92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8

Analysis

max time kernel
81s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
13-10-2023 15:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe
Size

1.5MB
MD5

a440455e44db9efa20722a7c1cf1d24f
SHA1

cb514c134e0b2d211110d3de2962598fa3544de2
SHA256

92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8
SHA512

6bb8392a0044be837ec859fd20d38a2151654ec9d7e941e640b827733e7a5961e651abe4952f417c13071cceaba4ffcab27063879f5aeafe8b56626023029c42
SSDEEP

24576:Qm5EF5/i9TheNfrObfAmIC2qCuN8JsU3Aot+Ec0xMkEqqIP2ItdO:d5+q9+T3mIiqqIP2ItdO

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
4736	92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe
5624	92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe
5752	92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe
5944	92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe
6124	92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe
6824	92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe
6904	92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe
6980	92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe
7140	92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe
6376	92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe
6596	92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe
6132	92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe
6964	92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe
7040	92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe
6552	92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe
7124	cmd.exe
7212	92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe
7288	92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe
7364	92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe
7440	92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe
7524	92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe
7600	92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe
7676	92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe
7752	92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe
7828	92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe
7904	92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe
7980	92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe
8056	92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe
8132	92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe
6516	92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe
7376	92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe
7588	cmd.exe
8232	92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad85.exe
8216	92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad88.exe
8224	92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad89.exe
8424	92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad88.exe
4764	92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad83.exe
5384	92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe
10196	92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad88.exe
10212	92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad85.exe
10224	92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad88.exe
8404	92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad88.exe
8304	92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad88.exe
5564	92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad88.exe
5556	92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad88.exe
10380	92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad85.exe
10388	92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad88.exe
10284	92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad88.exe
9304	92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad88.exe
9848	92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad85.exe
9460	92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad88.exe
12300	92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad85.exe
13164	92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad827.exe
10480	92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad827.exe
10888	92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad827.exe
5124	92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad827.exe
12144	92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad827.exe
10180	92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad827.exe
10764	92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad827.exe
10944	92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad827.exe
8576	92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad821.exe
13144	92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad824.exe
3440	92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad824.exe
3812	92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad824.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1808-0-0x0000000000400000-0x000000000061D000-memory.dmp	upx
behavioral2/memory/1808-8-0x0000000000400000-0x000000000061D000-memory.dmp	upx
behavioral2/memory/1372-9-0x0000000000400000-0x000000000061D000-memory.dmp	upx
behavioral2/memory/5080-13-0x0000000000400000-0x000000000061D000-memory.dmp	upx
behavioral2/memory/2088-14-0x0000000000400000-0x000000000061D000-memory.dmp	upx
behavioral2/memory/392-16-0x0000000000400000-0x000000000061D000-memory.dmp	upx
behavioral2/memory/1772-19-0x0000000000400000-0x000000000061D000-memory.dmp	upx
behavioral2/memory/3688-20-0x0000000000400000-0x000000000061D000-memory.dmp	upx
behavioral2/memory/3992-21-0x0000000000400000-0x000000000061D000-memory.dmp	upx
behavioral2/memory/4008-22-0x0000000000400000-0x000000000061D000-memory.dmp	upx
behavioral2/memory/3736-23-0x0000000000400000-0x000000000061D000-memory.dmp	upx
behavioral2/memory/2176-24-0x0000000000400000-0x000000000061D000-memory.dmp	upx
behavioral2/files/0x00070000000231d3-33.dat	upx
behavioral2/files/0x00070000000231e2-54.dat	upx
behavioral2/memory/2832-55-0x0000000000400000-0x000000000061D000-memory.dmp	upx
behavioral2/memory/2708-56-0x0000000000400000-0x000000000061D000-memory.dmp	upx
behavioral2/memory/3740-57-0x0000000000400000-0x000000000061D000-memory.dmp	upx
behavioral2/memory/4564-58-0x0000000000400000-0x000000000061D000-memory.dmp	upx
behavioral2/memory/4604-59-0x0000000000400000-0x000000000061D000-memory.dmp	upx
behavioral2/memory/2792-60-0x0000000000400000-0x000000000061D000-memory.dmp	upx
behavioral2/memory/5028-61-0x0000000000400000-0x000000000061D000-memory.dmp	upx
behavioral2/memory/4040-62-0x0000000000400000-0x000000000061D000-memory.dmp	upx
behavioral2/files/0x00070000000231d3-63.dat	upx
behavioral2/files/0x00070000000231d3-64.dat	upx
behavioral2/files/0x00070000000231d3-66.dat	upx
behavioral2/files/0x00070000000231d3-69.dat	upx
behavioral2/files/0x00070000000231d3-70.dat	upx
behavioral2/files/0x00070000000231d3-71.dat	upx
behavioral2/files/0x00070000000231d3-68.dat	upx
behavioral2/files/0x00070000000231d3-67.dat	upx
behavioral2/files/0x00070000000231d3-72.dat	upx
behavioral2/files/0x00070000000231d3-73.dat	upx
behavioral2/files/0x00070000000231d3-78.dat	upx
behavioral2/files/0x00070000000231d3-85.dat	upx
behavioral2/files/0x00070000000231d3-95.dat	upx
behavioral2/files/0x00070000000231d3-94.dat	upx
behavioral2/files/0x00070000000231d3-93.dat	upx
behavioral2/files/0x00070000000231d3-92.dat	upx
behavioral2/files/0x00070000000231d3-91.dat	upx
behavioral2/files/0x00070000000231d5-110.dat	upx
behavioral2/memory/1372-130-0x0000000000400000-0x000000000061D000-memory.dmp	upx
behavioral2/files/0x00070000000231d3-90.dat	upx
behavioral2/memory/3976-133-0x0000000000400000-0x000000000061D000-memory.dmp	upx
behavioral2/memory/3824-134-0x0000000000400000-0x000000000061D000-memory.dmp	upx
behavioral2/memory/552-135-0x0000000000400000-0x000000000061D000-memory.dmp	upx
behavioral2/memory/3644-137-0x0000000000400000-0x000000000061D000-memory.dmp	upx
behavioral2/memory/3480-141-0x0000000000400000-0x000000000061D000-memory.dmp	upx
behavioral2/memory/2376-140-0x0000000000400000-0x000000000061D000-memory.dmp	upx
behavioral2/memory/4572-138-0x0000000000400000-0x000000000061D000-memory.dmp	upx
behavioral2/memory/4140-136-0x0000000000400000-0x000000000061D000-memory.dmp	upx
behavioral2/files/0x00070000000231d3-89.dat	upx
behavioral2/memory/4136-145-0x0000000000400000-0x000000000061D000-memory.dmp	upx
behavioral2/memory/2144-147-0x0000000000400000-0x000000000061D000-memory.dmp	upx
behavioral2/memory/4384-149-0x0000000000400000-0x000000000061D000-memory.dmp	upx
behavioral2/memory/2156-148-0x0000000000400000-0x000000000061D000-memory.dmp	upx
behavioral2/files/0x00070000000231d3-88.dat	upx
behavioral2/files/0x00070000000231d3-87.dat	upx
behavioral2/files/0x00070000000231d3-86.dat	upx
behavioral2/memory/5528-156-0x0000000000400000-0x000000000061D000-memory.dmp	upx
behavioral2/files/0x00070000000231d3-84.dat	upx
behavioral2/memory/5752-159-0x0000000000400000-0x000000000061D000-memory.dmp	upx
behavioral2/files/0x00070000000231d3-83.dat	upx
behavioral2/files/0x00070000000231d3-82.dat	upx
behavioral2/memory/6124-162-0x0000000000400000-0x000000000061D000-memory.dmp	upx

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Kills process with taskkill 32 IoCs

evasion

pid	Process
12860	taskkill.exe
13128	taskkill.exe
13252	taskkill.exe
13236	taskkill.exe
14468	taskkill.exe
8636	taskkill.exe
12868	taskkill.exe
12800	taskkill.exe
13276	taskkill.exe
13720	taskkill.exe
12828	taskkill.exe
13300	taskkill.exe
13244	taskkill.exe
12884	taskkill.exe
12752	taskkill.exe
12936	taskkill.exe
5404	taskkill.exe
12892	taskkill.exe
12852	taskkill.exe
12836	taskkill.exe
13712	taskkill.exe
10960	taskkill.exe
5288	taskkill.exe
2460	taskkill.exe
12876	taskkill.exe
12844	taskkill.exe
10488	taskkill.exe
13208	taskkill.exe
12236	taskkill.exe
12808	taskkill.exe
12952	taskkill.exe
14504	taskkill.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
9492	msedge.exe
9492	msedge.exe
9492	msedge.exe
9492	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeCreateTokenPrivilege	1808	92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe
Token: SeAssignPrimaryTokenPrivilege	1808	92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe
Token: SeLockMemoryPrivilege	1808	92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe
Token: SeIncreaseQuotaPrivilege	1808	92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe
Token: SeMachineAccountPrivilege	1808	92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe
Token: SeTcbPrivilege	1808	92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe
Token: SeSecurityPrivilege	1808	92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe
Token: SeTakeOwnershipPrivilege	1808	92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe
Token: SeLoadDriverPrivilege	1808	92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe
Token: SeSystemProfilePrivilege	1808	92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe
Token: SeSystemtimePrivilege	1808	92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe
Token: SeProfSingleProcessPrivilege	1808	92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe
Token: SeIncBasePriorityPrivilege	1808	92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe
Token: SeCreatePagefilePrivilege	1808	92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe
Token: SeCreatePermanentPrivilege	1808	92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe
Token: SeBackupPrivilege	1808	92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe
Token: SeRestorePrivilege	1808	92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe
Token: SeShutdownPrivilege	1808	92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe
Token: SeDebugPrivilege	1808	92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe
Token: SeAuditPrivilege	1808	92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe
Token: SeSystemEnvironmentPrivilege	1808	92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe
Token: SeChangeNotifyPrivilege	1808	92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe
Token: SeRemoteShutdownPrivilege	1808	92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe
Token: SeUndockPrivilege	1808	92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe
Token: SeSyncAgentPrivilege	1808	92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe
Token: SeEnableDelegationPrivilege	1808	92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe
Token: SeManageVolumePrivilege	1808	92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe
Token: SeImpersonatePrivilege	1808	92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe
Token: SeCreateGlobalPrivilege	1808	92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe
Token: 31	1808	92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe
Token: 32	1808	92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe
Token: 33	1808	92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe
Token: 34	1808	92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe
Token: 35	1808	92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe
Token: SeCreateTokenPrivilege	1372	92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe
Token: SeAssignPrimaryTokenPrivilege	1372	92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe
Token: SeLockMemoryPrivilege	1372	92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe
Token: SeIncreaseQuotaPrivilege	1372	92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe
Token: SeMachineAccountPrivilege	1372	92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe
Token: SeTcbPrivilege	1372	92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe
Token: SeSecurityPrivilege	1372	92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe
Token: SeTakeOwnershipPrivilege	1372	92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe
Token: SeLoadDriverPrivilege	1372	92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe
Token: SeSystemProfilePrivilege	1372	92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe
Token: SeSystemtimePrivilege	1372	92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe
Token: SeProfSingleProcessPrivilege	1372	92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe
Token: SeIncBasePriorityPrivilege	1372	92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe
Token: SeCreatePagefilePrivilege	1372	92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe
Token: SeCreatePermanentPrivilege	1372	92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe
Token: SeBackupPrivilege	1372	92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe
Token: SeRestorePrivilege	1372	92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe
Token: SeShutdownPrivilege	1372	92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe
Token: SeDebugPrivilege	1372	92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe
Token: SeAuditPrivilege	1372	92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe
Token: SeSystemEnvironmentPrivilege	1372	92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe
Token: SeChangeNotifyPrivilege	1372	92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe
Token: SeRemoteShutdownPrivilege	1372	92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe
Token: SeUndockPrivilege	1372	92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe
Token: SeSyncAgentPrivilege	1372	92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe
Token: SeEnableDelegationPrivilege	1372	92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe
Token: SeManageVolumePrivilege	1372	92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe
Token: SeImpersonatePrivilege	1372	92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe
Token: SeCreateGlobalPrivilege	1372	92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe
Token: 31	1372	92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1808 wrote to memory of 4944	1808	92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe	84
PID 1808 wrote to memory of 4944	1808	92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe	84
PID 4944 wrote to memory of 1372	4944	cmd.exe	86
PID 4944 wrote to memory of 1372	4944	cmd.exe	86
PID 1808 wrote to memory of 5116	1808	92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe	88
PID 1808 wrote to memory of 5116	1808	92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe	88
PID 5116 wrote to memory of 5080	5116	cmd.exe	89
PID 5116 wrote to memory of 5080	5116	cmd.exe	89
PID 1372 wrote to memory of 868	1372	92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe	91
PID 1372 wrote to memory of 868	1372	92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe	91
PID 1808 wrote to memory of 4548	1808	92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe	92
PID 1808 wrote to memory of 4548	1808	92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe	92
PID 1372 wrote to memory of 4792	1372	92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe	93
PID 1372 wrote to memory of 4792	1372	92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe	93
PID 4548 wrote to memory of 2088	4548	cmd.exe	94
PID 4548 wrote to memory of 2088	4548	cmd.exe	94
PID 1808 wrote to memory of 3380	1808	92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe	96
PID 1808 wrote to memory of 3380	1808	92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe	96
PID 3380 wrote to memory of 392	3380	cmd.exe	97
PID 3380 wrote to memory of 392	3380	cmd.exe	97
PID 1808 wrote to memory of 4916	1808	92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe	99
PID 1808 wrote to memory of 4916	1808	92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe	99
PID 4916 wrote to memory of 1772	4916	cmd.exe	101
PID 4916 wrote to memory of 1772	4916	cmd.exe	101
PID 2088 wrote to memory of 4168	2088	92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe	100
PID 2088 wrote to memory of 4168	2088	92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe	100
PID 2088 wrote to memory of 2996	2088	92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe	105
PID 2088 wrote to memory of 2996	2088	92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe	105
PID 1808 wrote to memory of 4868	1808	92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe	106
PID 1808 wrote to memory of 4868	1808	92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe	106
PID 4868 wrote to memory of 3688	4868	cmd.exe	107
PID 4868 wrote to memory of 3688	4868	cmd.exe	107
PID 1772 wrote to memory of 3840	1772	92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe	111
PID 1772 wrote to memory of 3840	1772	92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe	111
PID 1808 wrote to memory of 1404	1808	92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe	110
PID 1808 wrote to memory of 1404	1808	92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe	110
PID 1404 wrote to memory of 3992	1404	cmd.exe	112
PID 1404 wrote to memory of 3992	1404	cmd.exe	112
PID 1808 wrote to memory of 3444	1808	92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe	180
PID 1808 wrote to memory of 3444	1808	92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe	180
PID 3444 wrote to memory of 4008	3444	Conhost.exe	115
PID 3444 wrote to memory of 4008	3444	Conhost.exe	115
PID 1808 wrote to memory of 5028	1808	92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe	181
PID 1808 wrote to memory of 5028	1808	92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe	181
PID 3992 wrote to memory of 2328	3992	92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe	118
PID 3992 wrote to memory of 2328	3992	92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe	118
PID 5028 wrote to memory of 3736	5028	92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe	119
PID 5028 wrote to memory of 3736	5028	92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe	119
PID 1808 wrote to memory of 4560	1808	92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe	121
PID 1808 wrote to memory of 4560	1808	92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe	121
PID 4560 wrote to memory of 2176	4560	cmd.exe	122
PID 4560 wrote to memory of 2176	4560	cmd.exe	122
PID 1808 wrote to memory of 3008	1808	92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe	241
PID 1808 wrote to memory of 3008	1808	92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe	241
PID 3736 wrote to memory of 1008	3736	92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe	125
PID 3736 wrote to memory of 1008	3736	92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe	125
PID 3008 wrote to memory of 3976	3008	92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe	128
PID 3008 wrote to memory of 3976	3008	92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe	128
PID 1808 wrote to memory of 3000	1808	92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe	126
PID 1808 wrote to memory of 3000	1808	92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe	126
PID 3000 wrote to memory of 3824	3000	cmd.exe	129
PID 3000 wrote to memory of 3824	3000	cmd.exe	129
PID 3736 wrote to memory of 3944	3736	92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe	477
PID 3736 wrote to memory of 3944	3736	92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe	477

C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe
"C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1808
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /protect 1697209601
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4944
- - C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe
    C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /protect 1697209601
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1372
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe+226792.txt C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe
      4⤵
      PID:868
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe 1697209601
      4⤵
      PID:4792
    - - C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe
        
        C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe 1697209601
        5⤵
        Executes dropped EXE
        
        PID:4736
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe /protect 1697209601
        6⤵
        
        PID:5540
        
        C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe
        
        C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe /protect 1697209601
        7⤵
        Executes dropped EXE
        
        PID:5624
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe+41635.txt C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad824.exe
        8⤵
        
        PID:9340
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        9⤵
        Kills process with taskkill
        
        PID:10960
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad824.exe 1697209601
        8⤵
        
        PID:5364
        
        C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad824.exe
        
        C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad824.exe 1697209601
        9⤵
        Executes dropped EXE
        
        PID:13144
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad824.exe /autoup 1697209601
        10⤵
        
        PID:14056
        
        C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad824.exe
        
        C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad824.exe /autoup 1697209601
        11⤵
        
        PID:640
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cpoy C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad824.exe C:\windows\system32\taskmgr.exe
        10⤵
        
        PID:14116
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe+814775.txt C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad828.exe
        8⤵
        
        PID:13492
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad828.exe 1697209601
        8⤵
        
        PID:5096
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe /protect 1697209601
        6⤵
        
        PID:6784
        
        C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe
        
        C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe /protect 1697209601
        7⤵
        Executes dropped EXE
        
        PID:6824
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe+123132.txt C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad821.exe
        8⤵
        
        PID:9940
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad821.exe 1697209601
        8⤵
        
        PID:8668
        
        C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad821.exe
        
        C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad821.exe 1697209601
        9⤵
        Executes dropped EXE
        
        PID:8576
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        10⤵
        
        PID:13892
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        11⤵
        Kills process with taskkill
        
        PID:13208
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe+922628.txt C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad829.exe
        8⤵
        
        PID:10872
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad829.exe 1697209601
        8⤵
        
        PID:15100
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe /save 1697209601
        6⤵
        
        PID:6876
        
        C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe
        
        C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe /save 1697209601
        7⤵
        Executes dropped EXE
        
        PID:6904
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe /protect 1697209601
        6⤵
        
        PID:6960
        
        C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe
        
        C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe /protect 1697209601
        7⤵
        Executes dropped EXE
        
        PID:6980
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe+41113.txt C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad824.exe
        8⤵
        
        PID:10460
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad824.exe 1697209601
        8⤵
        
        PID:12340
        
        C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad824.exe
        
        C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad824.exe 1697209601
        9⤵
        Executes dropped EXE
        
        PID:3812
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cpoy C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad824.exe C:\windows\system32\taskmgr.exe
        10⤵
        
        PID:14072
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe+326555.txt C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad823.exe
        8⤵
        
        PID:13468
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad823.exe 1697209601
        8⤵
        
        PID:15084
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe /save 1697209601
        6⤵
        
        PID:7036
        
        C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe
        
        C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe /save 1697209601
        7⤵
        Executes dropped EXE
        
        PID:7140
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe /save 1697209601
        6⤵
        
        PID:6048
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe /protect 1697209601
        6⤵
        
        PID:6228
        
        C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe
        
        C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe /protect 1697209601
        7⤵
        Executes dropped EXE
        
        PID:6376
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe+711861.txt C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad827.exe
        8⤵
        
        PID:10940
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad827.exe 1697209601
        8⤵
        
        PID:12364
        
        C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad827.exe
        
        C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad827.exe 1697209601
        9⤵
        Executes dropped EXE
        
        PID:10944
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        10⤵
        
        PID:11728
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        11⤵
        Kills process with taskkill
        
        PID:13720
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe+030482.txt C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad820.exe
        8⤵
        
        PID:12216
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad820.exe 1697209601
        8⤵
        
        PID:6024
        
        C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad820.exe
        
        C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad820.exe 1697209601
        9⤵
        
        PID:15500
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe /protect 1697209601
        6⤵
        
        PID:5864
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe+711861.txt C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad87.exe
        7⤵
        
        PID:10952
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe+030482.txt C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad80.exe
        7⤵
        
        PID:13936
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad87.exe 1697209601
        7⤵
        
        PID:12376
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad80.exe 1697209601
        7⤵
        
        PID:13440
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe /save 1697209601
        6⤵
        
        PID:5608
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe /save 1697209601
        6⤵
        
        PID:6516
        
        C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe
        
        C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe /save 1697209601
        7⤵
        Executes dropped EXE
        
        PID:6596
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:6624
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe /protect 1697209601
        6⤵
        
        PID:6044
        
        C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe
        
        C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe /protect 1697209601
        7⤵
        Executes dropped EXE
        
        PID:6132
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad820.exe 1697209601
        8⤵
        
        PID:12404
        
        C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad820.exe
        
        C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad820.exe 1697209601
        9⤵
        
        PID:3240
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        10⤵
        
        PID:13848
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        10⤵
        
        PID:12416
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe+41640.txt C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad824.exe
        8⤵
        
        PID:15036
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe /save 1697209601
        6⤵
        
        PID:6880
        
        C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe
        
        C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe /save 1697209601
        7⤵
        Executes dropped EXE
        
        PID:6964
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:6968
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe /protect 1697209601
        6⤵
        
        PID:7132
        
        C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe
        
        C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /protect 1697209601
        7⤵
        
        PID:6556
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad87.exe 1697209601
        8⤵
        
        PID:13712
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe+030482.txt C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad80.exe
        8⤵
        
        PID:12616
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad80.exe 1697209601
        8⤵
        
        PID:4588
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe /save 1697209601
        6⤵
        
        PID:7804
        
        C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe
        
        C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe /save 1697209601
        7⤵
        Executes dropped EXE
        
        PID:7828
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe /protect 1697209601
        6⤵
        
        PID:7596
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe /save 1697209601
        6⤵
        
        PID:7296
        
        C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe
        
        C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /protect 1697209601
        7⤵
        
        PID:7324
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe /protect 1697209601
        6⤵
        
        PID:8188
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe /save 1697209601
        6⤵
        
        PID:8108
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe /protect 1697209601
        6⤵
        
        PID:8032
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe /save 1697209601
        6⤵
        
        PID:7956
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe /protect 1697209601
        6⤵
        
        PID:7880
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe /save 1697209601
        6⤵
        
        PID:7804
        
        C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe
        
        C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe /save 1697209601
        7⤵
        Executes dropped EXE
        
        PID:5384
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe /protect 1697209601
        6⤵
        
        PID:7728
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe /save 1697209601
        6⤵
        
        PID:7652
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe+022609.txt C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad80.exe
        7⤵
        
        PID:11612
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad80.exe 1697209601
        7⤵
        
        PID:13824
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe+41640.txt C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad84.exe
        7⤵
        
        PID:3612
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad84.exe 1697209601
        7⤵
        
        PID:11780
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe /protect 1697209601
        6⤵
        
        PID:7576
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe /save 1697209601
        6⤵
        
        PID:7496
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        6⤵
        
        PID:9656
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        7⤵
        Kills process with taskkill
        
        PID:12884
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe /protect 1697209601
        6⤵
        
        PID:7420
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe /save 1697209601
        6⤵
        
        PID:7344
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe /protect 1697209601
        6⤵
        
        PID:7268
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe /save 1697209601
        6⤵
        
        PID:7192
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe /protect 1697209601
        6⤵
        
        PID:6852
        
        C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe
        
        C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /save 1697209601
        7⤵
        
        PID:7044
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe /save 1697209601
        6⤵
        
        PID:6300
        
        C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe
        
        C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /protect 1697209601
        7⤵
        
        PID:5516
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad87.exe 1697209601
        8⤵
        
        PID:12436
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe+030482.txt C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad80.exe
        8⤵
        
        PID:14244
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad80.exe 1697209601
        8⤵
        
        PID:15144
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe+95703.txt C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad89.exe
      4⤵
      PID:5332
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad89.exe 1697209601
      4⤵
      PID:5412
    - - C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad89.exe
        
        C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad89.exe 1697209601
        5⤵
        Executes dropped EXE
        
        PID:8224
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        6⤵
        
        PID:11564
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        7⤵
        Kills process with taskkill
        
        PID:12860
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /save 1697209601
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5116
- - C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe
    C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /save 1697209601
    3⤵
    PID:5080
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /protect 1697209601
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4548
- - C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe
    C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /protect 1697209601
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2088
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe+54772.txt C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad85.exe
      4⤵
      PID:4168
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad85.exe 1697209601
      4⤵
      PID:2996
    - - C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad85.exe
        
        C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad85.exe 1697209601
        5⤵
        Executes dropped EXE
        
        PID:8232
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        6⤵
        
        PID:11120
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        7⤵
        Kills process with taskkill
        
        PID:12828
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe+59630.txt C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad85.exe
      4⤵
      PID:6800
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad85.exe 1697209601
      4⤵
      PID:11668
    - - C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad85.exe
        
        C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad85.exe 1697209601
        5⤵
        Executes dropped EXE
        
        PID:9848
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        6⤵
        
        PID:12744
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        7⤵
        Kills process with taskkill
        
        PID:13236
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /save 1697209601
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3380
- - C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe
    C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /save 1697209601
    3⤵
    PID:392
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /protect 1697209601
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4916
- - C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe
    C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /protect 1697209601
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1772
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe+54249.txt C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad85.exe
      4⤵
      PID:3840
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad85.exe 1697209601
      4⤵
      PID:2280
    - - C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad85.exe
        
        C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad85.exe 1697209601
        5⤵
        Executes dropped EXE
        
        PID:10212
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        6⤵
        
        PID:8548
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        7⤵
        Kills process with taskkill
        
        PID:12892
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe+121410.txt C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad81.exe
      4⤵
      PID:11892
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad81.exe 1697209601
      4⤵
      PID:13736
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /save 1697209601
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4868
- - C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe
    C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /save 1697209601
    3⤵
    PID:3688
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /protect 1697209601
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1404
- - C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe
    C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /protect 1697209601
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3992
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe+54249.txt C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad85.exe
      4⤵
      PID:2328
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /save 1697209601
  2⤵
  PID:3444
- - C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe
    C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /save 1697209601
    3⤵
    PID:4008
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /protect 1697209601
  2⤵
  PID:5028
- - C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe
    C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /protect 1697209601
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3736
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe+814998.txt C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad88.exe
      4⤵
      PID:1008
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad88.exe 1697209601
      4⤵
      PID:3944
    - - C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad88.exe
        
        C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad88.exe 1697209601
        5⤵
        Executes dropped EXE
        
        PID:8216
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        6⤵
        
        PID:10880
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        7⤵
        Kills process with taskkill
        
        PID:12852
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe+525336.txt C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad85.exe
      4⤵
      PID:7388
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad85.exe 1697209601
      4⤵
      PID:7848
    - - C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad85.exe
        
        C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad85.exe 1697209601
        5⤵
        Executes dropped EXE
        
        PID:12300
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        6⤵
        
        PID:12792
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        7⤵
        Kills process with taskkill
        
        PID:13128
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /save 1697209601
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4560
- - C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe
    C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /save 1697209601
    3⤵
    PID:2176
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /protect 1697209601
  2⤵
  PID:3008
- - C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe
    C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /protect 1697209601
    3⤵
    PID:3976
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe+53726.txt C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad85.exe
      4⤵
      PID:3572
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /save 1697209601
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3000
- - C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe
    C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /save 1697209601
    3⤵
    PID:3824
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /protect 1697209601
  2⤵
  PID:1040
- - C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe
    C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /protect 1697209601
    3⤵
    PID:552
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe+53726.txt C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad85.exe
      4⤵
      PID:972
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /save 1697209601
  2⤵
  PID:4860
- - C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe
    C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /save 1697209601
    3⤵
    PID:4140
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /protect 1697209601
  2⤵
  PID:3328
- - C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe
    C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /protect 1697209601
    3⤵
    PID:3644
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe+814475.txt C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad88.exe
      4⤵
      PID:5164
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad88.exe 1697209601
      4⤵
      PID:5276
    - - C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad88.exe
        
        C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad88.exe 1697209601
        5⤵
        Executes dropped EXE
        
        PID:5564
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        6⤵
        
        PID:12552
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        7⤵
        Kills process with taskkill
        
        PID:13244
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe+14349.txt C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad81.exe
      4⤵
      PID:11924
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad81.exe 1697209601
      4⤵
      PID:13776
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /save 1697209601
  2⤵
  PID:3508
- - C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe
    C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /save 1697209601
    3⤵
    PID:4572
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /protect 1697209601
  2⤵
  PID:5004
- - C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe
    C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /protect 1697209601
    3⤵
    PID:2376
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe+814475.txt C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad88.exe
      4⤵
      PID:4984
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /save 1697209601
  2⤵
  PID:1700
- - C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe
    C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /save 1697209601
    3⤵
    PID:3480
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /protect 1697209601
  2⤵
  PID:540
- - C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe
    C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /protect 1697209601
    3⤵
    PID:4136
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe+814475.txt C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad88.exe
      4⤵
      PID:5272
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad88.exe 1697209601
      4⤵
      PID:464
    - - C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad88.exe
        
        C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad88.exe 1697209601
        5⤵
        Executes dropped EXE
        
        PID:10388
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        6⤵
        
        PID:9664
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        7⤵
        Kills process with taskkill
        
        PID:12800
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe+14349.txt C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad81.exe
      4⤵
      PID:12236
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad81.exe 1697209601
      4⤵
      PID:13760
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /save 1697209601
  2⤵
  PID:1064
- - C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe
    C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /save 1697209601
    3⤵
    PID:2144
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /protect 1697209601
  2⤵
  PID:3572
- - C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe
    C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /protect 1697209601
    3⤵
    PID:2156
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe+814475.txt C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad88.exe
      4⤵
      PID:5296
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad88.exe 1697209601
      4⤵
      PID:4536
    - - C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad88.exe
        
        C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad88.exe 1697209601
        5⤵
        Executes dropped EXE
        
        PID:8304
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        6⤵
        
        PID:11884
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        7⤵
        Kills process with taskkill
        
        PID:12876
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe+14349.txt C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad81.exe
      4⤵
      PID:11908
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad81.exe 1697209601
      4⤵
      PID:15092
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /save 1697209601
  2⤵
  PID:4576
- - C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe
    C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /save 1697209601
    3⤵
    PID:4384
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /protect 1697209601
  2⤵
  PID:4932
- - C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe
    C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /protect 1697209601
    3⤵
    PID:2832
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe+814475.txt C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad88.exe
      4⤵
      PID:1040
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad88.exe 1697209601
      4⤵
      PID:5272
    - - C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad88.exe
        
        C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad88.exe 1697209601
        5⤵
        Executes dropped EXE
        
        PID:5556
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        6⤵
        
        PID:12648
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        7⤵
        Kills process with taskkill
        
        PID:13276
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe+14349.txt C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad81.exe
      4⤵
      PID:12272
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad81.exe 1697209601
      4⤵
      PID:13896
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /save 1697209601
  2⤵
  PID:1528
- - C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe
    C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /save 1697209601
    3⤵
    PID:2708
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /protect 1697209601
  2⤵
  PID:2912
- - C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe
    C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /protect 1697209601
    3⤵
    PID:3740
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe+814475.txt C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad88.exe
      4⤵
      PID:5156
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad88.exe 1697209601
      4⤵
      PID:5340
    - - C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad88.exe
        
        C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad88.exe 1697209601
        5⤵
        Executes dropped EXE
        
        PID:10224
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        6⤵
        
        PID:12684
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        7⤵
        Kills process with taskkill
        
        PID:13252
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe+14349.txt C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad81.exe
      4⤵
      PID:11856
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad81.exe 1697209601
      4⤵
      PID:13644
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /save 1697209601
  2⤵
  PID:432
- - C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe
    C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /save 1697209601
    3⤵
    PID:4564
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /protect 1697209601
  2⤵
  PID:3792
- - C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe
    C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /protect 1697209601
    3⤵
    PID:4604
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe+814475.txt C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad88.exe
      4⤵
      PID:3888
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad88.exe 1697209601
      4⤵
      PID:8612
    - - C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad88.exe
        
        C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad88.exe 1697209601
        5⤵
        Executes dropped EXE
        
        PID:10284
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        6⤵
        
        PID:4624
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        7⤵
        Kills process with taskkill
        
        PID:12836
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe+14349.txt C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad81.exe
      4⤵
      PID:12252
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad81.exe 1697209601
      4⤵
      PID:13800
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /save 1697209601
  2⤵
  PID:3984
- - C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe
    C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /save 1697209601
    3⤵
    PID:2792
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3444
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /protect 1697209601
  2⤵
  PID:4732
- - C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe
    C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /protect 1697209601
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5028
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe+53726.txt C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad85.exe
      4⤵
      PID:1064
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad85.exe 1697209601
      4⤵
      PID:3944
    - - C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad85.exe
        
        C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad85.exe 1697209601
        5⤵
        Executes dropped EXE
        
        PID:10380
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        6⤵
        
        PID:12280
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        7⤵
        Kills process with taskkill
        
        PID:12936
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe+7422.txt C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad87.exe
      4⤵
      PID:12152
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad87.exe 1697209601
      4⤵
      PID:13668
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /save 1697209601
  2⤵
  PID:3008
- - C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe
    C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /save 1697209601
    3⤵
    PID:4040
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /protect 1697209601
  2⤵
  PID:2440
- - C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe
    C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /protect 1697209601
    3⤵
    PID:5432
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe+813429.txt C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad88.exe
      4⤵
      PID:8308
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad88.exe 1697209601
      4⤵
      PID:4716
    - - C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad88.exe
        
        C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad88.exe 1697209601
        5⤵
        Executes dropped EXE
        
        PID:10196
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        6⤵
        
        PID:12520
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        7⤵
        Kills process with taskkill
        
        PID:10488
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe+327909.txt C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad83.exe
      4⤵
      PID:11840
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad83.exe 1697209601
      4⤵
      PID:13744
    - - C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad83.exe
        
        C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad83.exe 1697209601
        5⤵
        
        PID:2508
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        6⤵
        
        PID:14188
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        7⤵
        Kills process with taskkill
        
        PID:5288
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /save 1697209601
  2⤵
  PID:5460
- - C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe
    C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /save 1697209601
    3⤵
    PID:5484
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /protect 1697209601
  2⤵
  PID:5500
- - C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe
    C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /protect 1697209601
    3⤵
    PID:5528
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe+813429.txt C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad88.exe
      4⤵
      PID:8412
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad88.exe 1697209601
      4⤵
      PID:8548
    - - C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad88.exe
        
        C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad88.exe 1697209601
        5⤵
        Executes dropped EXE
        
        PID:8424
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        6⤵
        
        PID:10912
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        7⤵
        Kills process with taskkill
        
        PID:12868
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe+327909.txt C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad83.exe
      4⤵
      PID:7668
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad83.exe 1697209601
      4⤵
      PID:8564
    - - C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad83.exe
        
        C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad83.exe 1697209601
        5⤵
        Executes dropped EXE
        
        PID:4764
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        6⤵
        
        PID:11936
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        7⤵
        Kills process with taskkill
        
        PID:12844
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /save 1697209601
  2⤵
  PID:5536
- - C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe
    C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /save 1697209601
    3⤵
    PID:5592
- - C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe
    C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /save 1697209601
    3⤵
    PID:5756
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /protect 1697209601
  2⤵
  PID:5624
- - C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe
    C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /protect 1697209601
    3⤵
    PID:5636
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe+813429.txt C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad88.exe
      4⤵
      PID:8052
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad88.exe 1697209601
      4⤵
      PID:6944
    - - C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad88.exe
        
        C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad88.exe 1697209601
        5⤵
        Executes dropped EXE
        
        PID:8404
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        6⤵
        
        PID:11640
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        7⤵
        Kills process with taskkill
        
        PID:12952
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe+327909.txt C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad83.exe
      4⤵
      PID:11872
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /save 1697209601
  2⤵
  PID:5664
- - C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe
    C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /save 1697209601
    3⤵
    PID:5716
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /protect 1697209601
  2⤵
  PID:5748
- - C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe
    C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /protect 1697209601
    3⤵
    PID:5760
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe+813429.txt C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad88.exe
      4⤵
      PID:8120
    - - C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe
        
        C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /save 1697209601
        5⤵
        
        PID:8144
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /save 1697209601
  2⤵
  PID:5804
- - C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe
    C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /save 1697209601
    3⤵
    PID:5832
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /protect 1697209601
  2⤵
  PID:5848
- - C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe
    C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /protect 1697209601
    3⤵
    PID:5872
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe+813429.txt C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad88.exe
      4⤵
      PID:8640
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /save 1697209601
  2⤵
  PID:5896
- - C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe
    C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /save 1697209601
    3⤵
    PID:5948
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /protect 1697209601
  2⤵
  PID:5976
- - C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe
    C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /protect 1697209601
    3⤵
    PID:6004
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe+813429.txt C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad88.exe
      4⤵
      PID:8620
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad88.exe 1697209601
      4⤵
      PID:5528
    - - C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad88.exe
        
        C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad88.exe 1697209601
        5⤵
        Executes dropped EXE
        
        PID:9304
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        6⤵
        
        PID:12752
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        7⤵
        Kills process with taskkill
        
        PID:13300
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe+327909.txt C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad83.exe
      4⤵
      PID:9356
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad83.exe 1697209601
      4⤵
      PID:13840
    - - C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad83.exe
        
        C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad83.exe 1697209601
        5⤵
        
        PID:14288
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        6⤵
        
        PID:14172
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        7⤵
        Kills process with taskkill
        
        PID:13712
- - C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe
    C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /save 1697209601
    3⤵
    PID:6028
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /save 1697209601
  2⤵
  PID:6028
- - C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe
    C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /save 1697209601
    3⤵
    PID:6052
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /protect 1697209601
  2⤵
  PID:6088
- - C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe
    C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /protect 1697209601
    3⤵
    PID:6104
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe+813429.txt C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad88.exe
      4⤵
      PID:8600
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /save 1697209601
  2⤵
  PID:6128
- - C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe
    C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /save 1697209601
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3008
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /protect 1697209601
  2⤵
  PID:5152
- - C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe
    C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /protect 1697209601
    3⤵
    PID:5292
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe+813429.txt C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad88.exe
      4⤵
      PID:8572
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad88.exe 1697209601
      4⤵
      PID:11780
    - - C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad88.exe
        
        C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad88.exe 1697209601
        5⤵
        Executes dropped EXE
        
        PID:9460
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        6⤵
        
        PID:12912
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        7⤵
        Kills process with taskkill
        
        PID:5404
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe+327909.txt C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad83.exe
      4⤵
      PID:12476
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad83.exe 1697209601
      4⤵
      PID:13808
    - - C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad83.exe
        
        C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad83.exe 1697209601
        5⤵
        
        PID:14320
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        6⤵
        
        PID:13644
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        7⤵
        Kills process with taskkill
        
        PID:12236
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /save 1697209601
  2⤵
  PID:5372
- - C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe
    C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /save 1697209601
    3⤵
    PID:2496
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /protect 1697209601
  2⤵
  PID:5464
- - C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe
    C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /protect 1697209601
    3⤵
    PID:5864
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /protect 1697209601
  2⤵
  PID:6156
- - C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe
    C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /protect 1697209601
    3⤵
    PID:6168
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe+022609.txt C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad80.exe
      4⤵
      PID:11552
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad80.exe 1697209601
      4⤵
      PID:15076
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /save 1697209601
  2⤵
  PID:6192
- - C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe
    C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /save 1697209601
    3⤵
    PID:6204
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /protect 1697209601
  2⤵
  PID:6372
- - C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe
    C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /protect 1697209601
    3⤵
    PID:6384
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe+711861.txt C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad87.exe
      4⤵
      PID:11396
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad87.exe 1697209601
      4⤵
      PID:13816
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe+030482.txt C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad80.exe
      4⤵
      PID:11072
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad80.exe 1697209601
      4⤵
      PID:11228
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /protect 1697209601
  2⤵
  PID:6660
- - C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe
    C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /protect 1697209601
    3⤵
    PID:6672
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe+711861.txt C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad87.exe
      4⤵
      PID:10892
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad87.exe 1697209601
      4⤵
      PID:12356
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe+030482.txt C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad80.exe
      4⤵
      PID:14100
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad80.exe 1697209601
      4⤵
      PID:15060
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /protect 1697209601
  2⤵
  PID:6732
- - C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe
    C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /protect 1697209601
    3⤵
    PID:6764
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe+41635.txt C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad84.exe
      4⤵
      PID:9352
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad84.exe 1697209601
      4⤵
      PID:2648
    - - C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad84.exe
        
        C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad84.exe 1697209601
        5⤵
        
        PID:13136
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        6⤵
        
        PID:11980
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe+814775.txt C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad88.exe
      4⤵
      PID:15160
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /save 1697209601
  2⤵
  PID:6696
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /save 1697209601
  2⤵
  PID:6624
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /save 1697209601
  2⤵
  PID:6800
- - C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe
    C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /save 1697209601
    3⤵
    PID:6836
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /protect 1697209601
  2⤵
  PID:6588
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /save 1697209601
  2⤵
  PID:6552
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:6048
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /protect 1697209601
  2⤵
  PID:6516
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /protect 1697209601
  2⤵
  PID:6852
- - C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe
    C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /protect 1697209601
    3⤵
    PID:6920
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe+022609.txt C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad80.exe
      4⤵
      PID:11712
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad80.exe 1697209601
      4⤵
      PID:13888
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe+41640.txt C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad84.exe
      4⤵
      PID:12352
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad84.exe 1697209601
      4⤵
      PID:13204
- - C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe
    C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe /protect 1697209601
    3⤵
    PID:7124
  - - C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe
      C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /protect 1697209601
      4⤵
      PID:6444
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad87.exe 1697209601
        5⤵
        
        PID:12712
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe+030482.txt C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad80.exe
        5⤵
        
        PID:14228
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad80.exe 1697209601
        5⤵
        
        PID:5128
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /save 1697209601
  2⤵
  PID:6480
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /protect 1697209601
  2⤵
  PID:7044
- - C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe
    C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /protect 1697209601
    3⤵
    PID:7056
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe+712384.txt C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad87.exe
      4⤵
      PID:9624
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad87.exe 1697209601
      4⤵
      PID:12268
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe+418701.txt C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad84.exe
      4⤵
      PID:13200
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad84.exe 1697209601
      4⤵
      PID:12632
    - - C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad84.exe
        
        C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad84.exe 1697209601
        5⤵
        
        PID:15684
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:7068
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /save 1697209601
  2⤵
  PID:7068
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /save 1697209601
  2⤵
  PID:6968
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /protect 1697209601
  2⤵
  PID:6444
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe+711861.txt C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad87.exe
    3⤵
    PID:10872
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /save 1697209601
  2⤵
  PID:6408
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /save 1697209601
  2⤵
  PID:6336
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /protect 1697209601
  2⤵
  PID:6300
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /save 1697209601
  2⤵
  PID:6264
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /protect 1697209601
  2⤵
  PID:6228
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /protect 1697209601
  2⤵
  PID:7124
- - C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe
    C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /protect 1697209601
    3⤵
    PID:7160
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe+711861.txt C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad87.exe
      4⤵
      PID:11372
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad87.exe 1697209601
      4⤵
      PID:12592
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe+030482.txt C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad80.exe
      4⤵
      PID:14164
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad80.exe 1697209601
      4⤵
      PID:9956
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe+711861.txt C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad827.exe
    3⤵
    PID:10924
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /save 1697209601
  2⤵
  PID:4752
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /protect 1697209601
  2⤵
  PID:5464
- - C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe
    C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /protect 1697209601
    3⤵
    PID:5848
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe+711861.txt C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad87.exe
      4⤵
      PID:11228
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe+030482.txt C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad80.exe
      4⤵
      PID:13920
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad87.exe 1697209601
      4⤵
      PID:4976
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad80.exe 1697209601
      4⤵
      PID:14644
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /save 1697209601
  2⤵
  PID:5536
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /protect 1697209601
  2⤵
  PID:4752
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /save 1697209601
  2⤵
  PID:5976
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /save 1697209601
  2⤵
  PID:6196
- - C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe
    C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /save 1697209601
    3⤵
    PID:6232
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /protect 1697209601
  2⤵
  PID:6300
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /save 1697209601
  2⤵
  PID:6556
- - C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe
    C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /save 1697209601
    3⤵
    PID:6736
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:6876
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe+711861.txt C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad87.exe
    3⤵
    PID:10904
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /protect 1697209601
  2⤵
  PID:7296
- - C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe
    C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe /save 1697209601
    3⤵
    - Executes dropped EXE
    PID:7376
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /protect 1697209601
  2⤵
  PID:7448
- - C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe
    C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /protect 1697209601
    3⤵
    PID:7476
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe+022609.txt C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad80.exe
      4⤵
      PID:11644
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad80.exe 1697209601
      4⤵
      PID:12664
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe+41640.txt C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad84.exe
      4⤵
      PID:14196
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad84.exe 1697209601
      4⤵
      PID:5104
    - - C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad84.exe
        
        C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad84.exe 1697209601
        5⤵
        
        PID:15664
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /save 1697209601
  2⤵
  PID:7820
- - C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe
    C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /save 1697209601
    3⤵
    PID:5160
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /protect 1697209601
  2⤵
  PID:7576
- - C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe
    C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe /protect 1697209601
    3⤵
    - Executes dropped EXE
    PID:7600
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe+711861.txt C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad827.exe
      4⤵
      PID:10964
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad827.exe 1697209601
      4⤵
      PID:12388
    - - C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad827.exe
        
        C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad827.exe 1697209601
        5⤵
        Executes dropped EXE
        
        PID:10480
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        6⤵
        
        PID:13552
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        7⤵
        Kills process with taskkill
        
        PID:12752
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe+030482.txt C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad820.exe
      4⤵
      PID:11232
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad820.exe 1697209601
      4⤵
      PID:12720
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /save 1697209601
  2⤵
  PID:7348
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /protect 1697209601
  2⤵
  PID:7076
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /save 1697209601
  2⤵
  PID:8120
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /protect 1697209601
  2⤵
  PID:8044
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /save 1697209601
  2⤵
  PID:7968
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /protect 1697209601
  2⤵
  PID:7892
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /save 1697209601
  2⤵
  PID:7816
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /protect 1697209601
  2⤵
  PID:7740
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /save 1697209601
  2⤵
  PID:7664
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /protect 1697209601
  2⤵
  - Executes dropped EXE
  PID:7588
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe+711861.txt C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad827.exe
    3⤵
    PID:10860
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad827.exe 1697209601
    3⤵
    PID:12412
  - - C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad827.exe
      C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad827.exe 1697209601
      4⤵
      Executes dropped EXE
      PID:10888
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        5⤵
        
        PID:9340
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe+030482.txt C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad820.exe
    3⤵
    PID:12368
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad820.exe 1697209601
    3⤵
    PID:14264
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /save 1697209601
  2⤵
  PID:7512
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
  2⤵
  PID:9804
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im explorer.exe
    3⤵
    - Kills process with taskkill
    PID:12808
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /save 1697209601
  2⤵
  PID:7372
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /save 1697209601
  2⤵
  PID:7220
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /protect 1697209601
  2⤵
  PID:7132
- - C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe
    C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe /protect 1697209601
    3⤵
    - Executes dropped EXE
    PID:7040
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad827.exe 1697209601
      4⤵
      PID:12380
    - - C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad827.exe
        
        C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad827.exe 1697209601
        5⤵
        Executes dropped EXE
        
        PID:12144
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
        6⤵
        
        PID:12480
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad827.exe /autoup 1697209601
        6⤵
        
        PID:14560
        
        C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad827.exe
        
        C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad827.exe /autoup 1697209601
        7⤵
        
        PID:12572
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad827.exe /killwindows 1697209601
        6⤵
        
        PID:11848
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe+030482.txt C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad820.exe
      4⤵
      PID:10840
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad820.exe 1697209601
      4⤵
      PID:6008
    - - C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad820.exe
        
        C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad820.exe 1697209601
        5⤵
        
        PID:15700
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /protect 1697209601
  2⤵
  - Executes dropped EXE
  PID:7124
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad827.exe 1697209601
    3⤵
    PID:12356
  - - C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad827.exe
      C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad827.exe 1697209601
      4⤵
      Executes dropped EXE
      PID:10764
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad827.exe /killwindows 1697209601
        5⤵
        
        PID:14120
      - C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad827.exe
        
        C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad827.exe /killwindows 1697209601
        6⤵
        
        PID:14456
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c takeown /f C:\windows\system32\taskmgr.exe
        7⤵
        
        PID:11912
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad827.exe /KillHardDisk 1697209601
        5⤵
        
        PID:14892
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe+030482.txt C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad820.exe
    3⤵
    PID:12172
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /save 1697209601
  2⤵
  PID:6852
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /protect 1697209601
  2⤵
  PID:6740
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /save 1697209601
  2⤵
  PID:6560

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Checks processor information in registry
PID:1916

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
PID:756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffd39019758,0x7ffd39019768,0x7ffd39019778
  2⤵
  PID:9432

C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe
C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe /save 1697209601
1⤵
- Executes dropped EXE
PID:5752

C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe
C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe /protect 1697209601
1⤵
- Executes dropped EXE
PID:5944
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe+711861.txt C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad827.exe
  2⤵
  PID:11412
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad827.exe 1697209601
  2⤵
  PID:12432
- - C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad827.exe
    C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad827.exe 1697209601
    3⤵
    - Executes dropped EXE
    PID:13164
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
      4⤵
      PID:13956
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe+030482.txt C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad820.exe
  2⤵
  PID:10860
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad820.exe 1697209601
  2⤵
  PID:14304

C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe
C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe /save 1697209601
1⤵
- Executes dropped EXE
PID:6124
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:6128

C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe
C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /protect 1697209601
1⤵
PID:5336
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe+712384.txt C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad87.exe
  2⤵
  PID:9516
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad87.exe 1697209601
  2⤵
  PID:9376
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe+418701.txt C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad84.exe
  2⤵
  PID:13216
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad84.exe 1697209601
  2⤵
  PID:12664
- - C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad84.exe
    C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad84.exe 1697209601
    3⤵
    PID:15488

C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe
C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /protect 1697209601
1⤵
PID:6240
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe+711861.txt C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad87.exe
  2⤵
  PID:11336
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad87.exe 1697209601
  2⤵
  PID:10868
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe+030482.txt C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad80.exe
  2⤵
  PID:13964
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad80.exe 1697209601
  2⤵
  PID:5364

C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe
C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /save 1697209601
1⤵
PID:6564

C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe
C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /protect 1697209601
1⤵
PID:6600
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe+711861.txt C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad87.exe
  2⤵
  PID:11348
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad87.exe 1697209601
  2⤵
  PID:12400
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe+030482.txt C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad80.exe
  2⤵
  PID:14176
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad80.exe 1697209601
  2⤵
  PID:13304

C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe
C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /save 1697209601
1⤵
PID:6636

C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe
C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /save 1697209601
1⤵
PID:6708

C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe
C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /protect 1697209601
1⤵
PID:6528
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe+022609.txt C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad80.exe
  2⤵
  PID:11724
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad80.exe 1697209601
  2⤵
  PID:13832
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe+41640.txt C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad84.exe
  2⤵
  PID:12464
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad84.exe 1697209601
  2⤵
  PID:13116

C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe
C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /save 1697209601
1⤵
PID:6492

C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe
C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /protect 1697209601
1⤵
PID:6456
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe+41113.txt C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad84.exe
  2⤵
  PID:10484
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad84.exe 1697209601
  2⤵
  PID:12132
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe+326555.txt C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad83.exe
  2⤵
  PID:14848

C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe
C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /save 1697209601
1⤵
PID:7092

C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe
C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /save 1697209601
1⤵
PID:6992

C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe
C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /save 1697209601
1⤵
PID:6420

C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe
C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /save 1697209601
1⤵
PID:6348

C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe
C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /protect 1697209601
1⤵
PID:6312
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe+41113.txt C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad84.exe
  2⤵
  PID:3760
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad84.exe 1697209601
  2⤵
  PID:12160
- - C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad84.exe
    C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad84.exe 1697209601
    3⤵
    PID:13088
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
      4⤵
      PID:15548
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe+326555.txt C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad83.exe
  2⤵
  PID:14968

C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe
C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /save 1697209601
1⤵
PID:6276

C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe
C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /save 1697209601
1⤵
PID:5536

C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe
C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /save 1697209601
1⤵
PID:6660
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:6696

C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe
C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /save 1697209601
1⤵
PID:7248

C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe
C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /protect 1697209601
1⤵
PID:7776
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe+123132.txt C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad81.exe
  2⤵
  PID:9844
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad81.exe 1697209601
  2⤵
  PID:2268
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe+922628.txt C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad89.exe
  2⤵
  PID:224
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad89.exe 1697209601
  2⤵
  PID:13260

C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe
C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe /protect 1697209601
1⤵
- Executes dropped EXE
PID:8056
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe+41635.txt C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad824.exe
  2⤵
  PID:9460
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad824.exe 1697209601
  2⤵
  PID:11072
- - C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad824.exe
    C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad824.exe 1697209601
    3⤵
    PID:9308
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
      4⤵
      PID:13800
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        5⤵
        Kills process with taskkill
        
        PID:14468
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe+814775.txt C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad828.exe
  2⤵
  PID:13540
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad828.exe 1697209601
  2⤵
  PID:15068

C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe
C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /save 1697209601
1⤵
PID:7424

C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe
C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /protect 1697209601
1⤵
PID:7652
- C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe
  C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe /save 1697209601
  2⤵
  - Executes dropped EXE
  PID:7676

C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe
C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe /protect 1697209601
1⤵
PID:7588
- C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe
  C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /protect 1697209601
  2⤵
  PID:7624
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe+711861.txt C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad87.exe
    3⤵
    PID:11360
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad87.exe 1697209601
    3⤵
    PID:15136

C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe
C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /protect 1697209601
1⤵
PID:7208
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe+022609.txt C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad80.exe
  2⤵
  PID:11632
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad80.exe 1697209601
  2⤵
  PID:13848
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe+41640.txt C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad84.exe
  2⤵
  PID:5272
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad84.exe 1697209601
  2⤵
  PID:5172

C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe
C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe /protect 1697209601
1⤵
- Executes dropped EXE
PID:6516
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe+41113.txt C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad824.exe
  2⤵
  PID:10472
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad824.exe 1697209601
  2⤵
  PID:12460
- - C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad824.exe
    C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad824.exe 1697209601
    3⤵
    - Executes dropped EXE
    PID:3440
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
      4⤵
      PID:12632
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad824.exe /autoup 1697209601
      4⤵
      PID:14476
    - - C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad824.exe
        
        C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad824.exe /autoup 1697209601
        5⤵
        
        PID:5228
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad824.exe /killwindows 1697209601
      4⤵
      PID:11708
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe+326555.txt C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad823.exe
  2⤵
  PID:13408
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad823.exe 1697209601
  2⤵
  PID:13448

C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe
C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe /save 1697209601
1⤵
- Executes dropped EXE
PID:8132

C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe
C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /protect 1697209601
1⤵
PID:8080
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe+711861.txt C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad87.exe
  2⤵
  PID:11384
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad87.exe 1697209601
  2⤵
  PID:13784
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe+030482.txt C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad80.exe
  2⤵
  PID:13464
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad80.exe 1697209601
  2⤵
  PID:14988

C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe
C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /save 1697209601
1⤵
PID:8004

C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe
C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe /save 1697209601
1⤵
- Executes dropped EXE
PID:7980

C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe
C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /protect 1697209601
1⤵
PID:7928
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe+022609.txt C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad80.exe
  2⤵
  PID:11948
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad80.exe 1697209601
  2⤵
  PID:13284
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe+41640.txt C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad84.exe
  2⤵
  PID:13728
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad84.exe 1697209601
  2⤵
  PID:5236

C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe
C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe /protect 1697209601
1⤵
- Executes dropped EXE
PID:7904
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe+022609.txt C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad820.exe
  2⤵
  PID:11656
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad820.exe 1697209601
  2⤵
  PID:12420

C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe
C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /save 1697209601
1⤵
PID:7852

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
PID:8568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffd38ed46f8,0x7ffd38ed4708,0x7ffd38ed4718
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:9492

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:8308
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  PID:9380
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="9380.0.914144391\1028326814" -parentBuildID 20221007134813 -prefsHandle 1732 -prefMapHandle 1724 -prefsLen 20860 -prefMapSize 232645 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4163447d-a4dd-4cad-b4a2-87525961a0f2} 9380 "\\.\pipe\gecko-crash-server-pipe.9380" 1828 1da124d5558 gpu
    3⤵
    PID:11820

C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe
C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe /protect 1697209601
1⤵
- Executes dropped EXE
PID:7752
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe+41113.txt C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad824.exe
  2⤵
  PID:10180
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad824.exe 1697209601
  2⤵
  PID:12348
- - C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad824.exe
    C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad824.exe 1697209601
    3⤵
    PID:12112
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
      4⤵
      PID:13432
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad824.exe /autoup 1697209601
      4⤵
      PID:14484
    - - C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad824.exe
        
        C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad824.exe /autoup 1697209601
        5⤵
        
        PID:4068
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad824.exe /killwindows 1697209601
      4⤵
      PID:13588
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe+326555.txt C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad823.exe
  2⤵
  PID:13448
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad823.exe 1697209601
  2⤵
  PID:11116

C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe
C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /save 1697209601
1⤵
PID:7700

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:8388
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  PID:9420
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="9420.0.1578181336\1297215891" -parentBuildID 20221007134813 -prefsHandle 1744 -prefMapHandle 1736 -prefsLen 17556 -prefMapSize 230321 -appDir "C:\Program Files\Mozilla Firefox\browser" - {02998c0e-13fe-411c-9cb4-e0baa3d11419} 9420 "\\.\pipe\gecko-crash-server-pipe.9420" 1848 19e47bfc258 gpu
    3⤵
    PID:12616

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Checks processor information in registry
PID:1040
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1040.0.1810914530\174717481" -parentBuildID 20221007134813 -prefsHandle 1732 -prefMapHandle 1532 -prefsLen 17556 -prefMapSize 230321 -appDir "C:\Program Files\Mozilla Firefox\browser" - {12e9b0f8-55f7-4136-9478-ac8c4bb7e477} 1040 "\\.\pipe\gecko-crash-server-pipe.1040" 1844 1ec559fb958 gpu
  2⤵
  PID:13492

C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe
C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /save 1697209601
1⤵
PID:7548

C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe
C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe /save 1697209601
1⤵
- Executes dropped EXE
PID:7524

C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe
C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe /protect 1697209601
1⤵
- Executes dropped EXE
PID:7440
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe+711861.txt C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad827.exe
  2⤵
  PID:10824
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad827.exe 1697209601
  2⤵
  PID:12372
- - C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad827.exe
    C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad827.exe 1697209601
    3⤵
    - Executes dropped EXE
    PID:10180
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:11656
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
      4⤵
      PID:12628
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im explorer.exe
        5⤵
        Kills process with taskkill
        
        PID:2460
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe+030482.txt C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad820.exe
  2⤵
  PID:11376
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad820.exe 1697209601
  2⤵
  PID:14108

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:8620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe+711861.txt C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad827.exe
1⤵
PID:11008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe+022609.txt C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad820.exe
1⤵
PID:11700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe+022609.txt C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad80.exe
1⤵
PID:11600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe+711861.txt C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad87.exe
1⤵
PID:10976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe+711861.txt C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad827.exe
1⤵
PID:10848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe+711861.txt C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad87.exe
1⤵
PID:10836

C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe
C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /save 1697209601
1⤵
PID:7400

C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe
C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe /save 1697209601
1⤵
- Executes dropped EXE
PID:7364

C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe
C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe /protect 1697209601
1⤵
- Executes dropped EXE
PID:7288
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad827.exe 1697209601
  2⤵
  PID:12396
- - C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad827.exe
    C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad827.exe 1697209601
    3⤵
    - Executes dropped EXE
    PID:5124
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
      4⤵
      PID:11388
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe+030482.txt C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad820.exe
  2⤵
  PID:11648
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad820.exe 1697209601
  2⤵
  PID:11668

C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe
C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe /save 1697209601
1⤵
- Executes dropped EXE
PID:7212

C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe
C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe /save 1697209601
1⤵
- Executes dropped EXE
PID:6552

C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe
C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe /protect 1697209601
1⤵
PID:6788
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad87.exe 1697209601
  2⤵
  PID:9612
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /b C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad8.exe+030482.txt C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad80.exe
  2⤵
  PID:14212
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad80.exe 1697209601
  2⤵
  PID:13636

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:11008

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:12388

C:\Windows\system32\taskkill.exe
taskkill /f /im explorer.exe
1⤵
- Kills process with taskkill
PID:14504

C:\Windows\system32\taskkill.exe
taskkill /f /im explorer.exe
1⤵
- Kills process with taskkill
PID:8636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\022609.txt

Filesize
5B

MD5
19317b848dbb3dcbfb5684c662fd25ff

SHA1
c64b20c679d3ae36fab15d5e2f2bb3cd65c3c96f

SHA256
25caf706e110d5c555d253fd69df50e2b14e1ba85a8bd99d79baa424d71d2805

SHA512
53fa2014433625b31b4219d4a7f2f35f98f315dc04a3c5b8ae3c1e0941f55648c2e7b112764f275b65baf3a035a0d8bf98311cf711c9b43884c5719aa391d734

Download Submit
C:\Users\Admin\AppData\Local\Temp\030482.txt

Filesize
4B

MD5
098930a1f6c40597f933a2d617f798ba

SHA1
1079707f84e8d34463f24b94d2be31d5dee9e8c1

SHA256
f14c5bb83d357b034a6c665b574df137ffddcc24c8f3cb09aef1f73831731781

SHA512
da696b8e60de2cd98a0f0c1d85667cbb211467b264eb7b52a73ba2fbcf24f824ba54b4f24ab12cb1232280475ff00fc99a4d866a641edc02cef7ec916d72ecc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\108610.bat

Filesize
7B

MD5
3df116ef9ce709e3a5f25249db341c98

SHA1
7af50effe03c71bd5e03d46dc9b979c6faf92c8d

SHA256
4305b80fe6c8b71e12cfe14b19e94127e4825d6b8ade1cb544eee4836cbf7af0

SHA512
54242d6c407bcb82c482ab5b3bed3efe0fcffc5fa14a2b41247c0043a37d5695c4b9b1ba35c0c159f50720005780cd67e94b019e712a2e22aaaeb550e845c778

Download Submit
C:\Users\Admin\AppData\Local\Temp\108610.bat

Filesize
138B

MD5
4f838363fc6b696b4533450fb7d1351c

SHA1
9e526b40cc4c53db5882853a60ae70cc98c29cc3

SHA256
210a84b9302a4acb971d321c63fa91f28e899f16cccceefb51df998218666a2b

SHA512
7ecdf4ea03d9b4bcf0037f836dd4618481b086e43193fccb7776536a231f5f9aaa27a2d77401cfd860c5fbc0b7cebb496247e600b371e5120fb6f69228cd580f

Download Submit
C:\Users\Admin\AppData\Local\Temp\14349.txt

Filesize
5B

MD5
fb306d161c5d5ff68fb2512de815a8f9

SHA1
38891c7cda2d15e4d464ef32ef3ee7ea2911fd1a

SHA256
8841dbe91ae0c5b7138cc28d691e07bbaa568d6a141f8d4f93aad71b3ae74382

SHA512
e707ca9a1e4d5c82e55f161d4c9ad087e62730b2515e116c4eed3623e67ca9f8b8cebbea69fc090ccbe774241b25a7827a602541eb0a26ffb6fa35fb359d0bf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\221144.bat

Filesize
7B

MD5
3df116ef9ce709e3a5f25249db341c98

SHA1
7af50effe03c71bd5e03d46dc9b979c6faf92c8d

SHA256
4305b80fe6c8b71e12cfe14b19e94127e4825d6b8ade1cb544eee4836cbf7af0

SHA512
54242d6c407bcb82c482ab5b3bed3efe0fcffc5fa14a2b41247c0043a37d5695c4b9b1ba35c0c159f50720005780cd67e94b019e712a2e22aaaeb550e845c778

Download Submit
C:\Users\Admin\AppData\Local\Temp\221144.bat

Filesize
7B

MD5
3df116ef9ce709e3a5f25249db341c98

SHA1
7af50effe03c71bd5e03d46dc9b979c6faf92c8d

SHA256
4305b80fe6c8b71e12cfe14b19e94127e4825d6b8ade1cb544eee4836cbf7af0

SHA512
54242d6c407bcb82c482ab5b3bed3efe0fcffc5fa14a2b41247c0043a37d5695c4b9b1ba35c0c159f50720005780cd67e94b019e712a2e22aaaeb550e845c778

Download Submit
C:\Users\Admin\AppData\Local\Temp\221144.bat

Filesize
7B

MD5
3df116ef9ce709e3a5f25249db341c98

SHA1
7af50effe03c71bd5e03d46dc9b979c6faf92c8d

SHA256
4305b80fe6c8b71e12cfe14b19e94127e4825d6b8ade1cb544eee4836cbf7af0

SHA512
54242d6c407bcb82c482ab5b3bed3efe0fcffc5fa14a2b41247c0043a37d5695c4b9b1ba35c0c159f50720005780cd67e94b019e712a2e22aaaeb550e845c778

Download Submit
C:\Users\Admin\AppData\Local\Temp\221144.bat

Filesize
111B

MD5
559188798a841518e631816a178ac6fd

SHA1
7a5a09504c7e7842ba8c40bb26321acb50c08b31

SHA256
fa396119f151ffe053c44daae64ae517cbc1383eef0a2b7028362210312a9c85

SHA512
b7bf912063312bcdeba4512661f93b7ae066582a72bdc9419a8d0899daf5cf93d14af97f648e626f198c2e42f36a83ed415cae9941c7b090eba6b26321f5282e

Download Submit
C:\Users\Admin\AppData\Local\Temp\221144.bat

Filesize
111B

MD5
559188798a841518e631816a178ac6fd

SHA1
7a5a09504c7e7842ba8c40bb26321acb50c08b31

SHA256
fa396119f151ffe053c44daae64ae517cbc1383eef0a2b7028362210312a9c85

SHA512
b7bf912063312bcdeba4512661f93b7ae066582a72bdc9419a8d0899daf5cf93d14af97f648e626f198c2e42f36a83ed415cae9941c7b090eba6b26321f5282e

Download Submit
C:\Users\Admin\AppData\Local\Temp\226792.txt

Filesize
4B

MD5
5c8cb735a1ce65dac514233cbd5576d6

SHA1
b68ddcd75a4fbbc8d3185db531701b93d0106e01

SHA256
7423fd48de59154f5fb4cbd03067d2e539c1fe9fdd4b43e7016c31f8bc00c24f

SHA512
dcd1f21826f84482a7eade90cd05304fafd468de26ff3e4cf4e725216896d67e279482ca15fafd85f232c0564cc4f55ed63f2a2c3ed443a400a72ea10754f056

Download Submit
C:\Users\Admin\AppData\Local\Temp\30048.bat

Filesize
7B

MD5
3df116ef9ce709e3a5f25249db341c98

SHA1
7af50effe03c71bd5e03d46dc9b979c6faf92c8d

SHA256
4305b80fe6c8b71e12cfe14b19e94127e4825d6b8ade1cb544eee4836cbf7af0

SHA512
54242d6c407bcb82c482ab5b3bed3efe0fcffc5fa14a2b41247c0043a37d5695c4b9b1ba35c0c159f50720005780cd67e94b019e712a2e22aaaeb550e845c778

Download Submit
C:\Users\Admin\AppData\Local\Temp\30048.bat

Filesize
7B

MD5
3df116ef9ce709e3a5f25249db341c98

SHA1
7af50effe03c71bd5e03d46dc9b979c6faf92c8d

SHA256
4305b80fe6c8b71e12cfe14b19e94127e4825d6b8ade1cb544eee4836cbf7af0

SHA512
54242d6c407bcb82c482ab5b3bed3efe0fcffc5fa14a2b41247c0043a37d5695c4b9b1ba35c0c159f50720005780cd67e94b019e712a2e22aaaeb550e845c778

Download Submit
C:\Users\Admin\AppData\Local\Temp\30048.bat

Filesize
7B

MD5
3df116ef9ce709e3a5f25249db341c98

SHA1
7af50effe03c71bd5e03d46dc9b979c6faf92c8d

SHA256
4305b80fe6c8b71e12cfe14b19e94127e4825d6b8ade1cb544eee4836cbf7af0

SHA512
54242d6c407bcb82c482ab5b3bed3efe0fcffc5fa14a2b41247c0043a37d5695c4b9b1ba35c0c159f50720005780cd67e94b019e712a2e22aaaeb550e845c778

Download Submit
C:\Users\Admin\AppData\Local\Temp\30048.bat

Filesize
7B

MD5
3df116ef9ce709e3a5f25249db341c98

SHA1
7af50effe03c71bd5e03d46dc9b979c6faf92c8d

SHA256
4305b80fe6c8b71e12cfe14b19e94127e4825d6b8ade1cb544eee4836cbf7af0

SHA512
54242d6c407bcb82c482ab5b3bed3efe0fcffc5fa14a2b41247c0043a37d5695c4b9b1ba35c0c159f50720005780cd67e94b019e712a2e22aaaeb550e845c778

Download Submit
C:\Users\Admin\AppData\Local\Temp\30048.bat

Filesize
7B

MD5
3df116ef9ce709e3a5f25249db341c98

SHA1
7af50effe03c71bd5e03d46dc9b979c6faf92c8d

SHA256
4305b80fe6c8b71e12cfe14b19e94127e4825d6b8ade1cb544eee4836cbf7af0

SHA512
54242d6c407bcb82c482ab5b3bed3efe0fcffc5fa14a2b41247c0043a37d5695c4b9b1ba35c0c159f50720005780cd67e94b019e712a2e22aaaeb550e845c778

Download Submit
C:\Users\Admin\AppData\Local\Temp\326555.txt

Filesize
5B

MD5
6db812399de3afc15a13018a77f70aed

SHA1
831c2c5bde0f5dcc256bef6f6095e4fe5df1e28f

SHA256
a5ceb237353761471279bd1eadc64a35e4f6f8bcd294e4581a43a84f49b6f514

SHA512
e10914b8aa40bbc1dd2cf604d9bc86bde1c50bdde2942c174e48652520aadfe2c881b5740d08e48fa5c5bdfa8dd78278766da8bb76dbc42d501388ff396bccc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\327909.txt

Filesize
4B

MD5
f6185f0ef02dcaec414a3171cd01c697

SHA1
e72a32b81af08da32dc6250f14ff025ff99ee615

SHA256
8ba89f83a19745038de329531b2e1c2b1d58b6d7f7e2a22e993024a1b78adeba

SHA512
fa0daa1e72a1b0db120843a4c29e073a792e3d9b91437a525ec6fa8c96d1e690dddf5b6ac490549b7be1183a74816241f9e0588fdc7a553bccf725043504636c

Download Submit
C:\Users\Admin\AppData\Local\Temp\41113.txt

Filesize
5B

MD5
5be5d2b913dcf4dd9ad2759c2e150d92

SHA1
882911ecc5e66848044fca8a75f41fddba4bc2bb

SHA256
e67609a8a2b27a20c342f1801d9cb4ba0855fd7a886d75b1742e4fd6deb419de

SHA512
96559bb146b71144cbbda918c967500160ceb462cab5be3f4f4da0dfd21676393cd61af691b282ed97e9d372e32df228afc6d068318ad4f7c45dbbde745ed1d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\41640.txt

Filesize
4B

MD5
22eda830d1051274a2581d6466c06e6c

SHA1
9d9fdddd258f37b0632551ee91121ce9648afd6c

SHA256
808ba8c29edb1f89bc1a44969fddfb1fef9a8e4996a84bbc8c3502e2435652de

SHA512
1d0195c774b611c854e4a64116002bc63a32e3b1545c5fb16dfac8a3679a563b2030ee3bed5f2a7859de0ebd23d7afd7b2ba5919503f9cc15a00e59721e295e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\4858.bat

Filesize
151B

MD5
87c10036f19ce80df8dae6f44ceb6bb6

SHA1
fb703786435d97361fb376be9269412f543a2613

SHA256
81c0e8dd6af91024e8564a6edb6533e817c20db8d6c4375e710a5172e16637d4

SHA512
3ad9fc5642fba4add2bdbd3de14f15cb3146eacfab9e90d6402ed8796d43c3bdd82141baeefc1a6399a8d80d15026cb974e754c4afbda0e9f92b80128c3b41e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\48895.bat

Filesize
7B

MD5
3df116ef9ce709e3a5f25249db341c98

SHA1
7af50effe03c71bd5e03d46dc9b979c6faf92c8d

SHA256
4305b80fe6c8b71e12cfe14b19e94127e4825d6b8ade1cb544eee4836cbf7af0

SHA512
54242d6c407bcb82c482ab5b3bed3efe0fcffc5fa14a2b41247c0043a37d5695c4b9b1ba35c0c159f50720005780cd67e94b019e712a2e22aaaeb550e845c778

Download Submit
C:\Users\Admin\AppData\Local\Temp\48895.bat

Filesize
7B

MD5
3df116ef9ce709e3a5f25249db341c98

SHA1
7af50effe03c71bd5e03d46dc9b979c6faf92c8d

SHA256
4305b80fe6c8b71e12cfe14b19e94127e4825d6b8ade1cb544eee4836cbf7af0

SHA512
54242d6c407bcb82c482ab5b3bed3efe0fcffc5fa14a2b41247c0043a37d5695c4b9b1ba35c0c159f50720005780cd67e94b019e712a2e22aaaeb550e845c778

Download Submit
C:\Users\Admin\AppData\Local\Temp\53726.txt

Filesize
5B

MD5
c1adc7e5ae982a010af2eb442b583640

SHA1
2f80c3448f54db08d910c2d6dfe3dc2f202e0da4

SHA256
cdf0e49e1b570f1314da71c695f7c595dece0e228755ff5cebd5418bdcd6e17e

SHA512
fc8414f25d5730727be24b69d3c88cd28b97edf9dace378b8b6af6b0c34b6d47fd7bfdc1e81683f3007c4d8ce5f1ff9973a56f59bc9ac63c7e0fe314fb8c7eec

Download Submit
C:\Users\Admin\AppData\Local\Temp\53726.txt

Filesize
5B

MD5
c1adc7e5ae982a010af2eb442b583640

SHA1
2f80c3448f54db08d910c2d6dfe3dc2f202e0da4

SHA256
cdf0e49e1b570f1314da71c695f7c595dece0e228755ff5cebd5418bdcd6e17e

SHA512
fc8414f25d5730727be24b69d3c88cd28b97edf9dace378b8b6af6b0c34b6d47fd7bfdc1e81683f3007c4d8ce5f1ff9973a56f59bc9ac63c7e0fe314fb8c7eec

Download Submit
C:\Users\Admin\AppData\Local\Temp\54249.txt

Filesize
4B

MD5
7aee5d5dfa97b2516e5f639672c7e199

SHA1
10c4bc4a2f1966a8b855d2156010d2004301d907

SHA256
22ce386dda2c7de5ad2e03325a6c4d5f4864d5cd9f97653bd9f9e4d9f2555b16

SHA512
3e1b68d8186439b9ef947a677e2e2f9484be155c4f5b71c35db710c512505996a270bce2b7101fc5e1f6e413ae7d894fb9313f79c881b8256ddad7f65d3496eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\54772.txt

Filesize
5B

MD5
2c12328aab48072aee9c07cf4442b238

SHA1
3d6ee4b125249ad2076b16caa9d97a86d4d7f9ae

SHA256
005b337af354bd054402c3e4303a0551fafdcee75a1794c77ab5fd29e0418995

SHA512
6da73f6123c5320507f5eb6b6dbaa6fe67a17057ae7725a46f902e62abba384074bdcf911038a9b2afe73d385468e60ab6000af42db9fa6e484913f364c4d19b

Download Submit
C:\Users\Admin\AppData\Local\Temp\62392.bat

Filesize
150B

MD5
ac49f0f28f2355f5e08d9de3d0248e3c

SHA1
6f35d2ec77d5bd810811dee8638fc88f7f9fdf7a

SHA256
444fd151f302d922a776ddcc92421923bc7a153490ced61ea27e41c51b3126a0

SHA512
5786aa79d215eaf38472ecd5f5db32634e2c9e88d15acb5cafe4eafd0da09b5206c160bad1818fb4b432a9cce48d1c3da74955c5da2e3aed8618c91049cfa328

Download Submit
C:\Users\Admin\AppData\Local\Temp\711861.txt

Filesize
4B

MD5
a7971abb4134fc0cfcec7d589e1ebcf6

SHA1
39c4be3cb630fb189e89b8d626e64036a4d59019

SHA256
ff9511e0254eff335c36f63ba9bc3ed3185a4203ff3d813ce850a6ddcb009348

SHA512
60cb1bae52c5d9058106448e89e2e04101f5c50e25f38aec9969515ad9a1a2c24a0336054c4d63b4e6007f436d1b22f7f4e86a34a7e469a7b2882a4b08fa71e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\813429.txt

Filesize
5B

MD5
a6cb32616a87184a192e1ce38940c5d5

SHA1
c30f64939d307ae90c8dd6309c1a1f80d6b0d1ec

SHA256
d885bb7273fb4e746e84afc627f57884681464d304c0d487efee6b49df9620a2

SHA512
78bbee895b1407a4ccd0c56145cc3e1bc0c3a6210837a2d8c7a85a70851e1cd11422236e19af71b61d05992f6d340c6e94861239f75e854c0247febde46d30cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\813429.txt

Filesize
5B

MD5
a6cb32616a87184a192e1ce38940c5d5

SHA1
c30f64939d307ae90c8dd6309c1a1f80d6b0d1ec

SHA256
d885bb7273fb4e746e84afc627f57884681464d304c0d487efee6b49df9620a2

SHA512
78bbee895b1407a4ccd0c56145cc3e1bc0c3a6210837a2d8c7a85a70851e1cd11422236e19af71b61d05992f6d340c6e94861239f75e854c0247febde46d30cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\813429.txt

Filesize
5B

MD5
a6cb32616a87184a192e1ce38940c5d5

SHA1
c30f64939d307ae90c8dd6309c1a1f80d6b0d1ec

SHA256
d885bb7273fb4e746e84afc627f57884681464d304c0d487efee6b49df9620a2

SHA512
78bbee895b1407a4ccd0c56145cc3e1bc0c3a6210837a2d8c7a85a70851e1cd11422236e19af71b61d05992f6d340c6e94861239f75e854c0247febde46d30cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\813429.txt

Filesize
5B

MD5
a6cb32616a87184a192e1ce38940c5d5

SHA1
c30f64939d307ae90c8dd6309c1a1f80d6b0d1ec

SHA256
d885bb7273fb4e746e84afc627f57884681464d304c0d487efee6b49df9620a2

SHA512
78bbee895b1407a4ccd0c56145cc3e1bc0c3a6210837a2d8c7a85a70851e1cd11422236e19af71b61d05992f6d340c6e94861239f75e854c0247febde46d30cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\813429.txt

Filesize
5B

MD5
a6cb32616a87184a192e1ce38940c5d5

SHA1
c30f64939d307ae90c8dd6309c1a1f80d6b0d1ec

SHA256
d885bb7273fb4e746e84afc627f57884681464d304c0d487efee6b49df9620a2

SHA512
78bbee895b1407a4ccd0c56145cc3e1bc0c3a6210837a2d8c7a85a70851e1cd11422236e19af71b61d05992f6d340c6e94861239f75e854c0247febde46d30cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\813429.txt

Filesize
5B

MD5
a6cb32616a87184a192e1ce38940c5d5

SHA1
c30f64939d307ae90c8dd6309c1a1f80d6b0d1ec

SHA256
d885bb7273fb4e746e84afc627f57884681464d304c0d487efee6b49df9620a2

SHA512
78bbee895b1407a4ccd0c56145cc3e1bc0c3a6210837a2d8c7a85a70851e1cd11422236e19af71b61d05992f6d340c6e94861239f75e854c0247febde46d30cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\814475.txt

Filesize
4B

MD5
543857f4a06c852113bcc02abf295eb5

SHA1
4d8832f6fbe0ae0eb25893e6bcfc1c3a9520255a

SHA256
4aff907ef4a6d2c2d2d4bfbaaec8c4c2d531e0cdb9b35395c51173d3ec88f965

SHA512
aad985ff8b97b577eecb153f24cd931d978e3fd98adb1d1d86a0f46f4fcc6a1cddf95a78e5f97996888f77cdb10a5149059d7704c16d50d59796a3794023ac07

Download Submit
C:\Users\Admin\AppData\Local\Temp\814475.txt

Filesize
4B

MD5
543857f4a06c852113bcc02abf295eb5

SHA1
4d8832f6fbe0ae0eb25893e6bcfc1c3a9520255a

SHA256
4aff907ef4a6d2c2d2d4bfbaaec8c4c2d531e0cdb9b35395c51173d3ec88f965

SHA512
aad985ff8b97b577eecb153f24cd931d978e3fd98adb1d1d86a0f46f4fcc6a1cddf95a78e5f97996888f77cdb10a5149059d7704c16d50d59796a3794023ac07

Download Submit
C:\Users\Admin\AppData\Local\Temp\814475.txt

Filesize
4B

MD5
543857f4a06c852113bcc02abf295eb5

SHA1
4d8832f6fbe0ae0eb25893e6bcfc1c3a9520255a

SHA256
4aff907ef4a6d2c2d2d4bfbaaec8c4c2d531e0cdb9b35395c51173d3ec88f965

SHA512
aad985ff8b97b577eecb153f24cd931d978e3fd98adb1d1d86a0f46f4fcc6a1cddf95a78e5f97996888f77cdb10a5149059d7704c16d50d59796a3794023ac07

Download Submit
C:\Users\Admin\AppData\Local\Temp\814475.txt

Filesize
4B

MD5
543857f4a06c852113bcc02abf295eb5

SHA1
4d8832f6fbe0ae0eb25893e6bcfc1c3a9520255a

SHA256
4aff907ef4a6d2c2d2d4bfbaaec8c4c2d531e0cdb9b35395c51173d3ec88f965

SHA512
aad985ff8b97b577eecb153f24cd931d978e3fd98adb1d1d86a0f46f4fcc6a1cddf95a78e5f97996888f77cdb10a5149059d7704c16d50d59796a3794023ac07

Download Submit
C:\Users\Admin\AppData\Local\Temp\814475.txt

Filesize
4B

MD5
543857f4a06c852113bcc02abf295eb5

SHA1
4d8832f6fbe0ae0eb25893e6bcfc1c3a9520255a

SHA256
4aff907ef4a6d2c2d2d4bfbaaec8c4c2d531e0cdb9b35395c51173d3ec88f965

SHA512
aad985ff8b97b577eecb153f24cd931d978e3fd98adb1d1d86a0f46f4fcc6a1cddf95a78e5f97996888f77cdb10a5149059d7704c16d50d59796a3794023ac07

Download Submit
C:\Users\Admin\AppData\Local\Temp\814475.txt

Filesize
4B

MD5
543857f4a06c852113bcc02abf295eb5

SHA1
4d8832f6fbe0ae0eb25893e6bcfc1c3a9520255a

SHA256
4aff907ef4a6d2c2d2d4bfbaaec8c4c2d531e0cdb9b35395c51173d3ec88f965

SHA512
aad985ff8b97b577eecb153f24cd931d978e3fd98adb1d1d86a0f46f4fcc6a1cddf95a78e5f97996888f77cdb10a5149059d7704c16d50d59796a3794023ac07

Download Submit
C:\Users\Admin\AppData\Local\Temp\814998.txt

Filesize
5B

MD5
5be5a7506bfc5ce83afa8354f9ac5fff

SHA1
a647ca6aa64a2880e22e24cf6359fa23e8891420

SHA256
715929f93019d95c25c7dbf35420928e77ff3eb218e3234bc8f664b87f8f8b6c

SHA512
6970190f1494f2f1cf9cc072ee7f58ed55276963acbdc736e24519ab48bc9d666ea7db9c6776050a04bffc7e8a4ca7e9f2e018e3fb3de3c92350247f74993772

Download Submit
C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe

Filesize
1.5MB

MD5
5c20f9c9fee772409fb31a69e904f50c

SHA1
03c42faabf027cc9318e76af2bfd10e8274fa795

SHA256
1b67829f85c5241bd5dad43e7c71e5002886896bd6d7ef87d05b6f8c5743ba38

SHA512
69a7b4d683e4de9feb65d438ffb33b7cc0003cff0d5a541e90c05858edd9d3ed869f43cbe0de266374b774ee0b294b596e0e77ad7d4201816e7055759eebc95b

Download Submit
C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe

Filesize
1.5MB

MD5
5c20f9c9fee772409fb31a69e904f50c

SHA1
03c42faabf027cc9318e76af2bfd10e8274fa795

SHA256
1b67829f85c5241bd5dad43e7c71e5002886896bd6d7ef87d05b6f8c5743ba38

SHA512
69a7b4d683e4de9feb65d438ffb33b7cc0003cff0d5a541e90c05858edd9d3ed869f43cbe0de266374b774ee0b294b596e0e77ad7d4201816e7055759eebc95b

Download Submit
C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe

Filesize
1.5MB

MD5
5c20f9c9fee772409fb31a69e904f50c

SHA1
03c42faabf027cc9318e76af2bfd10e8274fa795

SHA256
1b67829f85c5241bd5dad43e7c71e5002886896bd6d7ef87d05b6f8c5743ba38

SHA512
69a7b4d683e4de9feb65d438ffb33b7cc0003cff0d5a541e90c05858edd9d3ed869f43cbe0de266374b774ee0b294b596e0e77ad7d4201816e7055759eebc95b

Download Submit
C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe

Filesize
1.5MB

MD5
5c20f9c9fee772409fb31a69e904f50c

SHA1
03c42faabf027cc9318e76af2bfd10e8274fa795

SHA256
1b67829f85c5241bd5dad43e7c71e5002886896bd6d7ef87d05b6f8c5743ba38

SHA512
69a7b4d683e4de9feb65d438ffb33b7cc0003cff0d5a541e90c05858edd9d3ed869f43cbe0de266374b774ee0b294b596e0e77ad7d4201816e7055759eebc95b

Download Submit
C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe

Filesize
1.5MB

MD5
5c20f9c9fee772409fb31a69e904f50c

SHA1
03c42faabf027cc9318e76af2bfd10e8274fa795

SHA256
1b67829f85c5241bd5dad43e7c71e5002886896bd6d7ef87d05b6f8c5743ba38

SHA512
69a7b4d683e4de9feb65d438ffb33b7cc0003cff0d5a541e90c05858edd9d3ed869f43cbe0de266374b774ee0b294b596e0e77ad7d4201816e7055759eebc95b

Download Submit
C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe

Filesize
1.5MB

MD5
5c20f9c9fee772409fb31a69e904f50c

SHA1
03c42faabf027cc9318e76af2bfd10e8274fa795

SHA256
1b67829f85c5241bd5dad43e7c71e5002886896bd6d7ef87d05b6f8c5743ba38

SHA512
69a7b4d683e4de9feb65d438ffb33b7cc0003cff0d5a541e90c05858edd9d3ed869f43cbe0de266374b774ee0b294b596e0e77ad7d4201816e7055759eebc95b

Download Submit
C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe

Filesize
1.5MB

MD5
5c20f9c9fee772409fb31a69e904f50c

SHA1
03c42faabf027cc9318e76af2bfd10e8274fa795

SHA256
1b67829f85c5241bd5dad43e7c71e5002886896bd6d7ef87d05b6f8c5743ba38

SHA512
69a7b4d683e4de9feb65d438ffb33b7cc0003cff0d5a541e90c05858edd9d3ed869f43cbe0de266374b774ee0b294b596e0e77ad7d4201816e7055759eebc95b

Download Submit
C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe

Filesize
1.5MB

MD5
5c20f9c9fee772409fb31a69e904f50c

SHA1
03c42faabf027cc9318e76af2bfd10e8274fa795

SHA256
1b67829f85c5241bd5dad43e7c71e5002886896bd6d7ef87d05b6f8c5743ba38

SHA512
69a7b4d683e4de9feb65d438ffb33b7cc0003cff0d5a541e90c05858edd9d3ed869f43cbe0de266374b774ee0b294b596e0e77ad7d4201816e7055759eebc95b

Download Submit
C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe

Filesize
1.5MB

MD5
5c20f9c9fee772409fb31a69e904f50c

SHA1
03c42faabf027cc9318e76af2bfd10e8274fa795

SHA256
1b67829f85c5241bd5dad43e7c71e5002886896bd6d7ef87d05b6f8c5743ba38

SHA512
69a7b4d683e4de9feb65d438ffb33b7cc0003cff0d5a541e90c05858edd9d3ed869f43cbe0de266374b774ee0b294b596e0e77ad7d4201816e7055759eebc95b

Download Submit
C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe

Filesize
1.5MB

MD5
5c20f9c9fee772409fb31a69e904f50c

SHA1
03c42faabf027cc9318e76af2bfd10e8274fa795

SHA256
1b67829f85c5241bd5dad43e7c71e5002886896bd6d7ef87d05b6f8c5743ba38

SHA512
69a7b4d683e4de9feb65d438ffb33b7cc0003cff0d5a541e90c05858edd9d3ed869f43cbe0de266374b774ee0b294b596e0e77ad7d4201816e7055759eebc95b

Download Submit
C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe

Filesize
1.5MB

MD5
5c20f9c9fee772409fb31a69e904f50c

SHA1
03c42faabf027cc9318e76af2bfd10e8274fa795

SHA256
1b67829f85c5241bd5dad43e7c71e5002886896bd6d7ef87d05b6f8c5743ba38

SHA512
69a7b4d683e4de9feb65d438ffb33b7cc0003cff0d5a541e90c05858edd9d3ed869f43cbe0de266374b774ee0b294b596e0e77ad7d4201816e7055759eebc95b

Download Submit
C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe

Filesize
1.5MB

MD5
5c20f9c9fee772409fb31a69e904f50c

SHA1
03c42faabf027cc9318e76af2bfd10e8274fa795

SHA256
1b67829f85c5241bd5dad43e7c71e5002886896bd6d7ef87d05b6f8c5743ba38

SHA512
69a7b4d683e4de9feb65d438ffb33b7cc0003cff0d5a541e90c05858edd9d3ed869f43cbe0de266374b774ee0b294b596e0e77ad7d4201816e7055759eebc95b

Download Submit
C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe

Filesize
1.5MB

MD5
5c20f9c9fee772409fb31a69e904f50c

SHA1
03c42faabf027cc9318e76af2bfd10e8274fa795

SHA256
1b67829f85c5241bd5dad43e7c71e5002886896bd6d7ef87d05b6f8c5743ba38

SHA512
69a7b4d683e4de9feb65d438ffb33b7cc0003cff0d5a541e90c05858edd9d3ed869f43cbe0de266374b774ee0b294b596e0e77ad7d4201816e7055759eebc95b

Download Submit
C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe

Filesize
1.5MB

MD5
5c20f9c9fee772409fb31a69e904f50c

SHA1
03c42faabf027cc9318e76af2bfd10e8274fa795

SHA256
1b67829f85c5241bd5dad43e7c71e5002886896bd6d7ef87d05b6f8c5743ba38

SHA512
69a7b4d683e4de9feb65d438ffb33b7cc0003cff0d5a541e90c05858edd9d3ed869f43cbe0de266374b774ee0b294b596e0e77ad7d4201816e7055759eebc95b

Download Submit
C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe

Filesize
1.5MB

MD5
5c20f9c9fee772409fb31a69e904f50c

SHA1
03c42faabf027cc9318e76af2bfd10e8274fa795

SHA256
1b67829f85c5241bd5dad43e7c71e5002886896bd6d7ef87d05b6f8c5743ba38

SHA512
69a7b4d683e4de9feb65d438ffb33b7cc0003cff0d5a541e90c05858edd9d3ed869f43cbe0de266374b774ee0b294b596e0e77ad7d4201816e7055759eebc95b

Download Submit
C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe

Filesize
1.5MB

MD5
5c20f9c9fee772409fb31a69e904f50c

SHA1
03c42faabf027cc9318e76af2bfd10e8274fa795

SHA256
1b67829f85c5241bd5dad43e7c71e5002886896bd6d7ef87d05b6f8c5743ba38

SHA512
69a7b4d683e4de9feb65d438ffb33b7cc0003cff0d5a541e90c05858edd9d3ed869f43cbe0de266374b774ee0b294b596e0e77ad7d4201816e7055759eebc95b

Download Submit
C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe

Filesize
1.5MB

MD5
5c20f9c9fee772409fb31a69e904f50c

SHA1
03c42faabf027cc9318e76af2bfd10e8274fa795

SHA256
1b67829f85c5241bd5dad43e7c71e5002886896bd6d7ef87d05b6f8c5743ba38

SHA512
69a7b4d683e4de9feb65d438ffb33b7cc0003cff0d5a541e90c05858edd9d3ed869f43cbe0de266374b774ee0b294b596e0e77ad7d4201816e7055759eebc95b

Download Submit
C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe

Filesize
1.5MB

MD5
5c20f9c9fee772409fb31a69e904f50c

SHA1
03c42faabf027cc9318e76af2bfd10e8274fa795

SHA256
1b67829f85c5241bd5dad43e7c71e5002886896bd6d7ef87d05b6f8c5743ba38

SHA512
69a7b4d683e4de9feb65d438ffb33b7cc0003cff0d5a541e90c05858edd9d3ed869f43cbe0de266374b774ee0b294b596e0e77ad7d4201816e7055759eebc95b

Download Submit
C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe

Filesize
1.5MB

MD5
5c20f9c9fee772409fb31a69e904f50c

SHA1
03c42faabf027cc9318e76af2bfd10e8274fa795

SHA256
1b67829f85c5241bd5dad43e7c71e5002886896bd6d7ef87d05b6f8c5743ba38

SHA512
69a7b4d683e4de9feb65d438ffb33b7cc0003cff0d5a541e90c05858edd9d3ed869f43cbe0de266374b774ee0b294b596e0e77ad7d4201816e7055759eebc95b

Download Submit
C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe

Filesize
1.5MB

MD5
5c20f9c9fee772409fb31a69e904f50c

SHA1
03c42faabf027cc9318e76af2bfd10e8274fa795

SHA256
1b67829f85c5241bd5dad43e7c71e5002886896bd6d7ef87d05b6f8c5743ba38

SHA512
69a7b4d683e4de9feb65d438ffb33b7cc0003cff0d5a541e90c05858edd9d3ed869f43cbe0de266374b774ee0b294b596e0e77ad7d4201816e7055759eebc95b

Download Submit
C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe

Filesize
1.5MB

MD5
5c20f9c9fee772409fb31a69e904f50c

SHA1
03c42faabf027cc9318e76af2bfd10e8274fa795

SHA256
1b67829f85c5241bd5dad43e7c71e5002886896bd6d7ef87d05b6f8c5743ba38

SHA512
69a7b4d683e4de9feb65d438ffb33b7cc0003cff0d5a541e90c05858edd9d3ed869f43cbe0de266374b774ee0b294b596e0e77ad7d4201816e7055759eebc95b

Download Submit
C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe

Filesize
1.5MB

MD5
5c20f9c9fee772409fb31a69e904f50c

SHA1
03c42faabf027cc9318e76af2bfd10e8274fa795

SHA256
1b67829f85c5241bd5dad43e7c71e5002886896bd6d7ef87d05b6f8c5743ba38

SHA512
69a7b4d683e4de9feb65d438ffb33b7cc0003cff0d5a541e90c05858edd9d3ed869f43cbe0de266374b774ee0b294b596e0e77ad7d4201816e7055759eebc95b

Download Submit
C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe

Filesize
1.5MB

MD5
5c20f9c9fee772409fb31a69e904f50c

SHA1
03c42faabf027cc9318e76af2bfd10e8274fa795

SHA256
1b67829f85c5241bd5dad43e7c71e5002886896bd6d7ef87d05b6f8c5743ba38

SHA512
69a7b4d683e4de9feb65d438ffb33b7cc0003cff0d5a541e90c05858edd9d3ed869f43cbe0de266374b774ee0b294b596e0e77ad7d4201816e7055759eebc95b

Download Submit
C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe

Filesize
1.5MB

MD5
5c20f9c9fee772409fb31a69e904f50c

SHA1
03c42faabf027cc9318e76af2bfd10e8274fa795

SHA256
1b67829f85c5241bd5dad43e7c71e5002886896bd6d7ef87d05b6f8c5743ba38

SHA512
69a7b4d683e4de9feb65d438ffb33b7cc0003cff0d5a541e90c05858edd9d3ed869f43cbe0de266374b774ee0b294b596e0e77ad7d4201816e7055759eebc95b

Download Submit
C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe

Filesize
1.5MB

MD5
5c20f9c9fee772409fb31a69e904f50c

SHA1
03c42faabf027cc9318e76af2bfd10e8274fa795

SHA256
1b67829f85c5241bd5dad43e7c71e5002886896bd6d7ef87d05b6f8c5743ba38

SHA512
69a7b4d683e4de9feb65d438ffb33b7cc0003cff0d5a541e90c05858edd9d3ed869f43cbe0de266374b774ee0b294b596e0e77ad7d4201816e7055759eebc95b

Download Submit
C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe

Filesize
1.5MB

MD5
5c20f9c9fee772409fb31a69e904f50c

SHA1
03c42faabf027cc9318e76af2bfd10e8274fa795

SHA256
1b67829f85c5241bd5dad43e7c71e5002886896bd6d7ef87d05b6f8c5743ba38

SHA512
69a7b4d683e4de9feb65d438ffb33b7cc0003cff0d5a541e90c05858edd9d3ed869f43cbe0de266374b774ee0b294b596e0e77ad7d4201816e7055759eebc95b

Download Submit
C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe

Filesize
1.5MB

MD5
5c20f9c9fee772409fb31a69e904f50c

SHA1
03c42faabf027cc9318e76af2bfd10e8274fa795

SHA256
1b67829f85c5241bd5dad43e7c71e5002886896bd6d7ef87d05b6f8c5743ba38

SHA512
69a7b4d683e4de9feb65d438ffb33b7cc0003cff0d5a541e90c05858edd9d3ed869f43cbe0de266374b774ee0b294b596e0e77ad7d4201816e7055759eebc95b

Download Submit
C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe

Filesize
1.5MB

MD5
5c20f9c9fee772409fb31a69e904f50c

SHA1
03c42faabf027cc9318e76af2bfd10e8274fa795

SHA256
1b67829f85c5241bd5dad43e7c71e5002886896bd6d7ef87d05b6f8c5743ba38

SHA512
69a7b4d683e4de9feb65d438ffb33b7cc0003cff0d5a541e90c05858edd9d3ed869f43cbe0de266374b774ee0b294b596e0e77ad7d4201816e7055759eebc95b

Download Submit
C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe

Filesize
1.5MB

MD5
5c20f9c9fee772409fb31a69e904f50c

SHA1
03c42faabf027cc9318e76af2bfd10e8274fa795

SHA256
1b67829f85c5241bd5dad43e7c71e5002886896bd6d7ef87d05b6f8c5743ba38

SHA512
69a7b4d683e4de9feb65d438ffb33b7cc0003cff0d5a541e90c05858edd9d3ed869f43cbe0de266374b774ee0b294b596e0e77ad7d4201816e7055759eebc95b

Download Submit
C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe

Filesize
1.5MB

MD5
5c20f9c9fee772409fb31a69e904f50c

SHA1
03c42faabf027cc9318e76af2bfd10e8274fa795

SHA256
1b67829f85c5241bd5dad43e7c71e5002886896bd6d7ef87d05b6f8c5743ba38

SHA512
69a7b4d683e4de9feb65d438ffb33b7cc0003cff0d5a541e90c05858edd9d3ed869f43cbe0de266374b774ee0b294b596e0e77ad7d4201816e7055759eebc95b

Download Submit
C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe

Filesize
1.5MB

MD5
5c20f9c9fee772409fb31a69e904f50c

SHA1
03c42faabf027cc9318e76af2bfd10e8274fa795

SHA256
1b67829f85c5241bd5dad43e7c71e5002886896bd6d7ef87d05b6f8c5743ba38

SHA512
69a7b4d683e4de9feb65d438ffb33b7cc0003cff0d5a541e90c05858edd9d3ed869f43cbe0de266374b774ee0b294b596e0e77ad7d4201816e7055759eebc95b

Download Submit
C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe

Filesize
1.5MB

MD5
5c20f9c9fee772409fb31a69e904f50c

SHA1
03c42faabf027cc9318e76af2bfd10e8274fa795

SHA256
1b67829f85c5241bd5dad43e7c71e5002886896bd6d7ef87d05b6f8c5743ba38

SHA512
69a7b4d683e4de9feb65d438ffb33b7cc0003cff0d5a541e90c05858edd9d3ed869f43cbe0de266374b774ee0b294b596e0e77ad7d4201816e7055759eebc95b

Download Submit
C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad82.exe

Filesize
1.5MB

MD5
5c20f9c9fee772409fb31a69e904f50c

SHA1
03c42faabf027cc9318e76af2bfd10e8274fa795

SHA256
1b67829f85c5241bd5dad43e7c71e5002886896bd6d7ef87d05b6f8c5743ba38

SHA512
69a7b4d683e4de9feb65d438ffb33b7cc0003cff0d5a541e90c05858edd9d3ed869f43cbe0de266374b774ee0b294b596e0e77ad7d4201816e7055759eebc95b

Download Submit
C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad85.exe

Filesize
1.5MB

MD5
79f1ad87fc34a46b6ec371a8d8d903c7

SHA1
b86c3acc13b5c05aad4b37ab9f27e8c8cb056cb5

SHA256
0a63b82c23d5299cc9fa4227ee852fcfab054fb43d2634c9788b3ca0af9b8284

SHA512
266ab8df297fde8cee8190cb3ed20721362508274bbb0e85cd38b7d1dc9e4ede31f80cfe8043414299df8ca3d8d73fc1817e1098513055a263dbef430474875f

Download Submit
C:\Users\Admin\AppData\Local\Temp\92475cef84d24365c986bd6dafce0f4834f80fc0ecb2a81a1818fd7a232d6ad89.exe

Filesize
1.5MB

MD5
5db6880d94a7267f196a7558c4dd99f0

SHA1
7e467c78156e465006b938cf13705df1d01151f8

SHA256
84273709f465cda82c07ef14c24d891b7ac3f1602c9ab3956e633824ae60bb7f

SHA512
ddfbe7be0a34c0b9f4665b30de95929970b72df0c52921bf69219ce807c6c9ed7a5d23375a498bacd1881df4125717df040181a331a510471647b076929c31ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\95703.txt

Filesize
5B

MD5
bfc5f29ce3bf163d0c27ca8d9d17ec49

SHA1
a1c74ffd3045d4b5468cece1e7ab101dc0338389

SHA256
7ca6e553d93c6607eedcd3c2b92dffd5f5d10cd304801470c81333c65de1605f

SHA512
245684bb2c5f38a678279fe363f5fd021f6b85b362c55a6ce6389b6323665cce1f4e793857b3b3092b7c4be93e0d4707559c585adc2879c855430c814d2a3a55

Download Submit
memory/392-16-0x0000000000400000-0x000000000061D000-memory.dmp

Filesize
2.1MB

Download
memory/552-135-0x0000000000400000-0x000000000061D000-memory.dmp

Filesize
2.1MB

Download
memory/1372-130-0x0000000000400000-0x000000000061D000-memory.dmp

Filesize
2.1MB

Download
memory/1372-9-0x0000000000400000-0x000000000061D000-memory.dmp

Filesize
2.1MB

Download
memory/1772-19-0x0000000000400000-0x000000000061D000-memory.dmp

Filesize
2.1MB

Download
memory/1772-434-0x0000000000400000-0x000000000061D000-memory.dmp

Filesize
2.1MB

Download
memory/1808-0-0x0000000000400000-0x000000000061D000-memory.dmp

Filesize
2.1MB

Download
memory/1808-8-0x0000000000400000-0x000000000061D000-memory.dmp

Filesize
2.1MB

Download
memory/2088-14-0x0000000000400000-0x000000000061D000-memory.dmp

Filesize
2.1MB

Download
memory/2088-285-0x0000000000400000-0x000000000061D000-memory.dmp

Filesize
2.1MB

Download
memory/2144-147-0x0000000000400000-0x000000000061D000-memory.dmp

Filesize
2.1MB

Download
memory/2156-148-0x0000000000400000-0x000000000061D000-memory.dmp

Filesize
2.1MB

Download
memory/2176-24-0x0000000000400000-0x000000000061D000-memory.dmp

Filesize
2.1MB

Download
memory/2376-140-0x0000000000400000-0x000000000061D000-memory.dmp

Filesize
2.1MB

Download
memory/2708-56-0x0000000000400000-0x000000000061D000-memory.dmp

Filesize
2.1MB

Download
memory/2792-60-0x0000000000400000-0x000000000061D000-memory.dmp

Filesize
2.1MB

Download
memory/2832-436-0x0000000000400000-0x000000000061D000-memory.dmp

Filesize
2.1MB

Download
memory/2832-55-0x0000000000400000-0x000000000061D000-memory.dmp

Filesize
2.1MB

Download
memory/3480-141-0x0000000000400000-0x000000000061D000-memory.dmp

Filesize
2.1MB

Download
memory/3644-137-0x0000000000400000-0x000000000061D000-memory.dmp

Filesize
2.1MB

Download
memory/3688-20-0x0000000000400000-0x000000000061D000-memory.dmp

Filesize
2.1MB

Download
memory/3736-369-0x0000000000400000-0x000000000061D000-memory.dmp

Filesize
2.1MB

Download
memory/3736-23-0x0000000000400000-0x000000000061D000-memory.dmp

Filesize
2.1MB

Download
memory/3740-57-0x0000000000400000-0x000000000061D000-memory.dmp

Filesize
2.1MB

Download
memory/3824-134-0x0000000000400000-0x000000000061D000-memory.dmp

Filesize
2.1MB

Download
memory/3976-133-0x0000000000400000-0x000000000061D000-memory.dmp

Filesize
2.1MB

Download
memory/3992-21-0x0000000000400000-0x000000000061D000-memory.dmp

Filesize
2.1MB

Download
memory/4008-22-0x0000000000400000-0x000000000061D000-memory.dmp

Filesize
2.1MB

Download
memory/4040-62-0x0000000000400000-0x000000000061D000-memory.dmp

Filesize
2.1MB

Download
memory/4136-433-0x0000000000400000-0x000000000061D000-memory.dmp

Filesize
2.1MB

Download
memory/4136-145-0x0000000000400000-0x000000000061D000-memory.dmp

Filesize
2.1MB

Download
memory/4140-136-0x0000000000400000-0x000000000061D000-memory.dmp

Filesize
2.1MB

Download
memory/4384-149-0x0000000000400000-0x000000000061D000-memory.dmp

Filesize
2.1MB

Download
memory/4564-58-0x0000000000400000-0x000000000061D000-memory.dmp

Filesize
2.1MB

Download
memory/4572-138-0x0000000000400000-0x000000000061D000-memory.dmp

Filesize
2.1MB

Download
memory/4604-435-0x0000000000400000-0x000000000061D000-memory.dmp

Filesize
2.1MB

Download
memory/4604-59-0x0000000000400000-0x000000000061D000-memory.dmp

Filesize
2.1MB

Download
memory/5028-61-0x0000000000400000-0x000000000061D000-memory.dmp

Filesize
2.1MB

Download
memory/5080-13-0x0000000000400000-0x000000000061D000-memory.dmp

Filesize
2.1MB

Download
memory/5292-437-0x0000000000400000-0x000000000061D000-memory.dmp

Filesize
2.1MB

Download
memory/5516-315-0x0000000000400000-0x000000000061D000-memory.dmp

Filesize
2.1MB

Download
memory/5528-156-0x0000000000400000-0x000000000061D000-memory.dmp

Filesize
2.1MB

Download
memory/5752-159-0x0000000000400000-0x000000000061D000-memory.dmp

Filesize
2.1MB

Download
memory/6124-162-0x0000000000400000-0x000000000061D000-memory.dmp

Filesize
2.1MB

Download
memory/6132-318-0x0000000000400000-0x000000000061D000-memory.dmp

Filesize
2.1MB

Download
memory/6232-313-0x0000000000400000-0x000000000061D000-memory.dmp

Filesize
2.1MB

Download
memory/6376-314-0x0000000000400000-0x000000000061D000-memory.dmp

Filesize
2.1MB

Download
memory/6444-335-0x0000000000400000-0x000000000061D000-memory.dmp

Filesize
2.1MB

Download
memory/6492-183-0x0000000000400000-0x000000000061D000-memory.dmp

Filesize
2.1MB

Download
memory/6552-336-0x0000000000400000-0x000000000061D000-memory.dmp

Filesize
2.1MB

Download
memory/6556-339-0x0000000000400000-0x000000000061D000-memory.dmp

Filesize
2.1MB

Download
memory/6564-202-0x0000000000400000-0x000000000061D000-memory.dmp

Filesize
2.1MB

Download
memory/6596-316-0x0000000000400000-0x000000000061D000-memory.dmp

Filesize
2.1MB

Download
memory/6636-211-0x0000000000400000-0x000000000061D000-memory.dmp

Filesize
2.1MB

Download
memory/6660-317-0x0000000000400000-0x000000000061D000-memory.dmp

Filesize
2.1MB

Download
memory/6672-251-0x0000000000400000-0x000000000061D000-memory.dmp

Filesize
2.1MB

Download
memory/6708-296-0x0000000000400000-0x000000000061D000-memory.dmp

Filesize
2.1MB

Download
memory/6736-337-0x0000000000400000-0x000000000061D000-memory.dmp

Filesize
2.1MB

Download
memory/6764-298-0x0000000000400000-0x000000000061D000-memory.dmp

Filesize
2.1MB

Download
memory/6788-324-0x0000000000400000-0x000000000061D000-memory.dmp

Filesize
2.1MB

Download
memory/6824-300-0x0000000000400000-0x000000000061D000-memory.dmp

Filesize
2.1MB

Download
memory/6836-301-0x0000000000400000-0x000000000061D000-memory.dmp

Filesize
2.1MB

Download
memory/6904-303-0x0000000000400000-0x000000000061D000-memory.dmp

Filesize
2.1MB

Download
memory/6920-304-0x0000000000400000-0x000000000061D000-memory.dmp

Filesize
2.1MB

Download
memory/6964-325-0x0000000000400000-0x000000000061D000-memory.dmp

Filesize
2.1MB

Download
memory/6980-307-0x0000000000400000-0x000000000061D000-memory.dmp

Filesize
2.1MB

Download
memory/6992-308-0x0000000000400000-0x000000000061D000-memory.dmp

Filesize
2.1MB

Download
memory/7040-334-0x0000000000400000-0x000000000061D000-memory.dmp

Filesize
2.1MB

Download
memory/7044-327-0x0000000000400000-0x000000000061D000-memory.dmp

Filesize
2.1MB

Download
memory/7056-309-0x0000000000400000-0x000000000061D000-memory.dmp

Filesize
2.1MB

Download
memory/7092-310-0x0000000000400000-0x000000000061D000-memory.dmp

Filesize
2.1MB

Download
memory/7124-338-0x0000000000400000-0x000000000061D000-memory.dmp

Filesize
2.1MB

Download
memory/7140-311-0x0000000000400000-0x000000000061D000-memory.dmp

Filesize
2.1MB

Download
memory/7160-312-0x0000000000400000-0x000000000061D000-memory.dmp

Filesize
2.1MB

Download
memory/7212-340-0x0000000000400000-0x000000000061D000-memory.dmp

Filesize
2.1MB

Download
memory/7248-341-0x0000000000400000-0x000000000061D000-memory.dmp

Filesize
2.1MB

Download
memory/7288-342-0x0000000000400000-0x000000000061D000-memory.dmp

Filesize
2.1MB

Download
memory/7324-343-0x0000000000400000-0x000000000061D000-memory.dmp

Filesize
2.1MB

Download
memory/9304-419-0x0000000000400000-0x000000000061D000-memory.dmp

Filesize
2.1MB

Download