blacknet | 636586494bbb8266d974ac3dd259d1290c94c96a98d00165c502aafbbca5447a

Analysis

max time kernel
99s
max time network
33s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
09/06/2023, 11:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

636586494bbb8266d974ac3dd259d1290c94c96a98d00165c502aafbbca5447a.exe
Size

429KB
MD5

23f50c4bff4b1018a5b24dca1e9a525d
SHA1

366ae616becd1beaa884ab87659468921a32b8ab
SHA256

636586494bbb8266d974ac3dd259d1290c94c96a98d00165c502aafbbca5447a
SHA512

3b8f205a2ae57be0635f470411afeacf4c95f83594d415bd0472f6afa0f50ed1b04e29a65e2db48b7ead45357f5aa602a8427e200b7dbedf4611a2dd062bbb16
SSDEEP

12288:uFwqoSpOurJqsoXlkY70Oti5RmgNmz5sCB:ubowfon0Wijmww

Score

10^/10

blacknet hacked trojan

Malware Config

Extracted

Family

blacknet

Version

v3.6.0 Public

Botnet

HacKed

http://bankslip.info/david/

Mutex

BN[lnUntCqW-7778345]

Attributes

antivm
false
elevate_uac
false
install_name
WindowsUpdate.exe
splitter
|BN|
start_name
a5b002eacf54590ec8401ff6d3f920ee
startup
false
usb_spread
false

Signatures

BlackNET
BlackNET is an open source remote access tool written in VB.NET.
trojan blacknet

BlackNET payload 5 IoCs

resource	yara_rule
behavioral1/memory/1252-59-0x0000000000400000-0x000000000041C000-memory.dmp	family_blacknet
behavioral1/memory/1252-60-0x0000000000400000-0x000000000041C000-memory.dmp	family_blacknet
behavioral1/memory/1252-62-0x0000000000400000-0x000000000041C000-memory.dmp	family_blacknet
behavioral1/memory/1252-65-0x0000000000400000-0x000000000041C000-memory.dmp	family_blacknet
behavioral1/memory/1252-67-0x0000000000400000-0x000000000041C000-memory.dmp	family_blacknet

Executes dropped EXE 64 IoCs

pid	Process
580	cmd.exe
1928	cmd.exe
452	cmd.exe
908	cmd.exe
364	cmd.exe
1160	cmd.exe
612	cmd.exe
1760	cmd.exe
1592	cmd.exe
1324	cmd.exe
520	cmd.exe
924	cmd.exe
1764	cmd.exe
700	cmd.exe
1148	cmd.exe
1992	cmd.exe
604	cmd.exe
856	cmd.exe
1972	cmd.exe
1796	cmd.exe
2000	cmd.exe
832	cmd.exe
2148	cmd.exe
2188	cmd.exe
2264	cmd.exe
2308	cmd.exe
2424	cmd.exe
2468	cmd.exe
2536	cmd.exe
2580	cmd.exe
2680	cmd.exe
2724	cmd.exe
2788	cmd.exe
2824	cmd.exe
2952	cmd.exe
2988	cmd.exe
3052	cmd.exe
2080	cmd.exe
2292	cmd.exe
2300	cmd.exe
2460	cmd.exe
2604	cmd.exe
2800	cmd.exe
2856	cmd.exe
2960	cmd.exe
2288	cmd.exe
2432	cmd.exe
2932	cmd.exe
2884	cmd.exe
2304	cmd.exe
2316	cmd.exe
3100	cmd.exe
3132	cmd.exe
3216	cmd.exe
3248	cmd.exe
3332	cmd.exe
3368	cmd.exe
3404	cmd.exe
3480	cmd.exe
3468	cmd.exe
3560	cmd.exe
3596	cmd.exe
3656	cmd.exe
3696	cmd.exe

Loads dropped DLL 64 IoCs

pid	Process
1540	636586494bbb8266d974ac3dd259d1290c94c96a98d00165c502aafbbca5447a.exe
1540	636586494bbb8266d974ac3dd259d1290c94c96a98d00165c502aafbbca5447a.exe
580	cmd.exe
580	cmd.exe
1928	cmd.exe
1928	cmd.exe
908	cmd.exe
908	cmd.exe
1160	cmd.exe
1160	cmd.exe
1760	cmd.exe
1760	cmd.exe
1324	cmd.exe
1324	cmd.exe
924	cmd.exe
924	cmd.exe
700	cmd.exe
700	cmd.exe
1992	cmd.exe
1992	cmd.exe
856	cmd.exe
856	cmd.exe
1796	cmd.exe
1796	cmd.exe
832	cmd.exe
832	cmd.exe
2188	cmd.exe
2188	cmd.exe
2308	cmd.exe
2308	cmd.exe
2468	cmd.exe
2468	cmd.exe
2580	cmd.exe
2580	cmd.exe
2724	cmd.exe
2724	cmd.exe
2824	cmd.exe
2824	cmd.exe
2988	cmd.exe
2988	cmd.exe
2080	cmd.exe
2080	cmd.exe
1540	636586494bbb8266d974ac3dd259d1290c94c96a98d00165c502aafbbca5447a.exe
2300	cmd.exe
2300	cmd.exe
2604	cmd.exe
2604	cmd.exe
580	cmd.exe
2800	cmd.exe
2800	cmd.exe
1928	cmd.exe
2960	cmd.exe
2960	cmd.exe
2432	cmd.exe
2432	cmd.exe
2932	cmd.exe
2932	cmd.exe
2304	cmd.exe
2304	cmd.exe
908	cmd.exe
2316	cmd.exe
2316	cmd.exe
1160	cmd.exe
3132	cmd.exe

Suspicious use of SetThreadContext 54 IoCs

description	pid	Process	procid_target
PID 1540 set thread context of 1252	1540	636586494bbb8266d974ac3dd259d1290c94c96a98d00165c502aafbbca5447a.exe	28
PID 580 set thread context of 452	580	cmd.exe	31
PID 1928 set thread context of 364	1928	cmd.exe	33
PID 908 set thread context of 612	908	cmd.exe	35
PID 1160 set thread context of 1592	1160	cmd.exe	37
PID 1760 set thread context of 520	1760	cmd.exe	39
PID 1324 set thread context of 1764	1324	cmd.exe	41
PID 924 set thread context of 1148	924	cmd.exe	43
PID 700 set thread context of 604	700	cmd.exe	45
PID 1992 set thread context of 1972	1992	cmd.exe	47
PID 856 set thread context of 2000	856	cmd.exe	49
PID 1796 set thread context of 2148	1796	cmd.exe	51
PID 832 set thread context of 2264	832	cmd.exe	53
PID 2188 set thread context of 2424	2188	cmd.exe	55
PID 2308 set thread context of 2536	2308	cmd.exe	57
PID 2468 set thread context of 2680	2468	cmd.exe	59
PID 2580 set thread context of 2788	2580	cmd.exe	61
PID 2724 set thread context of 2952	2724	cmd.exe	63
PID 2824 set thread context of 3052	2824	cmd.exe	65
PID 2988 set thread context of 2292	2988	cmd.exe	67
PID 2080 set thread context of 2460	2080	cmd.exe	69
PID 2300 set thread context of 2856	2300	cmd.exe	72
PID 2604 set thread context of 2288	2604	cmd.exe	74
PID 2800 set thread context of 2884	2800	cmd.exe	76
PID 2960 set thread context of 3100	2960	cmd.exe	80
PID 2432 set thread context of 3216	2432	cmd.exe	82
PID 2932 set thread context of 3332	2932	cmd.exe	84
PID 2304 set thread context of 3404	2304	cmd.exe	86
PID 2316 set thread context of 3560	2316	cmd.exe	89
PID 3132 set thread context of 3696	3132	cmd.exe	92
PID 3248 set thread context of 3796	3248	cmd.exe	94
PID 3368 set thread context of 3892	3368	cmd.exe	96
PID 3480 set thread context of 3948	3480	cmd.exe	98
PID 3468 set thread context of 3972	3468	cmd.exe	99
PID 3596 set thread context of 1112	3596	cmd.exe	102
PID 3656 set thread context of 3152	3656	cmd.exe	104
PID 3728 set thread context of 1752	3728	cmd.exe	108
PID 3828 set thread context of 4084	3828	cmd.exe	110
PID 3924 set thread context of 3704	3924	cmd.exe	112
PID 4016 set thread context of 3120	4016	cmd.exe	114
PID 4076 set thread context of 4192	4076	cmd.exe	117
PID 1384 set thread context of 4272	1384	cmd.exe	119
PID 3464 set thread context of 4412	3464	cmd.exe	121
PID 3412 set thread context of 4424	3412	cmd.exe	123
PID 3356 set thread context of 4432	3356	cmd.exe	122
PID 3956 set thread context of 4756	3956	cmd.exe	128
PID 3124 set thread context of 4860	3124	cmd.exe	130
PID 3920 set thread context of 4976	3920	cmd.exe	132
PID 3168 set thread context of 5088	3168	cmd.exe	134
PID 4124 set thread context of 5100	4124	cmd.exe	135
PID 4240 set thread context of 4116	4240	cmd.exe	136
PID 4324 set thread context of 4444	4324	cmd.exe	139
PID 4472 set thread context of 916	4472	cmd.exe	142
PID 4568 set thread context of 4984	4568	cmd.exe	146

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1252	636586494bbb8266d974ac3dd259d1290c94c96a98d00165c502aafbbca5447a.exe

Suspicious behavior: SetClipboardViewer 49 IoCs

pid	Process
364	cmd.exe
612	cmd.exe
1592	cmd.exe
520	cmd.exe
1764	cmd.exe
1148	cmd.exe
604	cmd.exe
1972	cmd.exe
2000	cmd.exe
2148	cmd.exe
2264	cmd.exe
2424	cmd.exe
2536	cmd.exe
2680	cmd.exe
2788	cmd.exe
2952	cmd.exe
3052	cmd.exe
2292	cmd.exe
2460	cmd.exe
2856	cmd.exe
2288	cmd.exe
2884	cmd.exe
3100	cmd.exe
3216	cmd.exe
3332	cmd.exe
3404	cmd.exe
3560	cmd.exe
3696	cmd.exe
3796	cmd.exe
3948	cmd.exe
3972	cmd.exe
1112	cmd.exe
3892	cmd.exe
3152	cmd.exe
1752	cmd.exe
4084	cmd.exe
3704	cmd.exe
3120	cmd.exe
4192	cmd.exe
4272	cmd.exe
4424	cmd.exe
4432	cmd.exe
4412	cmd.exe
4756	cmd.exe
4860	cmd.exe
4976	cmd.exe
5100	cmd.exe
4116	cmd.exe
4444	cmd.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1252	636586494bbb8266d974ac3dd259d1290c94c96a98d00165c502aafbbca5447a.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1252	636586494bbb8266d974ac3dd259d1290c94c96a98d00165c502aafbbca5447a.exe
1252	636586494bbb8266d974ac3dd259d1290c94c96a98d00165c502aafbbca5447a.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1540 wrote to memory of 1252	1540	636586494bbb8266d974ac3dd259d1290c94c96a98d00165c502aafbbca5447a.exe	28
PID 1540 wrote to memory of 1252	1540	636586494bbb8266d974ac3dd259d1290c94c96a98d00165c502aafbbca5447a.exe	28
PID 1540 wrote to memory of 1252	1540	636586494bbb8266d974ac3dd259d1290c94c96a98d00165c502aafbbca5447a.exe	28
PID 1540 wrote to memory of 1252	1540	636586494bbb8266d974ac3dd259d1290c94c96a98d00165c502aafbbca5447a.exe	28
PID 1540 wrote to memory of 1252	1540	636586494bbb8266d974ac3dd259d1290c94c96a98d00165c502aafbbca5447a.exe	28
PID 1540 wrote to memory of 1252	1540	636586494bbb8266d974ac3dd259d1290c94c96a98d00165c502aafbbca5447a.exe	28
PID 1540 wrote to memory of 1252	1540	636586494bbb8266d974ac3dd259d1290c94c96a98d00165c502aafbbca5447a.exe	28
PID 1540 wrote to memory of 1252	1540	636586494bbb8266d974ac3dd259d1290c94c96a98d00165c502aafbbca5447a.exe	28
PID 1540 wrote to memory of 1252	1540	636586494bbb8266d974ac3dd259d1290c94c96a98d00165c502aafbbca5447a.exe	28
PID 1540 wrote to memory of 1252	1540	636586494bbb8266d974ac3dd259d1290c94c96a98d00165c502aafbbca5447a.exe	28
PID 1540 wrote to memory of 1252	1540	636586494bbb8266d974ac3dd259d1290c94c96a98d00165c502aafbbca5447a.exe	28
PID 1540 wrote to memory of 1252	1540	636586494bbb8266d974ac3dd259d1290c94c96a98d00165c502aafbbca5447a.exe	28
PID 1540 wrote to memory of 580	1540	636586494bbb8266d974ac3dd259d1290c94c96a98d00165c502aafbbca5447a.exe	29
PID 1540 wrote to memory of 580	1540	636586494bbb8266d974ac3dd259d1290c94c96a98d00165c502aafbbca5447a.exe	29
PID 1540 wrote to memory of 580	1540	636586494bbb8266d974ac3dd259d1290c94c96a98d00165c502aafbbca5447a.exe	29
PID 1540 wrote to memory of 580	1540	636586494bbb8266d974ac3dd259d1290c94c96a98d00165c502aafbbca5447a.exe	29
PID 1540 wrote to memory of 580	1540	636586494bbb8266d974ac3dd259d1290c94c96a98d00165c502aafbbca5447a.exe	29
PID 1540 wrote to memory of 580	1540	636586494bbb8266d974ac3dd259d1290c94c96a98d00165c502aafbbca5447a.exe	29
PID 1540 wrote to memory of 580	1540	636586494bbb8266d974ac3dd259d1290c94c96a98d00165c502aafbbca5447a.exe	29
PID 1540 wrote to memory of 1928	1540	636586494bbb8266d974ac3dd259d1290c94c96a98d00165c502aafbbca5447a.exe	30
PID 1540 wrote to memory of 1928	1540	636586494bbb8266d974ac3dd259d1290c94c96a98d00165c502aafbbca5447a.exe	30
PID 1540 wrote to memory of 1928	1540	636586494bbb8266d974ac3dd259d1290c94c96a98d00165c502aafbbca5447a.exe	30
PID 1540 wrote to memory of 1928	1540	636586494bbb8266d974ac3dd259d1290c94c96a98d00165c502aafbbca5447a.exe	30
PID 1540 wrote to memory of 1928	1540	636586494bbb8266d974ac3dd259d1290c94c96a98d00165c502aafbbca5447a.exe	30
PID 1540 wrote to memory of 1928	1540	636586494bbb8266d974ac3dd259d1290c94c96a98d00165c502aafbbca5447a.exe	30
PID 1540 wrote to memory of 1928	1540	636586494bbb8266d974ac3dd259d1290c94c96a98d00165c502aafbbca5447a.exe	30
PID 580 wrote to memory of 452	580	cmd.exe	31
PID 580 wrote to memory of 452	580	cmd.exe	31
PID 580 wrote to memory of 452	580	cmd.exe	31
PID 580 wrote to memory of 452	580	cmd.exe	31
PID 580 wrote to memory of 452	580	cmd.exe	31
PID 580 wrote to memory of 452	580	cmd.exe	31
PID 580 wrote to memory of 452	580	cmd.exe	31
PID 580 wrote to memory of 452	580	cmd.exe	31
PID 580 wrote to memory of 452	580	cmd.exe	31
PID 580 wrote to memory of 452	580	cmd.exe	31
PID 580 wrote to memory of 452	580	cmd.exe	31
PID 580 wrote to memory of 452	580	cmd.exe	31
PID 580 wrote to memory of 908	580	cmd.exe	32
PID 580 wrote to memory of 908	580	cmd.exe	32
PID 580 wrote to memory of 908	580	cmd.exe	32
PID 580 wrote to memory of 908	580	cmd.exe	32
PID 580 wrote to memory of 908	580	cmd.exe	32
PID 580 wrote to memory of 908	580	cmd.exe	32
PID 580 wrote to memory of 908	580	cmd.exe	32
PID 1928 wrote to memory of 364	1928	cmd.exe	33
PID 1928 wrote to memory of 364	1928	cmd.exe	33
PID 1928 wrote to memory of 364	1928	cmd.exe	33
PID 1928 wrote to memory of 364	1928	cmd.exe	33
PID 1928 wrote to memory of 364	1928	cmd.exe	33
PID 1928 wrote to memory of 364	1928	cmd.exe	33
PID 1928 wrote to memory of 364	1928	cmd.exe	33
PID 1928 wrote to memory of 364	1928	cmd.exe	33
PID 1928 wrote to memory of 364	1928	cmd.exe	33
PID 1928 wrote to memory of 364	1928	cmd.exe	33
PID 1928 wrote to memory of 364	1928	cmd.exe	33
PID 1928 wrote to memory of 364	1928	cmd.exe	33
PID 1928 wrote to memory of 1160	1928	cmd.exe	34
PID 1928 wrote to memory of 1160	1928	cmd.exe	34
PID 1928 wrote to memory of 1160	1928	cmd.exe	34
PID 1928 wrote to memory of 1160	1928	cmd.exe	34
PID 1928 wrote to memory of 1160	1928	cmd.exe	34
PID 1928 wrote to memory of 1160	1928	cmd.exe	34
PID 1928 wrote to memory of 1160	1928	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\636586494bbb8266d974ac3dd259d1290c94c96a98d00165c502aafbbca5447a.exe
"C:\Users\Admin\AppData\Local\Temp\636586494bbb8266d974ac3dd259d1290c94c96a98d00165c502aafbbca5447a.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1540
- C:\Users\Admin\AppData\Local\Temp\636586494bbb8266d974ac3dd259d1290c94c96a98d00165c502aafbbca5447a.exe
  "C:\Users\Admin\AppData\Local\Temp\636586494bbb8266d974ac3dd259d1290c94c96a98d00165c502aafbbca5447a.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1252
- C:\Users\Admin\AppData\Local\Temp\cmd.exe
  "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:580
- - C:\Users\Admin\AppData\Local\Temp\cmd.exe
    "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
    3⤵
    - Executes dropped EXE
    PID:452
- - C:\Users\Admin\AppData\Local\Temp\cmd.exe
    "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    PID:908
  - - C:\Users\Admin\AppData\Local\Temp\cmd.exe
      "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: SetClipboardViewer
      PID:612
  - - C:\Users\Admin\AppData\Local\Temp\cmd.exe
      "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      PID:1760
    - - C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: SetClipboardViewer
        
        PID:520
    - - C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:924
      - C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: SetClipboardViewer
        
        PID:1148
      - C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:1992
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: SetClipboardViewer
        
        PID:1972
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:1796
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: SetClipboardViewer
        
        PID:2148
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:2188
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: SetClipboardViewer
        
        PID:2424
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:2468
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: SetClipboardViewer
        
        PID:2680
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:2724
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: SetClipboardViewer
        
        PID:2952
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:2988
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: SetClipboardViewer
        
        PID:2292
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:2300
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: SetClipboardViewer
        
        PID:2856
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:2960
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: SetClipboardViewer
        
        PID:3100
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:3132
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: SetClipboardViewer
        
        PID:3696
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        15⤵
        Suspicious use of SetThreadContext
        
        PID:3728
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        16⤵
        Suspicious behavior: SetClipboardViewer
        
        PID:1752
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        16⤵
        Suspicious use of SetThreadContext
        
        PID:3956
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        17⤵
        Suspicious behavior: SetClipboardViewer
        
        PID:4756
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        17⤵
        
        PID:4788
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        18⤵
        
        PID:5036
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        18⤵
        
        PID:4768
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        19⤵
        
        PID:6004
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        19⤵
        
        PID:6084
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        20⤵
        
        PID:5988
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        20⤵
        
        PID:6296
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        21⤵
        
        PID:3088
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
        16⤵
        
        PID:7320
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
        15⤵
        
        PID:2852
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
        14⤵
        
        PID:6844
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
        13⤵
        
        PID:6540
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
        12⤵
        
        PID:7040
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
        11⤵
        
        PID:6580
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
        10⤵
        
        PID:2356
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        11⤵
        
        PID:1756
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        11⤵
        
        PID:2676
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
        9⤵
        
        PID:5432
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        10⤵
        
        PID:6408
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        10⤵
        
        PID:6544
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
        8⤵
        
        PID:5456
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        9⤵
        
        PID:5512
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
        7⤵
        
        PID:4288
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        8⤵
        
        PID:5416
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        8⤵
        
        PID:5560
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        9⤵
        
        PID:5616
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        9⤵
        
        PID:5316
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        10⤵
        
        PID:6424
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        10⤵
        
        PID:6864
      - C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
        6⤵
        Suspicious use of SetThreadContext
        
        PID:3168
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        7⤵
        
        PID:5088
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        7⤵
        
        PID:4156
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        8⤵
        
        PID:5392
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        8⤵
        
        PID:5464
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        9⤵
        
        PID:5444
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        9⤵
        
        PID:5956
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        10⤵
        
        PID:6416
    - - C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
        5⤵
        Suspicious use of SetThreadContext
        
        PID:4016
      - C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        6⤵
        Suspicious behavior: SetClipboardViewer
        
        PID:3120
      - C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        6⤵
        Suspicious use of SetThreadContext
        
        PID:4124
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        7⤵
        Suspicious behavior: SetClipboardViewer
        
        PID:5100
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        7⤵
        
        PID:4260
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        8⤵
        
        PID:5436
    - - C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\cmd.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
        5⤵
        
        PID:7260
  - - C:\Users\Admin\AppData\Local\Temp\cmd.exe
      "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      PID:3480
    - - C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        5⤵
        Suspicious behavior: SetClipboardViewer
        
        PID:3948
    - - C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        5⤵
        Suspicious use of SetThreadContext
        
        PID:4076
      - C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        6⤵
        Suspicious behavior: SetClipboardViewer
        
        PID:4192
      - C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        6⤵
        Suspicious use of SetThreadContext
        
        PID:4240
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        7⤵
        Suspicious behavior: SetClipboardViewer
        
        PID:4116
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        7⤵
        
        PID:4468
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        8⤵
        
        PID:5492
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        8⤵
        
        PID:5824
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        9⤵
        
        PID:6032
    - - C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
        5⤵
        
        PID:7268
  - - C:\Users\Admin\AppData\Local\Temp\cmd.exe
      "cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\cmd.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
      4⤵
      PID:6452
- - C:\Users\Admin\AppData\Local\Temp\cmd.exe
    "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    PID:2932
  - - C:\Users\Admin\AppData\Local\Temp\cmd.exe
      "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: SetClipboardViewer
      PID:3332
  - - C:\Users\Admin\AppData\Local\Temp\cmd.exe
      "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      PID:3368
    - - C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        5⤵
        Suspicious behavior: SetClipboardViewer
        
        PID:3892
    - - C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        5⤵
        Suspicious use of SetThreadContext
        
        PID:3924
      - C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        6⤵
        Suspicious behavior: SetClipboardViewer
        
        PID:3704
      - C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        6⤵
        Suspicious use of SetThreadContext
        
        PID:3920
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        7⤵
        Suspicious behavior: SetClipboardViewer
        
        PID:4976
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        7⤵
        
        PID:5008
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        8⤵
        
        PID:5292
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        8⤵
        
        PID:5344
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        9⤵
        
        PID:5308
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        9⤵
        
        PID:5864
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        10⤵
        
        PID:6496
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        10⤵
        
        PID:6796
    - - C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
        5⤵
        
        PID:7208
  - - C:\Users\Admin\AppData\Local\Temp\cmd.exe
      "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
      4⤵
      PID:2660
- - C:\Users\Admin\AppData\Local\Temp\cmd.exe
    "cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\cmd.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
    3⤵
    PID:6600
- C:\Users\Admin\AppData\Local\Temp\cmd.exe
  "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1928
- - C:\Users\Admin\AppData\Local\Temp\cmd.exe
    "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: SetClipboardViewer
    PID:364
- - C:\Users\Admin\AppData\Local\Temp\cmd.exe
    "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    PID:1160
  - - C:\Users\Admin\AppData\Local\Temp\cmd.exe
      "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: SetClipboardViewer
      PID:1592
  - - C:\Users\Admin\AppData\Local\Temp\cmd.exe
      "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      PID:1324
    - - C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: SetClipboardViewer
        
        PID:1764
    - - C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:700
      - C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: SetClipboardViewer
        
        PID:604
      - C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:856
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: SetClipboardViewer
        
        PID:2000
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:832
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: SetClipboardViewer
        
        PID:2264
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:2308
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: SetClipboardViewer
        
        PID:2536
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:2580
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: SetClipboardViewer
        
        PID:2788
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:2824
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: SetClipboardViewer
        
        PID:3052
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:2080
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: SetClipboardViewer
        
        PID:2460
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:2604
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: SetClipboardViewer
        
        PID:2288
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:2432
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: SetClipboardViewer
        
        PID:3216
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        14⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3248
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        15⤵
        Suspicious behavior: SetClipboardViewer
        
        PID:3796
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        15⤵
        Suspicious use of SetThreadContext
        
        PID:3828
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        16⤵
        Suspicious behavior: SetClipboardViewer
        
        PID:4084
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        16⤵
        Suspicious use of SetThreadContext
        
        PID:3124
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        17⤵
        Suspicious behavior: SetClipboardViewer
        
        PID:4860
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        17⤵
        
        PID:4892
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        18⤵
        
        PID:5192
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        18⤵
        
        PID:5232
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        19⤵
        
        PID:6036
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        19⤵
        
        PID:5532
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        20⤵
        
        PID:6364
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
        15⤵
        
        PID:7172
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
        14⤵
        
        PID:6996
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
        13⤵
        
        PID:6604
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
        12⤵
        
        PID:7088
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
        11⤵
        
        PID:6704
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
        10⤵
        
        PID:6240
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        11⤵
        
        PID:6636
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        11⤵
        
        PID:6732
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
        9⤵
        
        PID:5688
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        10⤵
        
        PID:6516
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        10⤵
        
        PID:6808
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
        8⤵
        
        PID:5700
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        9⤵
        
        PID:5644
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        9⤵
        
        PID:5200
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        10⤵
        
        PID:6780
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        10⤵
        
        PID:6976
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
        7⤵
        
        PID:4912
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        8⤵
        
        PID:5628
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        8⤵
        
        PID:5892
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        9⤵
        
        PID:2400
      - C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
        6⤵
        Suspicious use of SetThreadContext
        
        PID:4472
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        7⤵
        
        PID:916
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        7⤵
        
        PID:4936
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        8⤵
        
        PID:5648
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        8⤵
        
        PID:5916
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        9⤵
        
        PID:5964
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        9⤵
        
        PID:6228
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        10⤵
        
        PID:7020
    - - C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
        5⤵
        Suspicious use of SetThreadContext
        
        PID:3412
      - C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        6⤵
        Suspicious behavior: SetClipboardViewer
        
        PID:4424
      - C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        6⤵
        Suspicious use of SetThreadContext
        
        PID:4568
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        7⤵
        
        PID:4984
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        7⤵
        
        PID:4304
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        8⤵
        
        PID:5764
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        8⤵
        
        PID:5980
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        9⤵
        
        PID:5976
    - - C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\cmd.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
        5⤵
        
        PID:7292
  - - C:\Users\Admin\AppData\Local\Temp\cmd.exe
      "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      PID:3656
    - - C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        5⤵
        Suspicious behavior: SetClipboardViewer
        
        PID:3152
    - - C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        5⤵
        Suspicious use of SetThreadContext
        
        PID:3464
      - C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        6⤵
        Suspicious behavior: SetClipboardViewer
        
        PID:4412
      - C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        6⤵
        
        PID:4588
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        7⤵
        
        PID:5000
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        7⤵
        
        PID:4808
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        8⤵
        
        PID:5876
    - - C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
        5⤵
        
        PID:7276
  - - C:\Users\Admin\AppData\Local\Temp\cmd.exe
      "cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\cmd.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
      4⤵
      PID:2712
- - C:\Users\Admin\AppData\Local\Temp\cmd.exe
    "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    PID:2316
  - - C:\Users\Admin\AppData\Local\Temp\cmd.exe
      "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: SetClipboardViewer
      PID:3560
  - - C:\Users\Admin\AppData\Local\Temp\cmd.exe
      "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      PID:3596
    - - C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        5⤵
        Suspicious behavior: SetClipboardViewer
        
        PID:1112
    - - C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        5⤵
        Suspicious use of SetThreadContext
        
        PID:3356
      - C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        6⤵
        Suspicious behavior: SetClipboardViewer
        
        PID:4432
      - C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        6⤵
        
        PID:4536
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        7⤵
        
        PID:5112
    - - C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
        5⤵
        
        PID:7300
  - - C:\Users\Admin\AppData\Local\Temp\cmd.exe
      "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
      4⤵
      PID:1520
- - C:\Users\Admin\AppData\Local\Temp\cmd.exe
    "cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\cmd.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
    3⤵
    PID:2924
- C:\Users\Admin\AppData\Local\Temp\cmd.exe
  "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  PID:2800
- - C:\Users\Admin\AppData\Local\Temp\cmd.exe
    "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: SetClipboardViewer
    PID:2884
- - C:\Users\Admin\AppData\Local\Temp\cmd.exe
    "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    PID:2304
  - - C:\Users\Admin\AppData\Local\Temp\cmd.exe
      "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: SetClipboardViewer
      PID:3404
  - - C:\Users\Admin\AppData\Local\Temp\cmd.exe
      "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      PID:3468
    - - C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        5⤵
        Suspicious behavior: SetClipboardViewer
        
        PID:3972
    - - C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        5⤵
        Suspicious use of SetThreadContext
        
        PID:1384
      - C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        6⤵
        Suspicious behavior: SetClipboardViewer
        
        PID:4272
      - C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        6⤵
        Suspicious use of SetThreadContext
        
        PID:4324
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        7⤵
        Suspicious behavior: SetClipboardViewer
        
        PID:4444
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        7⤵
        
        PID:4752
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        8⤵
        
        PID:5536
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        8⤵
        
        PID:5808
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        9⤵
        
        PID:5868
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        9⤵
        
        PID:5844
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        10⤵
        
        PID:6508
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
        10⤵
        
        PID:6820
    - - C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
        5⤵
        
        PID:7248
  - - C:\Users\Admin\AppData\Local\Temp\cmd.exe
      "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
      4⤵
      PID:2256
- - C:\Users\Admin\AppData\Local\Temp\cmd.exe
    "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
    3⤵
    PID:6616
- C:\Users\Admin\AppData\Local\Temp\cmd.exe
  "cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\636586494bbb8266d974ac3dd259d1290c94c96a98d00165c502aafbbca5447a.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
  2⤵
  PID:7132

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
1024KB

MD5
f42fcf497f956a3652942c352fe4106e

SHA1
f7fbf7918016b1514dec2107b35534254f37bf59

SHA256
184b53e92a87609570934502307e88bcc142b237408d85e5ee54fec4d7e0bc27

SHA512
1aaf5e4091bbaf63790dafdd148b152212c0b7f34ec049763d0de2e503bc9d308eb99d3820c3332b4457e629939f37cfc1a07ce1df2870401a4651958f6d7585

Download Submit
memory/364-100-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/452-84-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/452-83-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/452-82-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/452-85-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/452-86-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/452-87-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/452-92-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/452-94-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/452-110-0x00000000011B0000-0x00000000011F0000-memory.dmp

Filesize
256KB

Download
memory/520-157-0x0000000004840000-0x0000000004880000-memory.dmp

Filesize
256KB

Download
memory/580-74-0x0000000001350000-0x0000000001388000-memory.dmp

Filesize
224KB

Download
memory/580-78-0x0000000001160000-0x00000000011A0000-memory.dmp

Filesize
256KB

Download
memory/580-80-0x00000000002A0000-0x00000000002B8000-memory.dmp

Filesize
96KB

Download
memory/580-141-0x0000000001160000-0x00000000011A0000-memory.dmp

Filesize
256KB

Download
memory/700-172-0x0000000004C10000-0x0000000004C50000-memory.dmp

Filesize
256KB

Download
memory/908-173-0x00000000011A0000-0x00000000011E0000-memory.dmp

Filesize
256KB

Download
memory/908-109-0x00000000011A0000-0x00000000011E0000-memory.dmp

Filesize
256KB

Download
memory/916-768-0x0000000001230000-0x0000000001270000-memory.dmp

Filesize
256KB

Download
memory/924-156-0x0000000001230000-0x0000000001270000-memory.dmp

Filesize
256KB

Download
memory/924-233-0x0000000001230000-0x0000000001270000-memory.dmp

Filesize
256KB

Download
memory/1148-202-0x0000000000460000-0x00000000004A0000-memory.dmp

Filesize
256KB

Download
memory/1252-77-0x0000000000C80000-0x0000000000CC0000-memory.dmp

Filesize
256KB

Download
memory/1252-59-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1252-62-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1252-65-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1252-61-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1252-60-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1252-79-0x0000000000C80000-0x0000000000CC0000-memory.dmp

Filesize
256KB

Download
memory/1252-58-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1252-57-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1252-67-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1540-56-0x0000000000CF0000-0x0000000000E0C000-memory.dmp

Filesize
1.1MB

Download
memory/1540-55-0x0000000000C50000-0x0000000000C90000-memory.dmp

Filesize
256KB

Download
memory/1540-54-0x0000000001110000-0x0000000001182000-memory.dmp

Filesize
456KB

Download
memory/1540-111-0x0000000000C50000-0x0000000000C90000-memory.dmp

Filesize
256KB

Download
memory/1760-140-0x0000000004940000-0x0000000004980000-memory.dmp

Filesize
256KB

Download
memory/1796-232-0x0000000000210000-0x0000000000250000-memory.dmp

Filesize
256KB

Download
memory/1992-200-0x0000000000330000-0x0000000000370000-memory.dmp

Filesize
256KB

Download
memory/1992-264-0x0000000000330000-0x0000000000370000-memory.dmp

Filesize
256KB

Download
memory/2080-345-0x0000000000DB0000-0x0000000000DF0000-memory.dmp

Filesize
256KB

Download
memory/2188-248-0x0000000000B90000-0x0000000000BD0000-memory.dmp

Filesize
256KB

Download
memory/2288-557-0x0000000004B30000-0x0000000004B70000-memory.dmp

Filesize
256KB

Download
memory/2300-475-0x0000000000980000-0x00000000009C0000-memory.dmp

Filesize
256KB

Download
memory/2300-366-0x0000000000980000-0x00000000009C0000-memory.dmp

Filesize
256KB

Download
memory/2308-263-0x0000000004920000-0x0000000004960000-memory.dmp

Filesize
256KB

Download
memory/2680-323-0x0000000000EF0000-0x0000000000F30000-memory.dmp

Filesize
256KB

Download
memory/2724-322-0x0000000000BB0000-0x0000000000BF0000-memory.dmp

Filesize
256KB

Download
memory/2724-382-0x0000000000BB0000-0x0000000000BF0000-memory.dmp

Filesize
256KB

Download
memory/2788-321-0x0000000000090000-0x00000000000A8000-memory.dmp

Filesize
96KB

Download
memory/2988-334-0x0000000000EA0000-0x0000000000EE0000-memory.dmp

Filesize
256KB

Download
memory/2988-403-0x0000000000EA0000-0x0000000000EE0000-memory.dmp

Filesize
256KB

Download
memory/3132-656-0x0000000001210000-0x0000000001250000-memory.dmp

Filesize
256KB

Download
memory/3368-464-0x0000000000CF0000-0x0000000000D30000-memory.dmp

Filesize
256KB

Download
memory/4016-536-0x0000000000640000-0x0000000000680000-memory.dmp

Filesize
256KB

Download
memory/4116-760-0x00000000048E0000-0x0000000004920000-memory.dmp

Filesize
256KB

Download
memory/4260-747-0x00000000007E0000-0x0000000000820000-memory.dmp

Filesize
256KB

Download
memory/4272-638-0x0000000000690000-0x00000000006D0000-memory.dmp

Filesize
256KB

Download
memory/4288-744-0x00000000012B0000-0x00000000012F0000-memory.dmp

Filesize
256KB

Download
memory/4412-645-0x0000000004920000-0x0000000004960000-memory.dmp

Filesize
256KB

Download
memory/4424-643-0x0000000000AD0000-0x0000000000B10000-memory.dmp

Filesize
256KB

Download
memory/4432-644-0x0000000004BD0000-0x0000000004C10000-memory.dmp

Filesize
256KB

Download
memory/4444-762-0x0000000004830000-0x0000000004870000-memory.dmp

Filesize
256KB

Download
memory/4468-750-0x0000000000A50000-0x0000000000A90000-memory.dmp

Filesize
256KB

Download
memory/4472-639-0x0000000001270000-0x00000000012B0000-memory.dmp

Filesize
256KB

Download
memory/4536-642-0x0000000001290000-0x00000000012D0000-memory.dmp

Filesize
256KB

Download
memory/4568-640-0x0000000004940000-0x0000000004980000-memory.dmp

Filesize
256KB

Download
memory/4588-641-0x0000000004930000-0x0000000004970000-memory.dmp

Filesize
256KB

Download
memory/4752-758-0x0000000000CF0000-0x0000000000D30000-memory.dmp

Filesize
256KB

Download
memory/4768-783-0x00000000012A0000-0x00000000012E0000-memory.dmp

Filesize
256KB

Download
memory/4788-657-0x0000000000CD0000-0x0000000000D10000-memory.dmp

Filesize
256KB

Download
memory/4912-764-0x0000000001250000-0x0000000001290000-memory.dmp

Filesize
256KB

Download
memory/4936-765-0x0000000001290000-0x00000000012D0000-memory.dmp

Filesize
256KB

Download
memory/4984-781-0x0000000004A80000-0x0000000004AC0000-memory.dmp

Filesize
256KB

Download
memory/5000-782-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/5036-784-0x0000000004A60000-0x0000000004AA0000-memory.dmp

Filesize
256KB

Download
memory/5088-753-0x0000000004940000-0x0000000004980000-memory.dmp

Filesize
256KB

Download
memory/5100-756-0x0000000004B80000-0x0000000004BC0000-memory.dmp

Filesize
256KB

Download
memory/5492-895-0x0000000004B00000-0x0000000004B40000-memory.dmp

Filesize
256KB

Download
memory/5648-900-0x0000000004980000-0x00000000049C0000-memory.dmp

Filesize
256KB

Download
memory/6084-890-0x0000000000810000-0x0000000000850000-memory.dmp

Filesize
256KB

Download