Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
146s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
-
submitted
03/10/2022, 18:41
General
-
Target
fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd56.exe
-
Size
509KB
-
MD5
56e52149b4259610a4d13d8b5d5eebc0
-
SHA1
0d5ef726dc70c2042d40eab6fc9a0190277e7b4b
-
SHA256
fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd56
-
SHA512
e3d99ac7f93196eddfd16dd2e321cbd21b2f506c467fbc16467de1172fb8fabc43058542899150d20880a94d4be8c06c203f4e85bd5dca2033773e9e772a8299
-
SSDEEP
12288:gbXvc2NgoQLebpdCxYIROscqKHmRMX+X1yEwYQg:2fyqpdMYIqHsMaEEwYQg
Score
10/10
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs
-
UAC bypass 3 TTPs 64 IoCs
-
Executes dropped EXE 3 IoCs
-
Modifies extensions of user files 3 IoCs
Ransomware generally changes the extension on encrypted files.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL 26 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 5 IoCs
-
Drops file in System32 directory 2 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry key 1 TTPs 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd56.exe"C:\Users\Admin\AppData\Local\Temp\fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd56.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\GuwgsIcA\gCIQAgAI.exe"C:\Users\Admin\GuwgsIcA\gCIQAgAI.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
-
-
C:\ProgramData\pKAkEUoA\XMoYYkUs.exe"C:\ProgramData\pKAkEUoA\XMoYYkUs.exe"2⤵
- Executes dropped EXE
- Modifies extensions of user files
- Checks computer location settings
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
-
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd56"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd56.exeC:\Users\Admin\AppData\Local\Temp\fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd563⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd56"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd56.exeC:\Users\Admin\AppData\Local\Temp\fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd565⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd56"6⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd56.exeC:\Users\Admin\AppData\Local\Temp\fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd567⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd56"8⤵
-
C:\Users\Admin\AppData\Local\Temp\fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd56.exeC:\Users\Admin\AppData\Local\Temp\fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd569⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd56"10⤵
-
C:\Users\Admin\AppData\Local\Temp\fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd56.exeC:\Users\Admin\AppData\Local\Temp\fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd5611⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd56"12⤵
-
C:\Users\Admin\AppData\Local\Temp\fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd56.exeC:\Users\Admin\AppData\Local\Temp\fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd5613⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd56"14⤵
-
C:\Users\Admin\AppData\Local\Temp\fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd56.exeC:\Users\Admin\AppData\Local\Temp\fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd5615⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd56"16⤵
-
C:\Users\Admin\AppData\Local\Temp\fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd56.exeC:\Users\Admin\AppData\Local\Temp\fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd5617⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd56"18⤵
-
C:\Users\Admin\AppData\Local\Temp\fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd56.exeC:\Users\Admin\AppData\Local\Temp\fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd5619⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd56"20⤵
-
C:\Users\Admin\AppData\Local\Temp\fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd56.exeC:\Users\Admin\AppData\Local\Temp\fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd5621⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd56"22⤵
-
C:\Users\Admin\AppData\Local\Temp\fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd56.exeC:\Users\Admin\AppData\Local\Temp\fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd5623⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd56"24⤵
-
C:\Users\Admin\AppData\Local\Temp\fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd56.exeC:\Users\Admin\AppData\Local\Temp\fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd5625⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd56"26⤵
-
C:\Users\Admin\AppData\Local\Temp\fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd56.exeC:\Users\Admin\AppData\Local\Temp\fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd5627⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd56"28⤵
-
C:\Users\Admin\AppData\Local\Temp\fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd56.exeC:\Users\Admin\AppData\Local\Temp\fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd5629⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd56"30⤵
-
C:\Users\Admin\AppData\Local\Temp\fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd56.exeC:\Users\Admin\AppData\Local\Temp\fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd5631⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd56"32⤵
-
C:\Users\Admin\AppData\Local\Temp\fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd56.exeC:\Users\Admin\AppData\Local\Temp\fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd5633⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd56"34⤵
-
C:\Users\Admin\AppData\Local\Temp\fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd56.exeC:\Users\Admin\AppData\Local\Temp\fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd5635⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd56"36⤵
-
C:\Users\Admin\AppData\Local\Temp\fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd56.exeC:\Users\Admin\AppData\Local\Temp\fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd5637⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd56"38⤵
-
C:\Users\Admin\AppData\Local\Temp\fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd56.exeC:\Users\Admin\AppData\Local\Temp\fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd5639⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd56"40⤵
-
C:\Users\Admin\AppData\Local\Temp\fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd56.exeC:\Users\Admin\AppData\Local\Temp\fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd5641⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd56"42⤵
-
C:\Users\Admin\AppData\Local\Temp\fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd56.exeC:\Users\Admin\AppData\Local\Temp\fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd5643⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd56"44⤵
-
C:\Users\Admin\AppData\Local\Temp\fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd56.exeC:\Users\Admin\AppData\Local\Temp\fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd5645⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd56"46⤵
-
C:\Users\Admin\AppData\Local\Temp\fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd56.exeC:\Users\Admin\AppData\Local\Temp\fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd5647⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd56"48⤵
-
C:\Users\Admin\AppData\Local\Temp\fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd56.exeC:\Users\Admin\AppData\Local\Temp\fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd5649⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd56"50⤵
-
C:\Users\Admin\AppData\Local\Temp\fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd56.exeC:\Users\Admin\AppData\Local\Temp\fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd5651⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd56"52⤵
-
C:\Users\Admin\AppData\Local\Temp\fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd56.exeC:\Users\Admin\AppData\Local\Temp\fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd5653⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd56"54⤵
-
C:\Users\Admin\AppData\Local\Temp\fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd56.exeC:\Users\Admin\AppData\Local\Temp\fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd5655⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd56"56⤵
-
C:\Users\Admin\AppData\Local\Temp\fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd56.exeC:\Users\Admin\AppData\Local\Temp\fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd5657⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd56"58⤵
-
C:\Users\Admin\AppData\Local\Temp\fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd56.exeC:\Users\Admin\AppData\Local\Temp\fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd5659⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd56"60⤵
-
C:\Users\Admin\AppData\Local\Temp\fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd56.exeC:\Users\Admin\AppData\Local\Temp\fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd5661⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd56"62⤵
-
C:\Users\Admin\AppData\Local\Temp\fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd56.exeC:\Users\Admin\AppData\Local\Temp\fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd5663⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd56"64⤵
-
C:\Users\Admin\AppData\Local\Temp\fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd56.exeC:\Users\Admin\AppData\Local\Temp\fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd5665⤵
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd56"66⤵
-
C:\Users\Admin\AppData\Local\Temp\fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd56.exeC:\Users\Admin\AppData\Local\Temp\fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd5667⤵
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd56"68⤵
-
C:\Users\Admin\AppData\Local\Temp\fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd56.exeC:\Users\Admin\AppData\Local\Temp\fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd5669⤵
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd56"70⤵
-
C:\Users\Admin\AppData\Local\Temp\fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd56.exeC:\Users\Admin\AppData\Local\Temp\fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd5671⤵
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd56"72⤵
-
C:\Users\Admin\AppData\Local\Temp\fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd56.exeC:\Users\Admin\AppData\Local\Temp\fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd5673⤵
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd56"74⤵
-
C:\Users\Admin\AppData\Local\Temp\fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd56.exeC:\Users\Admin\AppData\Local\Temp\fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd5675⤵
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd56"76⤵
-
C:\Users\Admin\AppData\Local\Temp\fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd56.exeC:\Users\Admin\AppData\Local\Temp\fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd5677⤵
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd56"78⤵
-
C:\Users\Admin\AppData\Local\Temp\fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd56.exeC:\Users\Admin\AppData\Local\Temp\fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd5679⤵
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd56"80⤵
-
C:\Users\Admin\AppData\Local\Temp\fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd56.exeC:\Users\Admin\AppData\Local\Temp\fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd5681⤵
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd56"82⤵
-
C:\Users\Admin\AppData\Local\Temp\fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd56.exeC:\Users\Admin\AppData\Local\Temp\fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd5683⤵
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd56"84⤵
-
C:\Users\Admin\AppData\Local\Temp\fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd56.exeC:\Users\Admin\AppData\Local\Temp\fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd5685⤵
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd56"86⤵
-
C:\Users\Admin\AppData\Local\Temp\fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd56.exeC:\Users\Admin\AppData\Local\Temp\fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd5687⤵
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd56"88⤵
-
C:\Users\Admin\AppData\Local\Temp\fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd56.exeC:\Users\Admin\AppData\Local\Temp\fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd5689⤵
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd56"90⤵
-
C:\Users\Admin\AppData\Local\Temp\fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd56.exeC:\Users\Admin\AppData\Local\Temp\fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd5691⤵
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd56"92⤵
-
C:\Users\Admin\AppData\Local\Temp\fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd56.exeC:\Users\Admin\AppData\Local\Temp\fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd5693⤵
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd56"94⤵
-
C:\Users\Admin\AppData\Local\Temp\fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd56.exeC:\Users\Admin\AppData\Local\Temp\fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd5695⤵
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd56"96⤵
-
C:\Users\Admin\AppData\Local\Temp\fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd56.exeC:\Users\Admin\AppData\Local\Temp\fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd5697⤵
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd56"98⤵
-
C:\Users\Admin\AppData\Local\Temp\fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd56.exeC:\Users\Admin\AppData\Local\Temp\fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd5699⤵
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd56"100⤵
-
C:\Users\Admin\AppData\Local\Temp\fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd56.exeC:\Users\Admin\AppData\Local\Temp\fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd56101⤵
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd56"102⤵
-
C:\Users\Admin\AppData\Local\Temp\fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd56.exeC:\Users\Admin\AppData\Local\Temp\fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd56103⤵
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd56"104⤵
-
C:\Users\Admin\AppData\Local\Temp\fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd56.exeC:\Users\Admin\AppData\Local\Temp\fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd56105⤵
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd56"106⤵
-
C:\Users\Admin\AppData\Local\Temp\fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd56.exeC:\Users\Admin\AppData\Local\Temp\fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd56107⤵
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd56"108⤵
-
C:\Users\Admin\AppData\Local\Temp\fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd56.exeC:\Users\Admin\AppData\Local\Temp\fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd56109⤵
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd56"110⤵
-
C:\Users\Admin\AppData\Local\Temp\fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd56.exeC:\Users\Admin\AppData\Local\Temp\fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd56111⤵
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd56"112⤵
-
C:\Users\Admin\AppData\Local\Temp\fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd56.exeC:\Users\Admin\AppData\Local\Temp\fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd56113⤵
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd56"114⤵
-
C:\Users\Admin\AppData\Local\Temp\fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd56.exeC:\Users\Admin\AppData\Local\Temp\fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd56115⤵
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd56"116⤵
-
C:\Users\Admin\AppData\Local\Temp\fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd56.exeC:\Users\Admin\AppData\Local\Temp\fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd56117⤵
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd56"118⤵
-
C:\Users\Admin\AppData\Local\Temp\fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd56.exeC:\Users\Admin\AppData\Local\Temp\fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd56119⤵
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd56"120⤵
-
C:\Users\Admin\AppData\Local\Temp\fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd56.exeC:\Users\Admin\AppData\Local\Temp\fdaf0c004606521918d2dd481ef53c276ae151c0d452e38053b53d80282abd56121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-