Analysis
-
max time kernel
186s -
max time network
189s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
30-10-2022 02:09
General
-
Target
c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd98.exe
-
Size
493KB
-
MD5
92f95308b8391412431ff90e73b480e0
-
SHA1
199133998ce838f138a3fc628a35c42ae3503e51
-
SHA256
c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd98
-
SHA512
48a3079c31361d4080b90b33c4e95fe0eeefded7689a4610c27f0da79a2ab4730982b6157dc4eb80a3cd521ec95080c509512c3bf320f6b3de4543857fcb09e8
-
SSDEEP
12288:3uJ3pPSKKW4uAfK8s9rUfoTpacMb14sxk:3uCWbAy8s9gQTkcMb1M
Score
10/10
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 2 IoCs
-
Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs
-
UAC bypass 3 TTPs 64 IoCs
-
Executes dropped EXE 3 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 5 IoCs
-
Checks whether UAC is enabled 1 TTPs 6 IoCs
-
Drops file in System32 directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry key 1 TTPs 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 6 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd98.exe"C:\Users\Admin\AppData\Local\Temp\c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd98.exe"1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\GKEIUMMc\AyoMIMQs.exe"C:\Users\Admin\GKEIUMMc\AyoMIMQs.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
-
-
C:\ProgramData\AawUgwUc\jOkAcoQs.exe"C:\ProgramData\AawUgwUc\jOkAcoQs.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd98"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd98.exeC:\Users\Admin\AppData\Local\Temp\c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd983⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd98"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd98.exeC:\Users\Admin\AppData\Local\Temp\c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd985⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd98"6⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd98.exeC:\Users\Admin\AppData\Local\Temp\c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd987⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd98"8⤵
-
C:\Users\Admin\AppData\Local\Temp\c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd98.exeC:\Users\Admin\AppData\Local\Temp\c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd989⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd98"10⤵
-
C:\Users\Admin\AppData\Local\Temp\c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd98.exeC:\Users\Admin\AppData\Local\Temp\c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd9811⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd98"12⤵
-
C:\Users\Admin\AppData\Local\Temp\c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd98.exeC:\Users\Admin\AppData\Local\Temp\c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd9813⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd98"14⤵
-
C:\Users\Admin\AppData\Local\Temp\c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd98.exeC:\Users\Admin\AppData\Local\Temp\c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd9815⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd98"16⤵
-
C:\Users\Admin\AppData\Local\Temp\c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd98.exeC:\Users\Admin\AppData\Local\Temp\c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd9817⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd98"18⤵
-
C:\Users\Admin\AppData\Local\Temp\c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd98.exeC:\Users\Admin\AppData\Local\Temp\c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd9819⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd98"20⤵
-
C:\Users\Admin\AppData\Local\Temp\c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd98.exeC:\Users\Admin\AppData\Local\Temp\c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd9821⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd98"22⤵
-
C:\Users\Admin\AppData\Local\Temp\c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd98.exeC:\Users\Admin\AppData\Local\Temp\c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd9823⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd98"24⤵
-
C:\Users\Admin\AppData\Local\Temp\c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd98.exeC:\Users\Admin\AppData\Local\Temp\c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd9825⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd98"26⤵
-
C:\Users\Admin\AppData\Local\Temp\c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd98.exeC:\Users\Admin\AppData\Local\Temp\c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd9827⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd98"28⤵
-
C:\Users\Admin\AppData\Local\Temp\c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd98.exeC:\Users\Admin\AppData\Local\Temp\c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd9829⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd98"30⤵
-
C:\Users\Admin\AppData\Local\Temp\c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd98.exeC:\Users\Admin\AppData\Local\Temp\c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd9831⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd98"32⤵
-
C:\Users\Admin\AppData\Local\Temp\c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd98.exeC:\Users\Admin\AppData\Local\Temp\c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd9833⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd98"34⤵
-
C:\Users\Admin\AppData\Local\Temp\c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd98.exeC:\Users\Admin\AppData\Local\Temp\c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd9835⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd98"36⤵
-
C:\Users\Admin\AppData\Local\Temp\c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd98.exeC:\Users\Admin\AppData\Local\Temp\c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd9837⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd98"38⤵
-
C:\Users\Admin\AppData\Local\Temp\c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd98.exeC:\Users\Admin\AppData\Local\Temp\c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd9839⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd98"40⤵
-
C:\Users\Admin\AppData\Local\Temp\c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd98.exeC:\Users\Admin\AppData\Local\Temp\c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd9841⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd98"42⤵
-
C:\Users\Admin\AppData\Local\Temp\c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd98.exeC:\Users\Admin\AppData\Local\Temp\c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd9843⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd98"44⤵
-
C:\Users\Admin\AppData\Local\Temp\c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd98.exeC:\Users\Admin\AppData\Local\Temp\c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd9845⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd98"46⤵
-
C:\Users\Admin\AppData\Local\Temp\c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd98.exeC:\Users\Admin\AppData\Local\Temp\c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd9847⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd98"48⤵
-
C:\Users\Admin\AppData\Local\Temp\c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd98.exeC:\Users\Admin\AppData\Local\Temp\c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd9849⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd98"50⤵
-
C:\Users\Admin\AppData\Local\Temp\c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd98.exeC:\Users\Admin\AppData\Local\Temp\c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd9851⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd98"52⤵
-
C:\Users\Admin\AppData\Local\Temp\c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd98.exeC:\Users\Admin\AppData\Local\Temp\c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd9853⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd98"54⤵
-
C:\Users\Admin\AppData\Local\Temp\c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd98.exeC:\Users\Admin\AppData\Local\Temp\c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd9855⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd98"56⤵
-
C:\Users\Admin\AppData\Local\Temp\c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd98.exeC:\Users\Admin\AppData\Local\Temp\c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd9857⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd98"58⤵
-
C:\Users\Admin\AppData\Local\Temp\c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd98.exeC:\Users\Admin\AppData\Local\Temp\c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd9859⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd98"60⤵
-
C:\Users\Admin\AppData\Local\Temp\c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd98.exeC:\Users\Admin\AppData\Local\Temp\c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd9861⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd98"62⤵
-
C:\Users\Admin\AppData\Local\Temp\c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd98.exeC:\Users\Admin\AppData\Local\Temp\c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd9863⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd98"64⤵
-
C:\Users\Admin\AppData\Local\Temp\c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd98.exeC:\Users\Admin\AppData\Local\Temp\c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd9865⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd98"66⤵
-
C:\Users\Admin\AppData\Local\Temp\c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd98.exeC:\Users\Admin\AppData\Local\Temp\c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd9867⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd98"68⤵
-
C:\Users\Admin\AppData\Local\Temp\c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd98.exeC:\Users\Admin\AppData\Local\Temp\c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd9869⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd98"70⤵
-
C:\Users\Admin\AppData\Local\Temp\c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd98.exeC:\Users\Admin\AppData\Local\Temp\c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd9871⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd98"72⤵
-
C:\Users\Admin\AppData\Local\Temp\c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd98.exeC:\Users\Admin\AppData\Local\Temp\c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd9873⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd98"74⤵
-
C:\Users\Admin\AppData\Local\Temp\c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd98.exeC:\Users\Admin\AppData\Local\Temp\c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd9875⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd98"76⤵
-
C:\Users\Admin\AppData\Local\Temp\c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd98.exeC:\Users\Admin\AppData\Local\Temp\c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd9877⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd98"78⤵
-
C:\Users\Admin\AppData\Local\Temp\c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd98.exeC:\Users\Admin\AppData\Local\Temp\c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd9879⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd98"80⤵
-
C:\Users\Admin\AppData\Local\Temp\c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd98.exeC:\Users\Admin\AppData\Local\Temp\c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd9881⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd98"82⤵
-
C:\Users\Admin\AppData\Local\Temp\c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd98.exeC:\Users\Admin\AppData\Local\Temp\c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd9883⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd98"84⤵
-
C:\Users\Admin\AppData\Local\Temp\c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd98.exeC:\Users\Admin\AppData\Local\Temp\c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd9885⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd98"86⤵
-
C:\Users\Admin\AppData\Local\Temp\c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd98.exeC:\Users\Admin\AppData\Local\Temp\c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd9887⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd98"88⤵
-
C:\Users\Admin\AppData\Local\Temp\c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd98.exeC:\Users\Admin\AppData\Local\Temp\c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd9889⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd98"90⤵
-
C:\Users\Admin\AppData\Local\Temp\c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd98.exeC:\Users\Admin\AppData\Local\Temp\c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd9891⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd98"92⤵
-
C:\Users\Admin\AppData\Local\Temp\c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd98.exeC:\Users\Admin\AppData\Local\Temp\c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd9893⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd98"94⤵
-
C:\Users\Admin\AppData\Local\Temp\c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd98.exeC:\Users\Admin\AppData\Local\Temp\c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd9895⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd98"96⤵
-
C:\Users\Admin\AppData\Local\Temp\c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd98.exeC:\Users\Admin\AppData\Local\Temp\c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd9897⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd98"98⤵
-
C:\Users\Admin\AppData\Local\Temp\c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd98.exeC:\Users\Admin\AppData\Local\Temp\c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd9899⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd98"100⤵
-
C:\Users\Admin\AppData\Local\Temp\c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd98.exeC:\Users\Admin\AppData\Local\Temp\c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd98101⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd98"102⤵
-
C:\Users\Admin\AppData\Local\Temp\c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd98.exeC:\Users\Admin\AppData\Local\Temp\c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd98103⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd98"104⤵
-
C:\Users\Admin\AppData\Local\Temp\c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd98.exeC:\Users\Admin\AppData\Local\Temp\c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd98105⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd98"106⤵
-
C:\Users\Admin\AppData\Local\Temp\c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd98.exeC:\Users\Admin\AppData\Local\Temp\c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd98107⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd98"108⤵
-
C:\Users\Admin\AppData\Local\Temp\c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd98.exeC:\Users\Admin\AppData\Local\Temp\c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd98109⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd98"110⤵
-
C:\Users\Admin\AppData\Local\Temp\c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd98.exeC:\Users\Admin\AppData\Local\Temp\c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd98111⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd98"112⤵
-
C:\Users\Admin\AppData\Local\Temp\c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd98.exeC:\Users\Admin\AppData\Local\Temp\c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd98113⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd98"114⤵
-
C:\Users\Admin\AppData\Local\Temp\c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd98.exeC:\Users\Admin\AppData\Local\Temp\c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd98115⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd98"116⤵
-
C:\Users\Admin\AppData\Local\Temp\c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd98.exeC:\Users\Admin\AppData\Local\Temp\c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd98117⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd98"118⤵
-
C:\Users\Admin\AppData\Local\Temp\c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd98.exeC:\Users\Admin\AppData\Local\Temp\c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd98119⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd98"120⤵
-
C:\Users\Admin\AppData\Local\Temp\c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd98.exeC:\Users\Admin\AppData\Local\Temp\c810cf6e387cc3f66fd0c1b67264b729b1f3995ac3654364af652d084398fd98121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-