292f20d8d71a8671353f5d6e16d
SHA256d9d92cd6e7a4507912965138b8d1eabb3f188f4dfcb61115ee99dc2c0fd43a92
SHA51277c3a774a2235c55ad520f1bf0c71fa3d3f0e7cf478a78e0d4dd6d253ee12a9859acc9ee822664467387788a2655a18373c8fcf08ea0d001549d3d4391b00bf8
-
Filesize
208B
MD59bcf210785e3770e10b0be2d6189763f
SHA16bd9e868796c99002b9cba61687112b860c1beff
SHA2562fc3ae5c8c4b1efa651018b4038a9524ef17de1bbecfd4ed89895a24ee99245a
SHA5129f020dd9f3e0c4003eeb14baae6a73c2e1820366cef05f1a551597a9c63cf574447e8bdde3b905966dba53e1734ed141554f3f0e34f2c77620c6297eac1f66b1
-
Filesize
208B
MD5a1358b8d33679c4fb9e5f33e9ff560a9
SHA1f960ac37959b7ad70dcdb48cee53dceb0b73c7f4
SHA256927836e7d20b7617320c785f301beee56088feb666346410ea529b0184f9f362
SHA51285620d5d905d57dca358134cf8568acb9e208114913da090d54628519eeb4da42b262a6875b5e3c90febb486bdcb6fcf61d3a1a1514a457d714c46cba8397b12
-
Filesize
208B
MD52469b4312bf74e25fe710efaca7fcec4
SHA122218db94726a9abbea7a822a2e7aa3a6ad441b2
SHA2564b1b770a11b9539e090b5c365eae0e57e9197005435038c1815f1a4f328f2007
SHA512c73c64b26c03fa9bf4beb9fae727fccd66c594c3b6ae65bf09723abfd395cfb3181a3b0c6d1b31c610ff47488f3c8f52211b1aa930c78c5fc191a760b343194b
-
Filesize
208B
MD551808e86fb31c5eed37dcdd3315b8de9
SHA116946188601e19bba017de3cb554dcdc9a5d2217
SHA2564bb5882a1083c82da18fa69051901785d9f81a86dd7923b3112032eda3652f1c
SHA51261e8af8d67f6d164684059fcb6c872f3434beb34bbf12f99b859097234ef0df59f76f9c1064dda59fcf73289bfd49465dbdf983ae84f792b4a84dd9073fcc6bb
-
Filesize
208B
MD5a25d67c4707b6e07bc4977215da1ef0d
SHA13f460f81e4cd59926c01e5ce75b8f96bbb319d9c
SHA256a268e577908155866e0c90735554788d7d9ce2aa1eb84ee1ab46345e6f852846
SHA512f3f18c2db0441f749bb37b1554196ee7ef03299264bed8f0bb3b09f3e9b07b52207a6fefc9940fa9a080d1a87131b25319a196f4eb573237abaae1bd2ce7ac26
-
Filesize
208B
MD5a8dd47e3420c7fbc5c998bf4790a3074
SHA15409af543788ef86383545891361ef50b83011f6
SHA25684a13c0f09e1dac6f98459c07fb1e82b5ca939ccd1c8db827500ecda88adee01
SHA5120454d8581e481651cecaf0c76d8799c2f32afabec26531859b3e993d8865b77e29a97ebcf36497e397c330acfe648ca97a86c7dcfc400cbb245c1616d234855a
-
Filesize
208B
MD581389779a7a53cac73877aaa15e8de4c
SHA1500cf7fa51bb779e86494dfdb9cab56fefd5eba3
SHA25680d5f4eaffbf6b845a6c4f8888135568c22df5c196dcdd066549252e41f56134
SHA51270458a5391f40493ba1e33e6fe2dda74647dd5bc1826a9e31a8209187cbe9a0706728e58cc023767f613f05cba02a4f4a54cc165dd70db2c1d4e4d48489776a9
-
Filesize
208B
MD564b7c2d604ee3b6d78750f3bafab5c38
SHA1e3c3adb7349e7b7fef346d467cf0a5b55aabb7d8
SHA256bbb7bc5a76ea25b78c99cfac669cd50b743cb65dcdbf2a09e730ece9fc350233
SHA512eb674d5478c70b5305f2b9305564c3119b14d4ff0a196f29093af7c5b8e684b107b0a3a112eefb0fd87e01b1a19e9ed9b4d5a8578f3409c5d5888b6127d9e773
-
Filesize
208B
MD5705847f3d461dbf1b7c883ea41015071
SHA15ceea492434d711e80b6d79c93d57d63bc214e56
SHA25619ad78f40582910bd3ee67d84df538e77b46ec5b0744f761298230ff42ed970e
SHA5123f789b0407d885147c452aec43ce2dcc574828340919296a82679f5002adc3449c7c96c3262e6cf4eff865b9716c9cd92c852055cb2c739c085a9d28ce8b9cf5
-
Filesize
208B
MD52a8edadbba4290e809a0a88dcd832a46
SHA1a5d6f66400b1c5654ede6a3e01274e00561a9c7d
SHA25616f67c6d8bee9f7a7b1d24ec2a9a3e2b3d36e6d059c26b090b2e614cffd55fd7
SHA512d6551ee68f62444da45af62525dfcc13a4202d0b22bf50a2f2eff1fd99f92fb1b9a320133c12cd23b84a135cd37cc876d16754a0ffa3ea202744af581c7b5c6d
-
Filesize
224B
MD5e13ab6d6f781a59b97e6f45d21a6f310
SHA1d5cdaea2d63697e3b91780d3343f3217066fda03
SHA256baaf5c264312434e4aff3edccbe696f558f26b4156e8c8509e991389ea268344
SHA51265a8c0fc006736b7c3ceb456d36de4c0571a760da5da2b798d311e0b23d77bb58c8acd11d2c7a1067bbe6c42303e1f062dd8a88e605f1355dc34611846956d16
-
Filesize
224B
MD58d77d8ddbed5ddcb08b61159e7df8d3f
SHA1109b7085808169109e39c6074fff2452aab26384
SHA256c4cfa6b990d50fe1c1c7c8657a3b6179e15508b397848684cd55db36f6cc1000
SHA5125a22a6414e66235d28578ac76193c38ab73b88f6e5366f3718813be21dba459d517b3ff455d1936a67bf0d462b9d3d2f82610de5aefd9107ad675516969af619
-
Filesize
224B
MD57eeb7719f687a72a349517f338652bd8
SHA1eb956280ccc8725a0387dc24000c027786c1f547
SHA25673aa857c5a23be558230722696336a67daa273cac24ca5ad6259b502bd9eb076
SHA51292ffd50352f18150d7a924d649393242e417c0fe967716b62be1e652d6a45fd2c2d7d17c6f510c5763c580099c01d05a2c0594f6dacd8bd42146e2343275ca1e
-
Filesize
224B
MD57892f6f186a9e7ada74888d6f79f1c39
SHA10d99b9ac9feae24f275910a9430a148b9285cf95
SHA2566349e776c02c2a0dc61e0bd4959167559fbd79fe271effd2e43a0edd07483702
SHA512275193c3e0d6327572bfd47277a0691e62034dd33728608ddcad85c791ea9a4b33680d7f78ea9c8cf124040de95d519f7af12c39986df6172af970b5d202dcf9
-
Filesize
224B
MD5466303d53f5f686d74476d9b01114d86
SHA1216b86377af06b516f23a934c2e056ba0911c16a
SHA25683683e03caa1cb95f8d3cb7a9505bacead032bad6e5ba1d5b0e560de7bb87a29
SHA512477286f4e3da825a3f84b4ed236b9db58d7e4f0da2a26575222d7dee3fadbd5de27f20c7f8cf82e33ed56dc8ccc9b321b8ff7323697c1700145621fcc14bfd9b
-
Filesize
224B
MD5d8d1b665f25f2b24fe905a322c73abbb
SHA11ded7a161bb2877a0608cfef51751b66aea6afbb
SHA256378ea49952997086c6b0c44189864557ab5cb83d0f8d3b6fbb87269a15d7fff2
SHA5125a0ad6c019eff79b7c9543f10fb0a126b66ee7ff6a9d45274ae9bef8179530dd9617ae219aeb57a1d699f711850b2204f122fca506d96afe78c36ecf613cde2b
-
Filesize
224B
MD5ff77fadb802a9770602b3114a338fd52
SHA1ac3d845f8ac07c7e7507849422a5ac8d74ef8460
SHA256738adc090382224b58a1f79e2fd40690883c9f72247655c42d6f2a502e372a77
SHA5127fabe18919cd87927d8d11e4ab264b00361778148a377d2f67d96cc5d23ef67327ae236c1bf35858f2506710dccc7a137804316dce89867acf18cb2035dfae5d
-
Filesize
224B
MD5748121da7702d495a7b839e5f23f0fff
SHA1bc6b60fa1f68d0b3302693d105b194378757c4f9
SHA2561956ba29dc792d2679fdb5ec4f0690b7dffae9993529520a4ea2e768348bd461
SHA5120249d4a61eb52e5004e54c979ceb1e1f4e88da01d86ea318abb8996dc196bb31471f15caabb802360cb691135700a223fbeed2b4565f47190aaf27bd66d9667c
-
Filesize
224B
MD59808b0860a35d7a066ab6c3520ab160e
SHA1e9c93d2d7d000df33e3b4b7ef922558b43c02843
SHA256900f1954c229b25f8a88bdc5f2755df57cd09b88430df5fbe1597d29f8123132
SHA5124547ab79db7b27d7466d242ecfa658892d25357f6c186ade7a24ca2204646e5d884fb6ab79736b80a5469360f83428544419277326a4c3d04fb2d3bd3d2c18ee
-
Filesize
40KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
72KB
-
Filesize
4KB
-
Filesize
376KB
-
Filesize
5.6MB
-
Filesize
584KB
-
Filesize
7.7MB
-
Filesize
408KB
-
Filesize
240KB
-
Filesize
7.7MB