blacknet | 00e6cd945214e899a23d2afba5c28b185037e0fc3286a78e5fb6f36668c2110b

Analysis

max time kernel
114s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
25-05-2023 03:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TTUSD186.097,08.exe
Size

420KB
MD5

a1d2556073cf1dadf840627cedb4ee05
SHA1

0cfab6747c5d53238e3027347659a51709cf36b2
SHA256

00e6cd945214e899a23d2afba5c28b185037e0fc3286a78e5fb6f36668c2110b
SHA512

50e15027d68c37ac9880276a26c45dc3660fc4d93fbb9e3c35b8f77f1648880f54475444753a5f5346597bd8e331313147fe8ba7cb8f0d34dfdd645a6593efdb
SSDEEP

12288:cUEUGtlUW0rjwfas//M4Zjvz4G9TDMn6fB:cU0tlh0KagvzDMn2

Score

10^/10

blacknet hacked trojan

Malware Config

Extracted

Family

blacknet

Version

v3.6.0 Public

Botnet

HacKed

http://bankslip.info/nash/

Mutex

BN[HSMeOkUf-8793677]

Attributes

antivm
false
elevate_uac
false
install_name
WindowsUpdate.exe
splitter
|BN|
start_name
a5b002eacf54590ec8401ff6d3f920ee
startup
false
usb_spread
false

Signatures

BlackNET
BlackNET is an open source remote access tool written in VB.NET.
trojan blacknet

BlackNET payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2372-137-0x0000000000400000-0x000000000041C000-memory.dmp	family_blacknet

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TTUSD186.097,08.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	TTUSD186.097,08.exe

Executes dropped EXE 64 IoCs

Processes:

cmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

pid	Process
2656	cmd.exe
4608	cmd.exe
1640	cmd.exe
3740	cmd.exe
3828	cmd.exe
4592	cmd.exe
4840	cmd.exe
2840	cmd.exe
1924	cmd.exe
3760	cmd.exe
4112	cmd.exe
4060	cmd.exe
3220	cmd.exe
3400	cmd.exe
2212	cmd.exe
1944	cmd.exe
4748	cmd.exe
488	cmd.exe
3340	cmd.exe
4792	cmd.exe
4852	cmd.exe
4844	cmd.exe
2204	cmd.exe
1220	cmd.exe
648	cmd.exe
1676	cmd.exe
4664	cmd.exe
4044	cmd.exe
1808	cmd.exe
3916	cmd.exe
1116	cmd.exe
3596	cmd.exe
436	cmd.exe
4264	cmd.exe
1664	cmd.exe
1364	cmd.exe
2652	cmd.exe
4248	cmd.exe
1480	cmd.exe
4584	cmd.exe
3992	cmd.exe
4700	cmd.exe
3860	cmd.exe
2864	cmd.exe
2252	cmd.exe
4716	cmd.exe
2568	cmd.exe
1920	cmd.exe
4996	cmd.exe
4396	cmd.exe
60	cmd.exe
4784	cmd.exe
1368	cmd.exe
5124	cmd.exe
5140	cmd.exe
5288	cmd.exe
5304	cmd.exe
5364	cmd.exe
5392	cmd.exe
5400	cmd.exe
5444	cmd.exe
5476	cmd.exe
5528	cmd.exe
5544	cmd.exe

Suspicious use of SetThreadContext 64 IoCs

Processes:

TTUSD186.097,08.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	Process	procid_target
PID 5104 set thread context of 2372	5104	TTUSD186.097,08.exe	87
PID 2656 set thread context of 1640	2656	cmd.exe	93
PID 4608 set thread context of 3828	4608	cmd.exe	94
PID 3740 set thread context of 4840	3740	cmd.exe	97
PID 4592 set thread context of 1924	4592	cmd.exe	99
PID 2840 set thread context of 4112	2840	cmd.exe	101
PID 3760 set thread context of 3220	3760	cmd.exe	103
PID 4060 set thread context of 2212	4060	cmd.exe	106
PID 3400 set thread context of 4748	3400	cmd.exe	108
PID 1944 set thread context of 3340	1944	cmd.exe	110
PID 488 set thread context of 4852	488	cmd.exe	112
PID 4792 set thread context of 2204	4792	cmd.exe	114
PID 4844 set thread context of 648	4844	cmd.exe	116
PID 1220 set thread context of 4664	1220	cmd.exe	118
PID 1676 set thread context of 1808	1676	cmd.exe	120
PID 4044 set thread context of 1116	4044	cmd.exe	122
PID 3916 set thread context of 436	3916	cmd.exe	124
PID 3596 set thread context of 1664	3596	cmd.exe	126
PID 4264 set thread context of 2652	4264	cmd.exe	128
PID 1364 set thread context of 1480	1364	cmd.exe	130
PID 4248 set thread context of 3992	4248	cmd.exe	132
PID 4584 set thread context of 3860	4584	cmd.exe	134
PID 4700 set thread context of 2252	4700	cmd.exe	136
PID 2864 set thread context of 1920	2864	cmd.exe	139
PID 4716 set thread context of 4396	4716	cmd.exe	141
PID 2568 set thread context of 1368	2568	cmd.exe	144
PID 4996 set thread context of 5288	4996	cmd.exe	147
PID 60 set thread context of 5364	60	cmd.exe	149
PID 4784 set thread context of 5400	4784	cmd.exe	151
PID 5124 set thread context of 5528	5124	cmd.exe	154
PID 5140 set thread context of 5544	5140	cmd.exe	155
PID 5304 set thread context of 5804	5304	cmd.exe	159
PID 5392 set thread context of 5872	5392	cmd.exe	161
PID 5444 set thread context of 5948	5444	cmd.exe	163
PID 5476 set thread context of 5992	5476	cmd.exe	166
PID 5552 set thread context of 6128	5552	cmd.exe	169
PID 5612 set thread context of 4272	5612	cmd.exe	170
PID 5576 set thread context of 5260	5576	cmd.exe	173
PID 5820 set thread context of 2424	5820	cmd.exe	175
PID 5888 set thread context of 5940	5888	cmd.exe	177
PID 5960 set thread context of 4896	5960	cmd.exe	179
PID 5972 set thread context of 5436	5972	cmd.exe	181
PID 6036 set thread context of 6216	6036	cmd.exe	184
PID 6096 set thread context of 6284	6096	cmd.exe	187
PID 484 set thread context of 6344	484	cmd.exe	188
PID 5256 set thread context of 6440	5256	cmd.exe	191
PID 1964 set thread context of 6504	1964	cmd.exe	193
PID 2060 set thread context of 6696	2060	cmd.exe	195
PID 376 set thread context of 6764	376	cmd.exe	197
PID 5560 set thread context of 6840	5560	cmd.exe	199
PID 1520 set thread context of 6932	1520	cmd.exe	202
PID 6184 set thread context of 6940	6184	cmd.exe	203
PID 6252 set thread context of 6956	6252	cmd.exe	204
PID 6300 set thread context of 7044	6300	cmd.exe	207
PID 6364 set thread context of 6384	6364	cmd.exe	211
PID 6412 set thread context of 4988	6412	cmd.exe	213
PID 6484 set thread context of 1916	6484	cmd.exe	215
PID 6572 set thread context of 6160	6572	cmd.exe	216
PID 6712 set thread context of 7392	6712	cmd.exe	219
PID 6788 set thread context of 7464	6788	cmd.exe	221
PID 6852 set thread context of 7528	6852	cmd.exe	223
PID 6892 set thread context of 7544	6892	cmd.exe	224
PID 6980 set thread context of 7692	6980	cmd.exe	228
PID 7020 set thread context of 7712	7020	cmd.exe	230

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 41 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	Process	procid_target
12164	12236	WerFault.exe	380
12148	11140	WerFault.exe	337
11668	10396	WerFault.exe	341
11676	540	WerFault.exe	344
3852	11200	WerFault.exe	338
11824	11328	WerFault.exe	346
11828	11464	WerFault.exe	350
776	10388	WerFault.exe	342
11824	11040	WerFault.exe	333
11756	11852	WerFault.exe	358
10976	12236	WerFault.exe	380
3852	11228	WerFault.exe	406
1596	4684	WerFault.exe	439
11080	220	WerFault.exe	438
5220	2192	WerFault.exe	411
3604	5136	WerFault.exe	447
11236	3204	WerFault.exe	423
4752	11928	WerFault.exe	427
7384	10972	WerFault.exe	426
3604	11760	WerFault.exe	428
3044	9952	WerFault.exe	429
11668	12148	WerFault.exe	479
12400	3284	WerFault.exe	491
12424	4672	WerFault.exe	437
12484	12432	WerFault.exe	503
12512	12432	WerFault.exe	503
13004	12876	WerFault.exe	519
13064	12928	WerFault.exe	521
13072	12928	WerFault.exe	521
12336	13288	WerFault.exe	534
7444	6684	WerFault.exe	489
10744	10220	WerFault.exe	488
13252	12604	WerFault.exe	510
5488	12728	WerFault.exe	516
6028	9392	WerFault.exe	575
9588	13088	WerFault.exe	578
12324	11928	WerFault.exe	549
5408	5072	WerFault.exe	551
9692	13188	WerFault.exe	557
1160	3328	WerFault.exe	555
13192	5688	WerFault.exe	591

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

TTUSD186.097,08.exe

pid	Process
2372	TTUSD186.097,08.exe

Suspicious behavior: SetClipboardViewer 64 IoCs

Processes:

pid	Process
3828	cmd.exe
4840	cmd.exe
1924	cmd.exe
4112	cmd.exe
3220	cmd.exe
2212	cmd.exe
4748	cmd.exe
3340	cmd.exe
4852	cmd.exe
2204	cmd.exe
648	cmd.exe
4664	cmd.exe
1808	cmd.exe
1116	cmd.exe
436	cmd.exe
1664	cmd.exe
2652	cmd.exe
1480	cmd.exe
3992	cmd.exe
3860	cmd.exe
2252	cmd.exe
1920	cmd.exe
4396	cmd.exe
1368	cmd.exe
5288	cmd.exe
5364	cmd.exe
5400	cmd.exe
5528	cmd.exe
5544	cmd.exe
5804	cmd.exe
5872	cmd.exe
5992	cmd.exe
5948	cmd.exe
6128	cmd.exe
5260	cmd.exe
4272	cmd.exe
2424	cmd.exe
5940	cmd.exe
4896	cmd.exe
5436	cmd.exe
6216	cmd.exe
6284	cmd.exe
6344	cmd.exe
6440	cmd.exe
6504	cmd.exe
6696	cmd.exe
6764	cmd.exe
6840	cmd.exe
6932	cmd.exe
6956	cmd.exe
6940	cmd.exe
6384	cmd.exe
7044	cmd.exe
4988	cmd.exe
1916	cmd.exe
6160	cmd.exe
7392	cmd.exe
7464	cmd.exe
7528	cmd.exe
7544	cmd.exe
7692	cmd.exe
7712	cmd.exe
7824	cmd.exe
7916	cmd.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

TTUSD186.097,08.exe

description	pid	Process
Token: SeDebugPrivilege	2372	TTUSD186.097,08.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

TTUSD186.097,08.exe

pid	Process
2372	TTUSD186.097,08.exe
2372	TTUSD186.097,08.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

TTUSD186.097,08.execmd.execmd.execmd.execmd.execmd.exe

description	pid	Process	procid_target
PID 5104 wrote to memory of 2372	5104	TTUSD186.097,08.exe	87
PID 5104 wrote to memory of 2372	5104	TTUSD186.097,08.exe	87
PID 5104 wrote to memory of 2372	5104	TTUSD186.097,08.exe	87
PID 5104 wrote to memory of 2372	5104	TTUSD186.097,08.exe	87
PID 5104 wrote to memory of 2372	5104	TTUSD186.097,08.exe	87
PID 5104 wrote to memory of 2372	5104	TTUSD186.097,08.exe	87
PID 5104 wrote to memory of 2372	5104	TTUSD186.097,08.exe	87
PID 5104 wrote to memory of 2372	5104	TTUSD186.097,08.exe	87
PID 5104 wrote to memory of 2656	5104	TTUSD186.097,08.exe	88
PID 5104 wrote to memory of 2656	5104	TTUSD186.097,08.exe	88
PID 5104 wrote to memory of 2656	5104	TTUSD186.097,08.exe	88
PID 5104 wrote to memory of 4608	5104	TTUSD186.097,08.exe	89
PID 5104 wrote to memory of 4608	5104	TTUSD186.097,08.exe	89
PID 5104 wrote to memory of 4608	5104	TTUSD186.097,08.exe	89
PID 2656 wrote to memory of 1640	2656	cmd.exe	93
PID 2656 wrote to memory of 1640	2656	cmd.exe	93
PID 2656 wrote to memory of 1640	2656	cmd.exe	93
PID 2656 wrote to memory of 1640	2656	cmd.exe	93
PID 2656 wrote to memory of 1640	2656	cmd.exe	93
PID 2656 wrote to memory of 1640	2656	cmd.exe	93
PID 2656 wrote to memory of 1640	2656	cmd.exe	93
PID 2656 wrote to memory of 1640	2656	cmd.exe	93
PID 4608 wrote to memory of 3828	4608	cmd.exe	94
PID 4608 wrote to memory of 3828	4608	cmd.exe	94
PID 4608 wrote to memory of 3828	4608	cmd.exe	94
PID 2656 wrote to memory of 3740	2656	cmd.exe	96
PID 2656 wrote to memory of 3740	2656	cmd.exe	96
PID 2656 wrote to memory of 3740	2656	cmd.exe	96
PID 4608 wrote to memory of 3828	4608	cmd.exe	94
PID 4608 wrote to memory of 3828	4608	cmd.exe	94
PID 4608 wrote to memory of 3828	4608	cmd.exe	94
PID 4608 wrote to memory of 3828	4608	cmd.exe	94
PID 4608 wrote to memory of 3828	4608	cmd.exe	94
PID 4608 wrote to memory of 4592	4608	cmd.exe	95
PID 4608 wrote to memory of 4592	4608	cmd.exe	95
PID 4608 wrote to memory of 4592	4608	cmd.exe	95
PID 3740 wrote to memory of 4840	3740	cmd.exe	97
PID 3740 wrote to memory of 4840	3740	cmd.exe	97
PID 3740 wrote to memory of 4840	3740	cmd.exe	97
PID 3740 wrote to memory of 4840	3740	cmd.exe	97
PID 3740 wrote to memory of 4840	3740	cmd.exe	97
PID 3740 wrote to memory of 4840	3740	cmd.exe	97
PID 3740 wrote to memory of 4840	3740	cmd.exe	97
PID 3740 wrote to memory of 4840	3740	cmd.exe	97
PID 3740 wrote to memory of 2840	3740	cmd.exe	98
PID 3740 wrote to memory of 2840	3740	cmd.exe	98
PID 3740 wrote to memory of 2840	3740	cmd.exe	98
PID 4592 wrote to memory of 1924	4592	cmd.exe	99
PID 4592 wrote to memory of 1924	4592	cmd.exe	99
PID 4592 wrote to memory of 1924	4592	cmd.exe	99
PID 4592 wrote to memory of 1924	4592	cmd.exe	99
PID 4592 wrote to memory of 1924	4592	cmd.exe	99
PID 4592 wrote to memory of 1924	4592	cmd.exe	99
PID 4592 wrote to memory of 1924	4592	cmd.exe	99
PID 4592 wrote to memory of 1924	4592	cmd.exe	99
PID 4592 wrote to memory of 3760	4592	cmd.exe	100
PID 4592 wrote to memory of 3760	4592	cmd.exe	100
PID 4592 wrote to memory of 3760	4592	cmd.exe	100
PID 2840 wrote to memory of 4112	2840	cmd.exe	101
PID 2840 wrote to memory of 4112	2840	cmd.exe	101
PID 2840 wrote to memory of 4112	2840	cmd.exe	101
PID 2840 wrote to memory of 4112	2840	cmd.exe	101
PID 2840 wrote to memory of 4112	2840	cmd.exe	101
PID 2840 wrote to memory of 4112	2840	cmd.exe	101

C:\Users\Admin\AppData\Local\Temp\TTUSD186.097,08.exe
"C:\Users\Admin\AppData\Local\Temp\TTUSD186.097,08.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:5104
- C:\Users\Admin\AppData\Local\Temp\TTUSD186.097,08.exe
  "C:\Users\Admin\AppData\Local\Temp\TTUSD186.097,08.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2372
- C:\Users\Admin\AppData\Local\Temp\cmd.exe
  "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2656
- - C:\Users\Admin\AppData\Local\Temp\cmd.exe
    "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
    3⤵
    - Executes dropped EXE
    PID:1640
- - C:\Users\Admin\AppData\Local\Temp\cmd.exe
    "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:3740
  - - C:\Users\Admin\AppData\Local\Temp\cmd.exe
      "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: SetClipboardViewer
      PID:4840
  - - C:\Users\Admin\AppData\Local\Temp\cmd.exe
      "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:2840
    - - C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: SetClipboardViewer
        
        PID:4112
    - - C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4060
      - C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: SetClipboardViewer
        
        PID:2212
      - C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1944
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: SetClipboardViewer
        
        PID:3340
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4792
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: SetClipboardViewer
        
        PID:2204
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1220
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: SetClipboardViewer
        
        PID:4664
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4044
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: SetClipboardViewer
        
        PID:1116
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        10⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3596
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: SetClipboardViewer
        
        PID:1664
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        11⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1364
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: SetClipboardViewer
        
        PID:1480
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        12⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4584
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: SetClipboardViewer
        
        PID:3860
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        13⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2864
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: SetClipboardViewer
        
        PID:1920
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        14⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4996
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: SetClipboardViewer
        
        PID:5288
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        15⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:5304
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        16⤵
        Suspicious behavior: SetClipboardViewer
        
        PID:5804
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        16⤵
        Suspicious use of SetThreadContext
        
        PID:5820
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        17⤵
        Suspicious behavior: SetClipboardViewer
        
        PID:2424
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        17⤵
        Suspicious use of SetThreadContext
        
        PID:2060
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        18⤵
        Suspicious behavior: SetClipboardViewer
        
        PID:6696
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        18⤵
        Suspicious use of SetThreadContext
        
        PID:6712
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        19⤵
        Suspicious behavior: SetClipboardViewer
        
        PID:7392
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        19⤵
        
        PID:7404
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        20⤵
        
        PID:8264
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        20⤵
        
        PID:8280
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        21⤵
        
        PID:9276
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        21⤵
        
        PID:9292
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        22⤵
        
        PID:10424
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        22⤵
        
        PID:10440
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        23⤵
        
        PID:11708
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        23⤵
        
        PID:11728
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
        23⤵
        
        PID:12096
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\cmd.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
        23⤵
        
        PID:11928
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 11928 -s 856
        24⤵
        Program crash
        
        PID:4752
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
        22⤵
        
        PID:12812
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        23⤵
        
        PID:5768
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        23⤵
        
        PID:3156
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
        17⤵
        
        PID:9572
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\cmd.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
        17⤵
        
        PID:5164
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
        15⤵
        
        PID:10848
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        16⤵
        
        PID:12304
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C The type initializer for '' threw an exception.C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
        17⤵
        
        PID:13208
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
        14⤵
        
        PID:11876
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        15⤵
        
        PID:3284
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3284 -s 1100
        16⤵
        Program crash
        
        PID:12400
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        15⤵
        
        PID:3944
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        16⤵
        
        PID:4336
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        17⤵
        
        PID:6116
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
        13⤵
        
        PID:12236
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 12236 -s 840
        14⤵
        Program crash
        
        PID:12164
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 12236 -s 860
        14⤵
        Program crash
        
        PID:10976
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\cmd.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
        13⤵
        
        PID:11948
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
        12⤵
        
        PID:12012
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\cmd.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
        12⤵
        
        PID:12088
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
        11⤵
        
        PID:10720
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "\svchost"
        12⤵
        
        PID:12100
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'\svchost\svchost.exe'" /f
        12⤵
        
        PID:1072
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        13⤵
        
        PID:5136
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5136 -s 892
        14⤵
        Program crash
        
        PID:3604
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        13⤵
        
        PID:11824
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        14⤵
        
        PID:12736
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        14⤵
        
        PID:12768
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        15⤵
        
        PID:13280
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        15⤵
        
        PID:12128
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
        10⤵
        
        PID:9552
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        11⤵
        
        PID:10700
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        11⤵
        
        PID:10740
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
        11⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2192 -s 984
        12⤵
        Program crash
        
        PID:5220
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\cmd.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
        11⤵
        
        PID:12572
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        12⤵
        
        PID:13060
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\cmd.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
        10⤵
        
        PID:10092
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
        9⤵
        
        PID:8492
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        10⤵
        
        PID:9564
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        10⤵
        
        PID:9604
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        11⤵
        
        PID:10788
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        11⤵
        
        PID:10828
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        12⤵
        
        PID:12180
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        12⤵
        
        PID:12196
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
        12⤵
        
        PID:11732
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        13⤵
        
        PID:2436
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        13⤵
        
        PID:1564
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
        8⤵
        
        PID:7588
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        9⤵
        
        PID:8512
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        9⤵
        
        PID:8556
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        10⤵
        
        PID:9640
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        10⤵
        
        PID:9712
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        11⤵
        
        PID:10936
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        11⤵
        
        PID:11040
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 11040 -s 848
        12⤵
        Program crash
        
        PID:11824
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
        11⤵
        
        PID:9952
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 9952 -s 876
        12⤵
        Program crash
        
        PID:3044
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\cmd.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
        11⤵
        
        PID:8624
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        12⤵
        
        PID:5420
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
        7⤵
        Suspicious use of SetThreadContext
        
        PID:6892
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        8⤵
        Suspicious behavior: SetClipboardViewer
        
        PID:7544
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        8⤵
        
        PID:7580
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        9⤵
        
        PID:8416
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        9⤵
        
        PID:8476
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        10⤵
        
        PID:9464
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        10⤵
        
        PID:9504
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        11⤵
        
        PID:10604
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        11⤵
        
        PID:10660
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        12⤵
        
        PID:11956
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        12⤵
        
        PID:11984
      - C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
        6⤵
        Suspicious use of SetThreadContext
        
        PID:1520
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        7⤵
        Suspicious behavior: SetClipboardViewer
        
        PID:6932
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        7⤵
        
        PID:6988
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        8⤵
        
        PID:7880
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        8⤵
        
        PID:7944
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        9⤵
        
        PID:8916
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        9⤵
        
        PID:8984
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        10⤵
        
        PID:10132
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        10⤵
        
        PID:10200
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        11⤵
        
        PID:11312
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        11⤵
        
        PID:11380
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
        11⤵
        
        PID:12268
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\cmd.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
        11⤵
        
        PID:9892
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        12⤵
        
        PID:2624
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
        12⤵
        
        PID:12148
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 12148 -s 808
        13⤵
        Program crash
        
        PID:11668
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\cmd.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
        12⤵
        
        PID:6684
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6684 -s 812
        13⤵
        Program crash
        
        PID:7444
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
        10⤵
        
        PID:4752
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        11⤵
        
        PID:432
      - C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\cmd.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
        6⤵
        
        PID:5688
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5688 -s 808
        7⤵
        Program crash
        
        PID:13192
    - - C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
        5⤵
        Suspicious use of SetThreadContext
        
        PID:5960
      - C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        6⤵
        Suspicious behavior: SetClipboardViewer
        
        PID:4896
      - C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        6⤵
        Suspicious use of SetThreadContext
        
        PID:5560
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        7⤵
        Suspicious behavior: SetClipboardViewer
        
        PID:6840
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        7⤵
        Suspicious use of SetThreadContext
        
        PID:6852
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        8⤵
        Suspicious behavior: SetClipboardViewer
        
        PID:7528
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        8⤵
        
        PID:7552
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        9⤵
        
        PID:8404
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        9⤵
        
        PID:8428
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        10⤵
        
        PID:9452
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        10⤵
        
        PID:9476
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        11⤵
        
        PID:10596
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        11⤵
        
        PID:10628
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        12⤵
        
        PID:11920
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        12⤵
        
        PID:11936
      - C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
        6⤵
        
        PID:9260
    - - C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\cmd.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
        5⤵
        
        PID:13044
  - - C:\Users\Admin\AppData\Local\Temp\cmd.exe
      "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      PID:5476
    - - C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        5⤵
        Suspicious behavior: SetClipboardViewer
        
        PID:5992
    - - C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        5⤵
        Suspicious use of SetThreadContext
        
        PID:6036
      - C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        6⤵
        Suspicious behavior: SetClipboardViewer
        
        PID:6216
      - C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        6⤵
        Suspicious use of SetThreadContext
        
        PID:6300
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        7⤵
        Suspicious behavior: SetClipboardViewer
        
        PID:7044
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        7⤵
        
        PID:7148
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        8⤵
        Suspicious behavior: SetClipboardViewer
        
        PID:7916
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        8⤵
        
        PID:7968
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        9⤵
        
        PID:8904
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        9⤵
        
        PID:8968
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        10⤵
        
        PID:10112
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        10⤵
        
        PID:10168
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        11⤵
        
        PID:10804
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        11⤵
        
        PID:540
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 540 -s 812
        12⤵
        Program crash
        
        PID:11676
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
        11⤵
        
        PID:10956
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\cmd.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
        11⤵
        
        PID:8688
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
        10⤵
        
        PID:2788
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        11⤵
        
        PID:13288
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 13288 -s 776
        12⤵
        Program crash
        
        PID:12336
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
        11⤵
        
        PID:12040
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        12⤵
        
        PID:9392
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 9392 -s 688
        13⤵
        Program crash
        
        PID:6028
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\cmd.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
        11⤵
        
        PID:6016
      - C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\cmd.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
        6⤵
        
        PID:12380
    - - C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
        5⤵
        
        PID:3328
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3328 -s 840
        6⤵
        Program crash
        
        PID:1160
  - - C:\Users\Admin\AppData\Local\Temp\cmd.exe
      "cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\cmd.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
      4⤵
      PID:12524
- - C:\Users\Admin\AppData\Local\Temp\cmd.exe
    "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:4784
  - - C:\Users\Admin\AppData\Local\Temp\cmd.exe
      "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: SetClipboardViewer
      PID:5400
  - - C:\Users\Admin\AppData\Local\Temp\cmd.exe
      "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      PID:5444
    - - C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        5⤵
        Suspicious behavior: SetClipboardViewer
        
        PID:5948
    - - C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        5⤵
        Suspicious use of SetThreadContext
        
        PID:5972
      - C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        6⤵
        Suspicious behavior: SetClipboardViewer
        
        PID:5436
      - C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        6⤵
        Suspicious use of SetThreadContext
        
        PID:6184
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        7⤵
        Suspicious behavior: SetClipboardViewer
        
        PID:6940
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        7⤵
        Suspicious use of SetThreadContext
        
        PID:6980
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        8⤵
        Suspicious behavior: SetClipboardViewer
        
        PID:7692
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        8⤵
        
        PID:7752
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        9⤵
        
        PID:8764
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        10⤵
        
        PID:10000
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        10⤵
        
        PID:10056
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        11⤵
        
        PID:11256
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        11⤵
        
        PID:10388
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 10388 -s 908
        12⤵
        Program crash
        
        PID:776
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
        11⤵
        
        PID:2728
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        12⤵
        
        PID:11200
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\cmd.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
        11⤵
        
        PID:11236
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        12⤵
        
        PID:12928
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 12928 -s 860
        13⤵
        Program crash
        
        PID:13064
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 12928 -s 860
        13⤵
        Program crash
        
        PID:13072
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        12⤵
        
        PID:12948
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
        12⤵
        
        PID:12996
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\cmd.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
        12⤵
        
        PID:13056
        
        C:\Windows\SysWOW64\fondue.exe
        
        "C:\Windows\system32\fondue.exe" /enable-feature: /caller-name:mscoreei.dll
        13⤵
        
        PID:13092
        
        C:\Windows\system32\FonDUE.EXE
        
        "C:\Windows\sysnative\FonDUE.EXE" /enable-feature: /caller-name:mscoreei.dll
        14⤵
        
        PID:12344
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
        10⤵
        
        PID:13108
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        11⤵
        
        PID:8252
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        11⤵
        
        PID:5828
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        9⤵
        
        PID:8704
      - C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
        6⤵
        
        PID:5372
      - C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\cmd.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
        6⤵
        
        PID:9256
    - - C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
        5⤵
        
        PID:13000
  - - C:\Users\Admin\AppData\Local\Temp\cmd.exe
      "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
      4⤵
      PID:12504
- - C:\Users\Admin\AppData\Local\Temp\cmd.exe
    "cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\cmd.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
    3⤵
    PID:4672
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4672 -s 824
      4⤵
      Program crash
      PID:12424
- C:\Users\Admin\AppData\Local\Temp\cmd.exe
  "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:4608
- - C:\Users\Admin\AppData\Local\Temp\cmd.exe
    "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: SetClipboardViewer
    PID:3828
- - C:\Users\Admin\AppData\Local\Temp\cmd.exe
    "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:4592
  - - C:\Users\Admin\AppData\Local\Temp\cmd.exe
      "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: SetClipboardViewer
      PID:1924
  - - C:\Users\Admin\AppData\Local\Temp\cmd.exe
      "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      PID:3760
    - - C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: SetClipboardViewer
        
        PID:3220
    - - C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3400
      - C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: SetClipboardViewer
        
        PID:4748
      - C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:488
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: SetClipboardViewer
        
        PID:4852
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4844
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: SetClipboardViewer
        
        PID:648
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1676
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: SetClipboardViewer
        
        PID:1808
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3916
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: SetClipboardViewer
        
        PID:436
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        10⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4264
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: SetClipboardViewer
        
        PID:2652
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        11⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4248
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: SetClipboardViewer
        
        PID:3992
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        12⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4700
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: SetClipboardViewer
        
        PID:2252
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        13⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4716
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: SetClipboardViewer
        
        PID:4396
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        14⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:60
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: SetClipboardViewer
        
        PID:5364
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        15⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:5392
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        16⤵
        Suspicious behavior: SetClipboardViewer
        
        PID:5872
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        16⤵
        Suspicious use of SetThreadContext
        
        PID:5888
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        17⤵
        Suspicious behavior: SetClipboardViewer
        
        PID:5940
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        17⤵
        Suspicious use of SetThreadContext
        
        PID:376
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        18⤵
        Suspicious behavior: SetClipboardViewer
        
        PID:6764
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        18⤵
        Suspicious use of SetThreadContext
        
        PID:6788
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        19⤵
        Suspicious behavior: SetClipboardViewer
        
        PID:7464
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        19⤵
        
        PID:7472
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        20⤵
        
        PID:8332
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        20⤵
        
        PID:8352
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        21⤵
        
        PID:9332
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        21⤵
        
        PID:9356
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        22⤵
        
        PID:10500
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        22⤵
        
        PID:10516
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        23⤵
        
        PID:11832
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        23⤵
        
        PID:11852
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 11852 -s 860
        24⤵
        Program crash
        
        PID:11756
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
        23⤵
        
        PID:9668
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        24⤵
        
        PID:9788
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        24⤵
        
        PID:12128
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\cmd.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
        24⤵
        
        PID:1524
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        25⤵
        
        PID:13180
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        25⤵
        
        PID:13192
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
        25⤵
        
        PID:13264
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\cmd.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
        25⤵
        
        PID:12296
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\cmd.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
        23⤵
        
        PID:12320
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        24⤵
        
        PID:12424
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        24⤵
        
        PID:2372
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
        17⤵
        
        PID:13264
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
        16⤵
        
        PID:11928
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 11928 -s 896
        17⤵
        Program crash
        
        PID:12324
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\cmd.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
        15⤵
        
        PID:12416
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        16⤵
        
        PID:12096
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        16⤵
        
        PID:5072
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5072 -s 912
        17⤵
        Program crash
        
        PID:5408
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
        14⤵
        
        PID:11676
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        15⤵
        
        PID:4336
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        15⤵
        
        PID:12304
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
        15⤵
        
        PID:12384
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\cmd.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
        15⤵
        
        PID:12432
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 12432 -s 896
        16⤵
        Program crash
        
        PID:12484
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 12432 -s 420
        16⤵
        Program crash
        
        PID:12512
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\cmd.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
        14⤵
        
        PID:12728
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 12728 -s 908
        15⤵
        Program crash
        
        PID:5488
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
        13⤵
        
        PID:10996
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\cmd.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
        13⤵
        
        PID:10972
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 10972 -s 904
        14⤵
        Program crash
        
        PID:7384
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
        11⤵
        
        PID:10848
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\cmd.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
        11⤵
        
        PID:12128
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
        10⤵
        
        PID:9664
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        11⤵
        
        PID:10856
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        11⤵
        
        PID:10912
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
        11⤵
        
        PID:12152
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\cmd.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
        11⤵
        
        PID:10192
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\cmd.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
        10⤵
        
        PID:11760
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 11760 -s 808
        11⤵
        Program crash
        
        PID:3604
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
        9⤵
        
        PID:8624
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        10⤵
        
        PID:9744
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        10⤵
        
        PID:9788
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        11⤵
        
        PID:10960
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        11⤵
        
        PID:11012
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
        11⤵
        
        PID:12104
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        12⤵
        
        PID:10616
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
        12⤵
        
        PID:2828
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\cmd.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
        11⤵
        
        PID:2748
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
        10⤵
        
        PID:1524
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\cmd.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
        9⤵
        
        PID:1000
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
        8⤵
        
        PID:7700
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        9⤵
        
        PID:8576
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        9⤵
        
        PID:8648
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        10⤵
        
        PID:9828
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        10⤵
        
        PID:9888
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        11⤵
        
        PID:11116
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        11⤵
        
        PID:11200
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 11200 -s 876
        12⤵
        Program crash
        
        PID:3852
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
        11⤵
        
        PID:11928
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\cmd.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
        11⤵
        
        PID:1072
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
        10⤵
        
        PID:11964
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\cmd.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
        10⤵
        
        PID:3204
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3204 -s 816
        11⤵
        Program crash
        
        PID:11236
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
        7⤵
        Suspicious use of SetThreadContext
        
        PID:7020
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        8⤵
        Suspicious behavior: SetClipboardViewer
        
        PID:7712
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        8⤵
        
        PID:7768
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        9⤵
        
        PID:8672
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        9⤵
        
        PID:8720
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        10⤵
        
        PID:9820
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        10⤵
        
        PID:9868
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        11⤵
        
        PID:11108
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        11⤵
        
        PID:11140
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 11140 -s 816
        12⤵
        Program crash
        
        PID:12148
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
        11⤵
        
        PID:11404
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'\svchost\svchost.exe'" /f
        12⤵
        
        PID:9696
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\cmd.exe" "\svchost\svchost.exe"
        12⤵
        
        PID:1588
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\cmd.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
        11⤵
        
        PID:1456
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        12⤵
        
        PID:12876
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 12876 -s 1072
        13⤵
        Program crash
        
        PID:13004
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        12⤵
        
        PID:12892
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        13⤵
        
        PID:1240
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        13⤵
        
        PID:1752
      - C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
        6⤵
        Suspicious use of SetThreadContext
        
        PID:6252
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        7⤵
        Suspicious behavior: SetClipboardViewer
        
        PID:6956
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        7⤵
        
        PID:7024
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        8⤵
        Suspicious behavior: SetClipboardViewer
        
        PID:7824
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        8⤵
        
        PID:7864
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        9⤵
        
        PID:8744
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        9⤵
        
        PID:8828
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        10⤵
        
        PID:9924
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        10⤵
        
        PID:9980
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        11⤵
        
        PID:11208
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        11⤵
        
        PID:10396
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 10396 -s 824
        12⤵
        Program crash
        
        PID:11668
    - - C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
        5⤵
        Suspicious use of SetThreadContext
        
        PID:6096
      - C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        6⤵
        Suspicious behavior: SetClipboardViewer
        
        PID:6284
      - C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        6⤵
        Suspicious use of SetThreadContext
        
        PID:6364
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        7⤵
        Suspicious behavior: SetClipboardViewer
        
        PID:6384
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        7⤵
        
        PID:6644
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        8⤵
        
        PID:8008
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        8⤵
        
        PID:8060
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        9⤵
        
        PID:9016
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        9⤵
        
        PID:9068
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        10⤵
        
        PID:10148
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        10⤵
        
        PID:10236
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        11⤵
        
        PID:11268
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        11⤵
        
        PID:11328
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 11328 -s 816
        12⤵
        Program crash
        
        PID:11824
    - - C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\cmd.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
        5⤵
        
        PID:13188
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 13188 -s 856
        6⤵
        Program crash
        
        PID:9692
  - - C:\Users\Admin\AppData\Local\Temp\cmd.exe
      "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
      4⤵
      Suspicious use of SetThreadContext
      PID:5552
    - - C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        5⤵
        Suspicious behavior: SetClipboardViewer
        
        PID:6128
    - - C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        5⤵
        Suspicious use of SetThreadContext
        
        PID:484
      - C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        6⤵
        Suspicious behavior: SetClipboardViewer
        
        PID:6344
      - C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        6⤵
        Suspicious use of SetThreadContext
        
        PID:6412
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        7⤵
        Suspicious behavior: SetClipboardViewer
        
        PID:4988
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        7⤵
        
        PID:4936
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        8⤵
        
        PID:8104
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        8⤵
        
        PID:8180
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        9⤵
        
        PID:9144
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        9⤵
        
        PID:9180
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        10⤵
        
        PID:9484
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        10⤵
        
        PID:4680
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        11⤵
        
        PID:11416
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        11⤵
        
        PID:11464
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 11464 -s 868
        12⤵
        Program crash
        
        PID:11828
    - - C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
        5⤵
        
        PID:13200
  - - C:\Users\Admin\AppData\Local\Temp\cmd.exe
      "cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\cmd.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
      4⤵
      PID:12604
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 12604 -s 812
        5⤵
        Program crash
        
        PID:13252
- - C:\Users\Admin\AppData\Local\Temp\cmd.exe
    "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:5124
  - - C:\Users\Admin\AppData\Local\Temp\cmd.exe
      "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: SetClipboardViewer
      PID:5528
  - - C:\Users\Admin\AppData\Local\Temp\cmd.exe
      "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
      4⤵
      Suspicious use of SetThreadContext
      PID:5576
    - - C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        5⤵
        Suspicious behavior: SetClipboardViewer
        
        PID:5260
    - - C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        5⤵
        Suspicious use of SetThreadContext
        
        PID:1964
      - C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        6⤵
        Suspicious behavior: SetClipboardViewer
        
        PID:6504
      - C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        6⤵
        Suspicious use of SetThreadContext
        
        PID:6572
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        7⤵
        Suspicious behavior: SetClipboardViewer
        
        PID:6160
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        7⤵
        
        PID:7240
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        8⤵
        
        PID:8152
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        8⤵
        
        PID:7388
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        9⤵
        
        PID:9200
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        9⤵
        
        PID:2684
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        10⤵
        
        PID:1332
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        10⤵
        
        PID:9860
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        11⤵
        
        PID:11516
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        11⤵
        
        PID:11616
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
        11⤵
        
        PID:12096
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\cmd.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
        11⤵
        
        PID:12156
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
        10⤵
        
        PID:1432
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        11⤵
        
        PID:10728
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        11⤵
        
        PID:11044
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        12⤵
        
        PID:7384
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        12⤵
        
        PID:10220
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 10220 -s 884
        13⤵
        Program crash
        
        PID:10744
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
        12⤵
        
        PID:9432
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\cmd.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
        12⤵
        
        PID:13088
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 13088 -s 840
        13⤵
        Program crash
        
        PID:9588
  - - C:\Users\Admin\AppData\Local\Temp\cmd.exe
      "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
      4⤵
      PID:12636
  - - C:\Users\Admin\AppData\Local\Temp\cmd.exe
      "cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\cmd.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
      4⤵
      PID:12688
- - C:\Users\Admin\AppData\Local\Temp\cmd.exe
    "cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\cmd.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
    3⤵
    PID:220
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 220 -s 724
      4⤵
      Program crash
      PID:11080
- C:\Users\Admin\AppData\Local\Temp\cmd.exe
  "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:2568
- - C:\Users\Admin\AppData\Local\Temp\cmd.exe
    "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: SetClipboardViewer
    PID:1368
- - C:\Users\Admin\AppData\Local\Temp\cmd.exe
    "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:5140
  - - C:\Users\Admin\AppData\Local\Temp\cmd.exe
      "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: SetClipboardViewer
      PID:5544
  - - C:\Users\Admin\AppData\Local\Temp\cmd.exe
      "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
      4⤵
      Suspicious use of SetThreadContext
      PID:5612
    - - C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        5⤵
        Suspicious behavior: SetClipboardViewer
        
        PID:4272
    - - C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        5⤵
        Suspicious use of SetThreadContext
        
        PID:5256
      - C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        6⤵
        Suspicious behavior: SetClipboardViewer
        
        PID:6440
      - C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        6⤵
        Suspicious use of SetThreadContext
        
        PID:6484
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        7⤵
        Suspicious behavior: SetClipboardViewer
        
        PID:1916
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        7⤵
        
        PID:7176
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        8⤵
        
        PID:8136
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        8⤵
        
        PID:7340
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        9⤵
        
        PID:9160
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        9⤵
        
        PID:8228
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        10⤵
        
        PID:1572
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        10⤵
        
        PID:10024
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        11⤵
        
        PID:11492
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        11⤵
        
        PID:11548
    - - C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
        5⤵
        
        PID:5408
  - - C:\Users\Admin\AppData\Local\Temp\cmd.exe
      "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
      4⤵
      PID:12644
  - - C:\Users\Admin\AppData\Local\Temp\cmd.exe
      "cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\cmd.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
      4⤵
      PID:12696
- - C:\Users\Admin\AppData\Local\Temp\cmd.exe
    "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
    3⤵
    PID:4684
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4684 -s 764
      4⤵
      Program crash
      PID:1596
- - C:\Users\Admin\AppData\Local\Temp\cmd.exe
    "cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\cmd.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
    3⤵
    PID:12136
- C:\Users\Admin\AppData\Local\Temp\cmd.exe
  "cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\TTUSD186.097,08.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
  2⤵
  PID:11228
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 11228 -s 784
    3⤵
    - Program crash
    PID:3852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 11200 -ip 11200
1⤵
PID:12156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 11852 -ip 11852
1⤵
PID:12128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 11920 -ip 11920
1⤵
PID:11348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 732 -p 10912 -ip 10912
1⤵
PID:12260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 11040 -ip 11040
1⤵
PID:4296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 12088 -ip 12088
1⤵
PID:3268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 756 -p 10740 -ip 10740
1⤵
PID:740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 808 -p 12100 -ip 12100
1⤵
PID:11764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 12268 -ip 12268
1⤵
PID:11232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 12096 -ip 12096
1⤵
PID:12168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 816 -p 10996 -ip 10996
1⤵
PID:12136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 11140 -ip 11140
1⤵
PID:2624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 812 -p 540 -ip 540
1⤵
PID:10916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 220 -ip 220
1⤵
PID:776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2192 -ip 2192
1⤵
PID:2140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 776 -p 3204 -ip 3204
1⤵
PID:3328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 804 -p 5136 -ip 5136
1⤵
PID:1588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 776 -p 10972 -ip 10972
1⤵
PID:1000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 808 -p 11928 -ip 11928
1⤵
PID:2140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 11760 -ip 11760
1⤵
PID:2112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 10956 -ip 10956
1⤵
PID:3328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 808 -p 2624 -ip 2624
1⤵
PID:3284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 11948 -ip 11948
1⤵
PID:12160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 9952 -ip 9952
1⤵
PID:9696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 804 -p 8688 -ip 8688
1⤵
PID:2788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 12148 -ip 12148
1⤵
PID:3284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 9788 -ip 9788
1⤵
PID:10256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 768 -p 12304 -ip 12304
1⤵
PID:12340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3284 -ip 3284
1⤵
PID:12332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4336 -ip 4336
1⤵
PID:12364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 780 -p 4672 -ip 4672
1⤵
PID:12376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 12432 -ip 12432
1⤵
PID:12492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 12876 -ip 12876
1⤵
PID:12984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 10220 -ip 10220
1⤵
PID:12504

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:2712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 12604 -ip 12604
1⤵
PID:1172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 808 -p 12728 -ip 12728
1⤵
PID:11016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 788 -p 13088 -ip 13088
1⤵
PID:12572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 5072 -ip 5072
1⤵
PID:13200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 756 -p 5688 -ip 5688
1⤵
PID:5640

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
memory/436-244-0x0000000004F60000-0x0000000004F70000-memory.dmp

Filesize
64KB

Download
memory/436-264-0x0000000004F60000-0x0000000004F70000-memory.dmp

Filesize
64KB

Download
memory/648-224-0x00000000050C0000-0x00000000050D0000-memory.dmp

Filesize
64KB

Download
memory/648-242-0x00000000050C0000-0x00000000050D0000-memory.dmp

Filesize
64KB

Download
memory/1116-262-0x0000000004C50000-0x0000000004C60000-memory.dmp

Filesize
64KB

Download
memory/1640-188-0x0000000004ED0000-0x0000000004EE0000-memory.dmp

Filesize
64KB

Download
memory/1640-162-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1640-168-0x0000000004ED0000-0x0000000004EE0000-memory.dmp

Filesize
64KB

Download
memory/1664-274-0x00000000051E0000-0x00000000051F0000-memory.dmp

Filesize
64KB

Download
memory/1808-253-0x00000000057B0000-0x00000000057C0000-memory.dmp

Filesize
64KB

Download
memory/1808-234-0x00000000057B0000-0x00000000057C0000-memory.dmp

Filesize
64KB

Download
memory/1924-202-0x0000000004D40000-0x0000000004D50000-memory.dmp

Filesize
64KB

Download
memory/1944-221-0x0000000005450000-0x0000000005460000-memory.dmp

Filesize
64KB

Download
memory/2204-238-0x0000000004DC0000-0x0000000004DD0000-memory.dmp

Filesize
64KB

Download
memory/2212-203-0x0000000004C50000-0x0000000004C60000-memory.dmp

Filesize
64KB

Download
memory/2212-222-0x0000000004C50000-0x0000000004C60000-memory.dmp

Filesize
64KB

Download
memory/2372-160-0x00000000057B0000-0x00000000057C0000-memory.dmp

Filesize
64KB

Download
memory/2372-142-0x00000000056F0000-0x0000000005746000-memory.dmp

Filesize
344KB

Download
memory/2372-156-0x00000000057B0000-0x00000000057C0000-memory.dmp

Filesize
64KB

Download
memory/2372-139-0x0000000005420000-0x00000000054BC000-memory.dmp

Filesize
624KB

Download
memory/2372-137-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2372-140-0x0000000005560000-0x00000000055F2000-memory.dmp

Filesize
584KB

Download
memory/2372-150-0x00000000057B0000-0x00000000057C0000-memory.dmp

Filesize
64KB

Download
memory/2372-141-0x00000000054D0000-0x00000000054DA000-memory.dmp

Filesize
40KB

Download
memory/2652-275-0x00000000050C0000-0x00000000050D0000-memory.dmp

Filesize
64KB

Download
memory/2656-154-0x00000000003A0000-0x00000000003D8000-memory.dmp

Filesize
224KB

Download
memory/2656-157-0x0000000004CF0000-0x0000000004D00000-memory.dmp

Filesize
64KB

Download
memory/2656-174-0x0000000004CF0000-0x0000000004D00000-memory.dmp

Filesize
64KB

Download
memory/2840-199-0x0000000005320000-0x0000000005330000-memory.dmp

Filesize
64KB

Download
memory/2840-179-0x0000000005320000-0x0000000005330000-memory.dmp

Filesize
64KB

Download
memory/2864-277-0x0000000004FC0000-0x0000000004FD0000-memory.dmp

Filesize
64KB

Download
memory/3220-211-0x00000000057B0000-0x00000000057C0000-memory.dmp

Filesize
64KB

Download
memory/3220-191-0x00000000057B0000-0x00000000057C0000-memory.dmp

Filesize
64KB

Download
memory/3400-192-0x0000000004D70000-0x0000000004D80000-memory.dmp

Filesize
64KB

Download
memory/3400-212-0x0000000004D70000-0x0000000004D80000-memory.dmp

Filesize
64KB

Download
memory/3760-181-0x0000000005080000-0x0000000005090000-memory.dmp

Filesize
64KB

Download
memory/3760-201-0x0000000005080000-0x0000000005090000-memory.dmp

Filesize
64KB

Download
memory/3828-189-0x0000000004C00000-0x0000000004C10000-memory.dmp

Filesize
64KB

Download
memory/3828-169-0x0000000004C00000-0x0000000004C10000-memory.dmp

Filesize
64KB

Download
memory/3916-254-0x0000000004C10000-0x0000000004C20000-memory.dmp

Filesize
64KB

Download
memory/3992-265-0x0000000004DE0000-0x0000000004DF0000-memory.dmp

Filesize
64KB

Download
memory/4044-248-0x0000000002E90000-0x0000000002EA0000-memory.dmp

Filesize
64KB

Download
memory/4112-210-0x0000000004D80000-0x0000000004D90000-memory.dmp

Filesize
64KB

Download
memory/4248-255-0x00000000020D0000-0x00000000020E0000-memory.dmp

Filesize
64KB

Download
memory/4248-276-0x00000000020D0000-0x00000000020E0000-memory.dmp

Filesize
64KB

Download
memory/4264-263-0x00000000056F0000-0x0000000005700000-memory.dmp

Filesize
64KB

Download
memory/4264-243-0x00000000056F0000-0x0000000005700000-memory.dmp

Filesize
64KB

Download
memory/4592-170-0x0000000004F80000-0x0000000004F90000-memory.dmp

Filesize
64KB

Download
memory/4592-190-0x0000000004F80000-0x0000000004F90000-memory.dmp

Filesize
64KB

Download
memory/4608-158-0x0000000005150000-0x0000000005160000-memory.dmp

Filesize
64KB

Download
memory/4608-175-0x0000000005150000-0x0000000005160000-memory.dmp

Filesize
64KB

Download
memory/4664-249-0x0000000005250000-0x0000000005260000-memory.dmp

Filesize
64KB

Download
memory/4700-266-0x0000000004860000-0x0000000004870000-memory.dmp

Filesize
64KB

Download
memory/4748-223-0x0000000004E50000-0x0000000004E60000-memory.dmp

Filesize
64KB

Download
memory/4792-213-0x0000000004D60000-0x0000000004D70000-memory.dmp

Filesize
64KB

Download
memory/4792-231-0x0000000004D60000-0x0000000004D70000-memory.dmp

Filesize
64KB

Download
memory/4840-180-0x0000000004B80000-0x0000000004B90000-memory.dmp

Filesize
64KB

Download
memory/4840-200-0x0000000004B80000-0x0000000004B90000-memory.dmp

Filesize
64KB

Download
memory/4844-232-0x0000000004B30000-0x0000000004B40000-memory.dmp

Filesize
64KB

Download
memory/4852-233-0x0000000005180000-0x0000000005190000-memory.dmp

Filesize
64KB

Download
memory/4852-214-0x0000000005180000-0x0000000005190000-memory.dmp

Filesize
64KB

Download
memory/5104-136-0x0000000004A90000-0x0000000004AF6000-memory.dmp

Filesize
408KB

Download
memory/5104-135-0x0000000002590000-0x00000000025A0000-memory.dmp

Filesize
64KB

Download
memory/5104-161-0x0000000002590000-0x00000000025A0000-memory.dmp

Filesize
64KB

Download
memory/5104-134-0x0000000004FD0000-0x0000000005574000-memory.dmp

Filesize
5.6MB

Download
memory/5104-133-0x0000000000030000-0x00000000000A0000-memory.dmp

Filesize
448KB

Download