blacknet | 12acc28c683190195fccfea230f47491c084d01f5d5fa975ba82135e1d0c8fa7

Analysis

max time kernel
150s
max time network
152s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
25-05-2023 10:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dadsroots.exe
Size

391KB
MD5

964a8c4317b2449ce3b1ba42806e00ff
SHA1

1bc9d7cc8dff6a6d3e9c46ff1c9966521e012b38
SHA256

12acc28c683190195fccfea230f47491c084d01f5d5fa975ba82135e1d0c8fa7
SHA512

73ab80afdee2a9d753d7a30bc8da25f28310451fdc7f4f510a7d32b9d999825205604f04e665290e17cd146892635750a16e3f6f7ae45cd509de3a0996569c45
SSDEEP

12288:NozV+S8l6vJGRaIUyVVtERhJhY0YO60nz:Na+S3MMDJXeQz

Score

10^/10

blacknet hacked trojan

Malware Config

Extracted

Family

blacknet

Version

v3.6.0 Public

Botnet

HacKed

http://bankslip.info/dadsroots/

Mutex

BN[ZrDroiBx-5245469]

Attributes

antivm
false
elevate_uac
false
install_name
WindowsUpdate.exe
splitter
|BN|
start_name
a5b002eacf54590ec8401ff6d3f920ee
startup
false
usb_spread
false

Signatures

BlackNET
BlackNET is an open source remote access tool written in VB.NET.
trojan blacknet

BlackNET payload 5 IoCs

resource	yara_rule
behavioral1/memory/1744-59-0x0000000000400000-0x000000000041C000-memory.dmp	family_blacknet
behavioral1/memory/1744-60-0x0000000000400000-0x000000000041C000-memory.dmp	family_blacknet
behavioral1/memory/1744-62-0x0000000000400000-0x000000000041C000-memory.dmp	family_blacknet
behavioral1/memory/1744-65-0x0000000000400000-0x000000000041C000-memory.dmp	family_blacknet
behavioral1/memory/1744-67-0x0000000000400000-0x000000000041C000-memory.dmp	family_blacknet

Executes dropped EXE 53 IoCs

pid	Process
520	cmd.exe
872	cmd.exe
1840	cmd.exe
1320	cmd.exe
1948	cmd.exe
1164	cmd.exe
2020	cmd.exe
1348	cmd.exe
1316	cmd.exe
384	cmd.exe
1832	cmd.exe
1956	cmd.exe
1712	cmd.exe
468	cmd.exe
1836	cmd.exe
1640	cmd.exe
1620	cmd.exe
944	cmd.exe
2144	cmd.exe
2188	cmd.exe
2236	cmd.exe
2292	cmd.exe
2416	cmd.exe
2460	cmd.exe
2500	cmd.exe
2552	cmd.exe
2684	cmd.exe
2728	cmd.exe
2780	cmd.exe
2840	cmd.exe
2948	cmd.exe
2988	cmd.exe
3064	cmd.exe
2080	cmd.exe
2232	cmd.exe
2200	cmd.exe
2436	cmd.exe
2496	cmd.exe
2764	cmd.exe
2836	cmd.exe
2968	cmd.exe
1780	cmd.exe
2284	cmd.exe
2472	cmd.exe
2736	cmd.exe
796	cmd.exe
2560	cmd.exe
2940	cmd.exe
2088	cmd.exe
3120	cmd.exe
3132	cmd.exe
3260	cmd.exe
3296	cmd.exe

Loads dropped DLL 53 IoCs

pid	Process
624	dadsroots.exe
624	dadsroots.exe
520	cmd.exe
520	cmd.exe
872	cmd.exe
872	cmd.exe
1320	cmd.exe
1320	cmd.exe
1164	cmd.exe
1164	cmd.exe
1348	cmd.exe
1348	cmd.exe
384	cmd.exe
384	cmd.exe
1956	cmd.exe
1956	cmd.exe
468	cmd.exe
468	cmd.exe
1640	cmd.exe
1640	cmd.exe
944	cmd.exe
944	cmd.exe
2188	cmd.exe
2188	cmd.exe
2292	cmd.exe
2292	cmd.exe
2460	cmd.exe
2460	cmd.exe
2552	cmd.exe
2552	cmd.exe
2728	cmd.exe
2728	cmd.exe
2840	cmd.exe
2840	cmd.exe
2988	cmd.exe
2988	cmd.exe
2080	cmd.exe
2080	cmd.exe
2200	cmd.exe
2200	cmd.exe
2496	cmd.exe
2496	cmd.exe
624	dadsroots.exe
2836	cmd.exe
2836	cmd.exe
1780	cmd.exe
1780	cmd.exe
520	cmd.exe
2284	cmd.exe
2284	cmd.exe
872	cmd.exe
2736	cmd.exe
2736	cmd.exe

Suspicious use of SetThreadContext 25 IoCs

description	pid	Process	procid_target
PID 624 set thread context of 1744	624	dadsroots.exe	28
PID 520 set thread context of 1840	520	cmd.exe	32
PID 872 set thread context of 1948	872	cmd.exe	34
PID 1320 set thread context of 2020	1320	cmd.exe	36
PID 1164 set thread context of 1316	1164	cmd.exe	38
PID 1348 set thread context of 1832	1348	cmd.exe	40
PID 384 set thread context of 1712	384	cmd.exe	42
PID 1956 set thread context of 1836	1956	cmd.exe	44
PID 468 set thread context of 1620	468	cmd.exe	46
PID 1640 set thread context of 2144	1640	cmd.exe	48
PID 944 set thread context of 2236	944	cmd.exe	50
PID 2188 set thread context of 2416	2188	cmd.exe	52
PID 2292 set thread context of 2500	2292	cmd.exe	54
PID 2460 set thread context of 2684	2460	cmd.exe	56
PID 2552 set thread context of 2780	2552	cmd.exe	58
PID 2728 set thread context of 2948	2728	cmd.exe	60
PID 2840 set thread context of 3064	2840	cmd.exe	62
PID 2988 set thread context of 2232	2988	cmd.exe	64
PID 2080 set thread context of 2436	2080	cmd.exe	66
PID 2200 set thread context of 2764	2200	cmd.exe	68
PID 2496 set thread context of 2968	2496	cmd.exe	70
PID 2836 set thread context of 2472	2836	cmd.exe	73
PID 1780 set thread context of 796	1780	cmd.exe	75
PID 2284 set thread context of 2088	2284	cmd.exe	77
PID 2736 set thread context of 3260	2736	cmd.exe	81

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1744	dadsroots.exe

Suspicious behavior: SetClipboardViewer 21 IoCs

pid	Process
1948	cmd.exe
2020	cmd.exe
1832	cmd.exe
1712	cmd.exe
1836	cmd.exe
1620	cmd.exe
2144	cmd.exe
2236	cmd.exe
2500	cmd.exe
2416	cmd.exe
2684	cmd.exe
2780	cmd.exe
2948	cmd.exe
3064	cmd.exe
2232	cmd.exe
2436	cmd.exe
2764	cmd.exe
2968	cmd.exe
2472	cmd.exe
796	cmd.exe
2088	cmd.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1744	dadsroots.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1744	dadsroots.exe
1744	dadsroots.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 624 wrote to memory of 1744	624	dadsroots.exe	28
PID 624 wrote to memory of 1744	624	dadsroots.exe	28
PID 624 wrote to memory of 1744	624	dadsroots.exe	28
PID 624 wrote to memory of 1744	624	dadsroots.exe	28
PID 624 wrote to memory of 1744	624	dadsroots.exe	28
PID 624 wrote to memory of 1744	624	dadsroots.exe	28
PID 624 wrote to memory of 1744	624	dadsroots.exe	28
PID 624 wrote to memory of 1744	624	dadsroots.exe	28
PID 624 wrote to memory of 1744	624	dadsroots.exe	28
PID 624 wrote to memory of 1744	624	dadsroots.exe	28
PID 624 wrote to memory of 1744	624	dadsroots.exe	28
PID 624 wrote to memory of 1744	624	dadsroots.exe	28
PID 624 wrote to memory of 520	624	dadsroots.exe	29
PID 624 wrote to memory of 520	624	dadsroots.exe	29
PID 624 wrote to memory of 520	624	dadsroots.exe	29
PID 624 wrote to memory of 520	624	dadsroots.exe	29
PID 624 wrote to memory of 520	624	dadsroots.exe	29
PID 624 wrote to memory of 520	624	dadsroots.exe	29
PID 624 wrote to memory of 520	624	dadsroots.exe	29
PID 624 wrote to memory of 872	624	dadsroots.exe	30
PID 624 wrote to memory of 872	624	dadsroots.exe	30
PID 624 wrote to memory of 872	624	dadsroots.exe	30
PID 624 wrote to memory of 872	624	dadsroots.exe	30
PID 624 wrote to memory of 872	624	dadsroots.exe	30
PID 624 wrote to memory of 872	624	dadsroots.exe	30
PID 624 wrote to memory of 872	624	dadsroots.exe	30
PID 520 wrote to memory of 1840	520	cmd.exe	32
PID 520 wrote to memory of 1840	520	cmd.exe	32
PID 520 wrote to memory of 1840	520	cmd.exe	32
PID 520 wrote to memory of 1840	520	cmd.exe	32
PID 520 wrote to memory of 1840	520	cmd.exe	32
PID 520 wrote to memory of 1840	520	cmd.exe	32
PID 520 wrote to memory of 1840	520	cmd.exe	32
PID 520 wrote to memory of 1840	520	cmd.exe	32
PID 520 wrote to memory of 1840	520	cmd.exe	32
PID 520 wrote to memory of 1840	520	cmd.exe	32
PID 520 wrote to memory of 1840	520	cmd.exe	32
PID 520 wrote to memory of 1840	520	cmd.exe	32
PID 520 wrote to memory of 1320	520	cmd.exe	33
PID 520 wrote to memory of 1320	520	cmd.exe	33
PID 520 wrote to memory of 1320	520	cmd.exe	33
PID 520 wrote to memory of 1320	520	cmd.exe	33
PID 520 wrote to memory of 1320	520	cmd.exe	33
PID 520 wrote to memory of 1320	520	cmd.exe	33
PID 520 wrote to memory of 1320	520	cmd.exe	33
PID 872 wrote to memory of 1948	872	cmd.exe	34
PID 872 wrote to memory of 1948	872	cmd.exe	34
PID 872 wrote to memory of 1948	872	cmd.exe	34
PID 872 wrote to memory of 1948	872	cmd.exe	34
PID 872 wrote to memory of 1948	872	cmd.exe	34
PID 872 wrote to memory of 1948	872	cmd.exe	34
PID 872 wrote to memory of 1948	872	cmd.exe	34
PID 872 wrote to memory of 1948	872	cmd.exe	34
PID 872 wrote to memory of 1948	872	cmd.exe	34
PID 872 wrote to memory of 1948	872	cmd.exe	34
PID 872 wrote to memory of 1948	872	cmd.exe	34
PID 872 wrote to memory of 1948	872	cmd.exe	34
PID 872 wrote to memory of 1164	872	cmd.exe	35
PID 872 wrote to memory of 1164	872	cmd.exe	35
PID 872 wrote to memory of 1164	872	cmd.exe	35
PID 872 wrote to memory of 1164	872	cmd.exe	35
PID 872 wrote to memory of 1164	872	cmd.exe	35
PID 872 wrote to memory of 1164	872	cmd.exe	35
PID 872 wrote to memory of 1164	872	cmd.exe	35

C:\Users\Admin\AppData\Local\Temp\dadsroots.exe
"C:\Users\Admin\AppData\Local\Temp\dadsroots.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:624
- C:\Users\Admin\AppData\Local\Temp\dadsroots.exe
  "C:\Users\Admin\AppData\Local\Temp\dadsroots.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1744
- C:\Users\Admin\AppData\Local\Temp\cmd.exe
  "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:520
- - C:\Users\Admin\AppData\Local\Temp\cmd.exe
    "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
    3⤵
    - Executes dropped EXE
    PID:1840
- - C:\Users\Admin\AppData\Local\Temp\cmd.exe
    "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    PID:1320
  - - C:\Users\Admin\AppData\Local\Temp\cmd.exe
      "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: SetClipboardViewer
      PID:2020
  - - C:\Users\Admin\AppData\Local\Temp\cmd.exe
      "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      PID:1348
    - - C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: SetClipboardViewer
        
        PID:1832
    - - C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:1956
      - C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: SetClipboardViewer
        
        PID:1836
      - C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:1640
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: SetClipboardViewer
        
        PID:2144
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:2188
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: SetClipboardViewer
        
        PID:2416
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:2460
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: SetClipboardViewer
        
        PID:2684
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:2728
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: SetClipboardViewer
        
        PID:2948
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:2988
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: SetClipboardViewer
        
        PID:2232
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:2200
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: SetClipboardViewer
        
        PID:2764
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:2836
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: SetClipboardViewer
        
        PID:2472
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:2736
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        14⤵
        Executes dropped EXE
        
        PID:3260
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        14⤵
        Executes dropped EXE
        
        PID:3296
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        15⤵
        
        PID:3688
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        15⤵
        
        PID:3736
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        16⤵
        
        PID:3396
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        16⤵
        
        PID:3568
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        17⤵
        
        PID:4180
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        17⤵
        
        PID:4372
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        18⤵
        
        PID:4844
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
        14⤵
        
        PID:2528
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
        13⤵
        
        PID:4104
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        14⤵
        
        PID:6276
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        15⤵
        
        PID:6684
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        14⤵
        
        PID:2228
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
        10⤵
        
        PID:2676
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        11⤵
        
        PID:5492
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
        7⤵
        
        PID:4152
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        8⤵
        
        PID:4656
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        8⤵
        
        PID:4872
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        9⤵
        
        PID:5012
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        10⤵
        
        PID:5132
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        10⤵
        
        PID:5272
      - C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
        6⤵
        
        PID:3520
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        7⤵
        
        PID:4128
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        7⤵
        
        PID:4276
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        8⤵
        
        PID:4824
    - - C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
        5⤵
        
        PID:3780
      - C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        6⤵
        
        PID:3372
      - C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        6⤵
        
        PID:3768
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        7⤵
        
        PID:4504
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        8⤵
        
        PID:5004
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        8⤵
        
        PID:4360
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        9⤵
        
        PID:4232
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        9⤵
        
        PID:5540
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        10⤵
        
        PID:5992
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        7⤵
        
        PID:4248
  - - C:\Users\Admin\AppData\Local\Temp\cmd.exe
      "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
      4⤵
      PID:3428
    - - C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        5⤵
        
        PID:3748
    - - C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        5⤵
        
        PID:3960
      - C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        6⤵
        
        PID:3956
      - C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        6⤵
        
        PID:4052
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        7⤵
        
        PID:4388
  - - C:\Users\Admin\AppData\Local\Temp\cmd.exe
      "cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\cmd.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
      4⤵
      PID:2220
- - C:\Users\Admin\AppData\Local\Temp\cmd.exe
    "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
    3⤵
    - Executes dropped EXE
    PID:2940
  - - C:\Users\Admin\AppData\Local\Temp\cmd.exe
      "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
      4⤵
      PID:3376
- C:\Users\Admin\AppData\Local\Temp\cmd.exe
  "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:872
- - C:\Users\Admin\AppData\Local\Temp\cmd.exe
    "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: SetClipboardViewer
    PID:1948
- - C:\Users\Admin\AppData\Local\Temp\cmd.exe
    "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    PID:1164
  - - C:\Users\Admin\AppData\Local\Temp\cmd.exe
      "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
      4⤵
      Executes dropped EXE
      PID:1316
  - - C:\Users\Admin\AppData\Local\Temp\cmd.exe
      "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      PID:384
    - - C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: SetClipboardViewer
        
        PID:1712
    - - C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:468
      - C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: SetClipboardViewer
        
        PID:1620
      - C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:944
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: SetClipboardViewer
        
        PID:2236
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:2292
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: SetClipboardViewer
        
        PID:2500
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:2552
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: SetClipboardViewer
        
        PID:2780
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:2840
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: SetClipboardViewer
        
        PID:3064
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:2080
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: SetClipboardViewer
        
        PID:2436
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:2496
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: SetClipboardViewer
        
        PID:2968
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:1780
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: SetClipboardViewer
        
        PID:796
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        13⤵
        Executes dropped EXE
        
        PID:2560
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        14⤵
        
        PID:3356
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        14⤵
        
        PID:3416
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        15⤵
        
        PID:3724
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        15⤵
        
        PID:3908
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        16⤵
        
        PID:3904
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        16⤵
        
        PID:3508
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        17⤵
        
        PID:4464
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
        14⤵
        
        PID:5752
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
        12⤵
        
        PID:5800
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        13⤵
        
        PID:5876
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
        11⤵
        
        PID:5356
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
        10⤵
        
        PID:2604
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        11⤵
        
        PID:5628
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
        8⤵
        
        PID:4744
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        9⤵
        
        PID:4856
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        10⤵
        
        PID:2904
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
        7⤵
        
        PID:4256
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        8⤵
        
        PID:4760
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        8⤵
        
        PID:4972
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        9⤵
        
        PID:4960
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        9⤵
        
        PID:5072
      - C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
        6⤵
        
        PID:3824
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        7⤵
        
        PID:4216
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        7⤵
        
        PID:4420
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        8⤵
        
        PID:4880
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        8⤵
        
        PID:4204
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        9⤵
        
        PID:4940
    - - C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
        5⤵
        
        PID:3876
      - C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        6⤵
        
        PID:3704
  - - C:\Users\Admin\AppData\Local\Temp\cmd.exe
      "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
      4⤵
      PID:3552
    - - C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        5⤵
        
        PID:3896
    - - C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        5⤵
        
        PID:4084
      - C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        6⤵
        
        PID:3184
      - C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        6⤵
        
        PID:4044
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        7⤵
        
        PID:4528
    - - C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
        5⤵
        
        PID:6596
  - - C:\Users\Admin\AppData\Local\Temp\cmd.exe
      "cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\cmd.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
      4⤵
      PID:2276
- - C:\Users\Admin\AppData\Local\Temp\cmd.exe
    "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
    3⤵
    - Executes dropped EXE
    PID:3132
  - - C:\Users\Admin\AppData\Local\Temp\cmd.exe
      "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
      4⤵
      PID:3468
- C:\Users\Admin\AppData\Local\Temp\cmd.exe
  "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  PID:2284
- - C:\Users\Admin\AppData\Local\Temp\cmd.exe
    "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: SetClipboardViewer
    PID:2088
- - C:\Users\Admin\AppData\Local\Temp\cmd.exe
    "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
    3⤵
    - Executes dropped EXE
    PID:3120
  - - C:\Users\Admin\AppData\Local\Temp\cmd.exe
      "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
      4⤵
      PID:3480
  - - C:\Users\Admin\AppData\Local\Temp\cmd.exe
      "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
      4⤵
      PID:3588
    - - C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        5⤵
        
        PID:3976
    - - C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        5⤵
        
        PID:3196
      - C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        6⤵
        
        PID:1888
      - C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        6⤵
        
        PID:4060
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        7⤵
        
        PID:4576
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        7⤵
        
        PID:4616
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        8⤵
        
        PID:5108
  - - C:\Users\Admin\AppData\Local\Temp\cmd.exe
      "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
      4⤵
      PID:2444
    - - C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        5⤵
        
        PID:6452
- C:\Users\Admin\AppData\Local\Temp\cmd.exe
  "cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\dadsroots.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
  2⤵
  PID:5820
- - C:\Users\Admin\AppData\Local\Temp\cmd.exe
    "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
    3⤵
    PID:3044
- - C:\Users\Admin\AppData\Local\Temp\cmd.exe
    "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
    3⤵
    PID:5624

C:\Users\Admin\AppData\Local\Temp\cmd.exe
"C:\Users\Admin\AppData\Local\Temp\cmd.exe"
1⤵
PID:4624

C:\Users\Admin\AppData\Local\Temp\cmd.exe
"C:\Users\Admin\AppData\Local\Temp\cmd.exe"
1⤵
PID:4460

C:\Users\Admin\AppData\Local\Temp\cmd.exe
"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
1⤵
PID:4648
- C:\Users\Admin\AppData\Local\Temp\cmd.exe
  "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
  2⤵
  PID:5396

C:\Users\Admin\AppData\Local\Temp\cmd.exe
"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
1⤵
PID:5184

C:\Users\Admin\AppData\Local\Temp\cmd.exe
"C:\Users\Admin\AppData\Local\Temp\cmd.exe"
1⤵
PID:5720

C:\Users\Admin\AppData\Local\Temp\cmd.exe
"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
1⤵
PID:5920
- C:\Users\Admin\AppData\Local\Temp\cmd.exe
  "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
  2⤵
  PID:5816

C:\Users\Admin\AppData\Local\Temp\cmd.exe
"C:\Users\Admin\AppData\Local\Temp\cmd.exe"
1⤵
PID:6076

C:\Users\Admin\AppData\Local\Temp\cmd.exe
"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
1⤵
PID:2712

C:\Users\Admin\AppData\Local\Temp\cmd.exe
"C:\Users\Admin\AppData\Local\Temp\cmd.exe"
1⤵
PID:6180

C:\Users\Admin\AppData\Local\Temp\cmd.exe
"C:\Users\Admin\AppData\Local\Temp\cmd.exe"
1⤵
PID:6312

C:\Users\Admin\AppData\Local\Temp\cmd.exe
"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
1⤵
PID:6252

C:\Users\Admin\AppData\Local\Temp\cmd.exe
"C:\Users\Admin\AppData\Local\Temp\cmd.exe"
1⤵
PID:6152

C:\Users\Admin\AppData\Local\Temp\cmd.exe
"C:\Users\Admin\AppData\Local\Temp\cmd.exe"
1⤵
PID:5812

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
memory/468-182-0x0000000004950000-0x0000000004990000-memory.dmp

Filesize
256KB

Download
memory/468-280-0x0000000004950000-0x0000000004990000-memory.dmp

Filesize
256KB

Download
memory/520-143-0x00000000046B0000-0x00000000046F0000-memory.dmp

Filesize
256KB

Download
memory/520-74-0x0000000000AB0000-0x0000000000AE8000-memory.dmp

Filesize
224KB

Download
memory/520-80-0x0000000000220000-0x0000000000238000-memory.dmp

Filesize
96KB

Download
memory/520-78-0x00000000046B0000-0x00000000046F0000-memory.dmp

Filesize
256KB

Download
memory/624-112-0x0000000000550000-0x0000000000590000-memory.dmp

Filesize
256KB

Download
memory/624-54-0x0000000001060000-0x00000000010C8000-memory.dmp

Filesize
416KB

Download
memory/624-55-0x0000000000550000-0x0000000000590000-memory.dmp

Filesize
256KB

Download
memory/624-56-0x0000000004A80000-0x0000000004B9C000-memory.dmp

Filesize
1.1MB

Download
memory/872-144-0x00000000041D0000-0x0000000004210000-memory.dmp

Filesize
256KB

Download
memory/1320-109-0x0000000004760000-0x00000000047A0000-memory.dmp

Filesize
256KB

Download
memory/1320-183-0x0000000004760000-0x00000000047A0000-memory.dmp

Filesize
256KB

Download
memory/1348-140-0x00000000047D0000-0x0000000004810000-memory.dmp

Filesize
256KB

Download
memory/1348-229-0x00000000047D0000-0x0000000004810000-memory.dmp

Filesize
256KB

Download
memory/1712-180-0x0000000000090000-0x00000000000A8000-memory.dmp

Filesize
96KB

Download
memory/1744-141-0x00000000003C0000-0x0000000000400000-memory.dmp

Filesize
256KB

Download
memory/1744-60-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1744-77-0x00000000003C0000-0x0000000000400000-memory.dmp

Filesize
256KB

Download
memory/1744-62-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1744-61-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1744-57-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1744-67-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1744-65-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1744-142-0x00000000003C0000-0x0000000000400000-memory.dmp

Filesize
256KB

Download
memory/1744-58-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1744-79-0x00000000003C0000-0x0000000000400000-memory.dmp

Filesize
256KB

Download
memory/1744-181-0x00000000003C0000-0x0000000000400000-memory.dmp

Filesize
256KB

Download
memory/1744-164-0x00000000003C0000-0x0000000000400000-memory.dmp

Filesize
256KB

Download
memory/1744-59-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1832-251-0x0000000004980000-0x00000000049C0000-memory.dmp

Filesize
256KB

Download
memory/1832-166-0x0000000004980000-0x00000000049C0000-memory.dmp

Filesize
256KB

Download
memory/1840-85-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1840-87-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1840-86-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1840-92-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1840-110-0x0000000004A30000-0x0000000004A70000-memory.dmp

Filesize
256KB

Download
memory/1840-84-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1840-83-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1840-94-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1840-82-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1948-216-0x0000000000760000-0x00000000007A0000-memory.dmp

Filesize
256KB

Download
memory/1948-111-0x0000000000760000-0x00000000007A0000-memory.dmp

Filesize
256KB

Download
memory/1956-250-0x0000000004820000-0x0000000004860000-memory.dmp

Filesize
256KB

Download
memory/2080-338-0x0000000004550000-0x0000000004590000-memory.dmp

Filesize
256KB

Download
memory/2144-249-0x00000000022B0000-0x00000000022F0000-memory.dmp

Filesize
256KB

Download
memory/2188-312-0x0000000004680000-0x00000000046C0000-memory.dmp

Filesize
256KB

Download
memory/2188-231-0x0000000004680000-0x00000000046C0000-memory.dmp

Filesize
256KB

Download
memory/2200-426-0x0000000004790000-0x00000000047D0000-memory.dmp

Filesize
256KB

Download
memory/2292-248-0x00000000002B0000-0x00000000002F0000-memory.dmp

Filesize
256KB

Download
memory/2416-281-0x0000000004AC0000-0x0000000004B00000-memory.dmp

Filesize
256KB

Download
memory/2436-365-0x0000000001F60000-0x0000000001FA0000-memory.dmp

Filesize
256KB

Download
memory/2560-425-0x0000000004770000-0x00000000047B0000-memory.dmp

Filesize
256KB

Download
memory/2684-374-0x00000000047D0000-0x0000000004810000-memory.dmp

Filesize
256KB

Download
memory/2684-310-0x00000000047D0000-0x0000000004810000-memory.dmp

Filesize
256KB

Download
memory/2728-372-0x0000000004720000-0x0000000004760000-memory.dmp

Filesize
256KB

Download
memory/2764-389-0x00000000045D0000-0x0000000004610000-memory.dmp

Filesize
256KB

Download
memory/2836-476-0x00000000048A0000-0x00000000048E0000-memory.dmp

Filesize
256KB

Download
memory/2836-388-0x00000000048A0000-0x00000000048E0000-memory.dmp

Filesize
256KB

Download
memory/2840-311-0x0000000004680000-0x00000000046C0000-memory.dmp

Filesize
256KB

Download
memory/2948-327-0x0000000002020000-0x0000000002060000-memory.dmp

Filesize
256KB

Download
memory/2988-326-0x00000000047A0000-0x00000000047E0000-memory.dmp

Filesize
256KB

Download
memory/3064-339-0x00000000021C0000-0x0000000002200000-memory.dmp

Filesize
256KB

Download
memory/3260-459-0x0000000004A20000-0x0000000004A60000-memory.dmp

Filesize
256KB

Download
memory/3296-601-0x00000000006C0000-0x0000000000700000-memory.dmp

Filesize
256KB

Download
memory/3296-457-0x00000000006C0000-0x0000000000700000-memory.dmp

Filesize
256KB

Download
memory/3736-504-0x00000000046E0000-0x0000000004720000-memory.dmp

Filesize
256KB

Download
memory/3736-714-0x00000000046E0000-0x0000000004720000-memory.dmp

Filesize
256KB

Download
memory/3780-508-0x0000000004860000-0x00000000048A0000-memory.dmp

Filesize
256KB

Download
memory/4052-572-0x00000000020F0000-0x0000000002130000-memory.dmp

Filesize
256KB

Download
memory/4216-649-0x00000000049E0000-0x0000000004A20000-memory.dmp

Filesize
256KB

Download
memory/4256-633-0x0000000004820000-0x0000000004860000-memory.dmp

Filesize
256KB

Download
memory/4504-647-0x0000000002180000-0x00000000021C0000-memory.dmp

Filesize
256KB

Download
memory/4576-676-0x00000000007A0000-0x00000000007E0000-memory.dmp

Filesize
256KB

Download
memory/4692-655-0x00000000048E0000-0x0000000004920000-memory.dmp

Filesize
256KB

Download
memory/4744-681-0x00000000009B0000-0x00000000009F0000-memory.dmp

Filesize
256KB

Download
memory/4824-719-0x0000000000230000-0x0000000000270000-memory.dmp

Filesize
256KB

Download
memory/4872-686-0x0000000000A50000-0x0000000000A90000-memory.dmp

Filesize
256KB

Download
memory/5088-728-0x00000000048E0000-0x0000000004920000-memory.dmp

Filesize
256KB

Download