modiloader | e82b397c6cb9555caeb62448771c6c2d1c1faee6969041bdca06e9b2eb1c087c

Analysis

max time kernel
36s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13-12-2024 00:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e8eca1a24d0eb575beb2dc01b6d01b64_JaffaCakes118.exe
Size

292KB
MD5

e8eca1a24d0eb575beb2dc01b6d01b64
SHA1

a1f389cd0b9488685316462ccef24b6e972dda05
SHA256

e82b397c6cb9555caeb62448771c6c2d1c1faee6969041bdca06e9b2eb1c087c
SHA512

b65e589c4d60c69c08e29a65bc55f0b648bae209afbb422246554b8cb516699a2757a4abeea79111307c3657839b676a2384077980701935a14e8b474f7e02fa
SSDEEP

6144:2DdmAid3w4AsdOty/2gfazN1qNsGoMbMESRzDKgI88/nLd:CEAidw4AS3/7fkb4oM4EADv8/nLd

Score

10^/10

modiloader discovery trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader

ModiLoader Second Stage 11 IoCs

resource	yara_rule
behavioral1/memory/2764-55-0x0000000000400000-0x000000000042B000-memory.dmp	modiloader_stage2
behavioral1/memory/2764-51-0x0000000000400000-0x000000000042B000-memory.dmp	modiloader_stage2
behavioral1/memory/2764-50-0x0000000000400000-0x000000000042B000-memory.dmp	modiloader_stage2
behavioral1/memory/2764-48-0x0000000000400000-0x000000000042B000-memory.dmp	modiloader_stage2
behavioral1/memory/2764-44-0x0000000000400000-0x000000000042B000-memory.dmp	modiloader_stage2
behavioral1/memory/2764-42-0x0000000000400000-0x000000000042B000-memory.dmp	modiloader_stage2
behavioral1/memory/2764-40-0x0000000000400000-0x000000000042B000-memory.dmp	modiloader_stage2
behavioral1/memory/2764-38-0x0000000000400000-0x000000000042B000-memory.dmp	modiloader_stage2
behavioral1/memory/2764-65-0x0000000000400000-0x000000000042B000-memory.dmp	modiloader_stage2
behavioral1/memory/1656-130-0x0000000000400000-0x000000000042B000-memory.dmp	modiloader_stage2
behavioral1/memory/2940-180-0x0000000000400000-0x000000000042B000-memory.dmp	modiloader_stage2

Deletes itself 1 IoCs

pid	Process
2692	cmd.exe

Executes dropped EXE 64 IoCs

pid	Process
2816	cgi-bin.exe
2764	cgi-bin.exe
3008	server.exe
2664	cgi-bin.exe
1656	cgi-bin.exe
1976	server.exe
1084	cgi-bin.exe
2940	cgi-bin.exe
1304	server.exe
700	cgi-bin.exe
2344	cgi-bin.exe
2064	server.exe
1752	cgi-bin.exe
2136	cgi-bin.exe
2604	server.exe
2600	cgi-bin.exe
1428	cgi-bin.exe
2752	server.exe
3008	cgi-bin.exe
1968	cgi-bin.exe
596	server.exe
1928	cgi-bin.exe
1236	cgi-bin.exe
1648	server.exe
2108	cgi-bin.exe
1816	cgi-bin.exe
2356	server.exe
2028	cgi-bin.exe
2700	cgi-bin.exe
2572	server.exe
2348	cgi-bin.exe
2140	cgi-bin.exe
1120	server.exe
2832	cgi-bin.exe
1400	cgi-bin.exe
1740	server.exe
2116	cgi-bin.exe
1984	cgi-bin.exe
1928	server.exe
2144	cgi-bin.exe
1356	cgi-bin.exe
1796	server.exe
1328	cgi-bin.exe
1748	cgi-bin.exe
2728	server.exe
2616	cgi-bin.exe
2584	cgi-bin.exe
576	server.exe
292	cgi-bin.exe
2072	cgi-bin.exe
784	server.exe
1660	cgi-bin.exe
1604	cgi-bin.exe
1812	server.exe
2328	cgi-bin.exe
2392	cgi-bin.exe
2456	server.exe
2840	cgi-bin.exe
1440	cgi-bin.exe
1680	server.exe
1336	cgi-bin.exe
2736	cgi-bin.exe
2428	server.exe
1616	cgi-bin.exe

Loads dropped DLL 64 IoCs

pid	Process
2112	e8eca1a24d0eb575beb2dc01b6d01b64_JaffaCakes118.exe
2112	e8eca1a24d0eb575beb2dc01b6d01b64_JaffaCakes118.exe
2816	cgi-bin.exe
3008	server.exe
3008	server.exe
2664	cgi-bin.exe
1656	cgi-bin.exe
1656	cgi-bin.exe
1976	server.exe
1976	server.exe
1084	cgi-bin.exe
2940	cgi-bin.exe
1304	server.exe
1304	server.exe
700	cgi-bin.exe
2344	cgi-bin.exe
2064	server.exe
2064	server.exe
1752	cgi-bin.exe
2136	cgi-bin.exe
2604	server.exe
2604	server.exe
2600	cgi-bin.exe
1428	cgi-bin.exe
2752	server.exe
2752	server.exe
3008	cgi-bin.exe
1968	cgi-bin.exe
596	server.exe
596	server.exe
1928	cgi-bin.exe
1236	cgi-bin.exe
1648	server.exe
1648	server.exe
2108	cgi-bin.exe
1816	cgi-bin.exe
2356	server.exe
2356	server.exe
2028	cgi-bin.exe
2700	cgi-bin.exe
2572	server.exe
2572	server.exe
2348	cgi-bin.exe
2140	cgi-bin.exe
1120	server.exe
1120	server.exe
2832	cgi-bin.exe
1400	cgi-bin.exe
1740	server.exe
1740	server.exe
2116	cgi-bin.exe
1984	cgi-bin.exe
1928	server.exe
1928	server.exe
2144	cgi-bin.exe
1356	cgi-bin.exe
1796	server.exe
1796	server.exe
1328	cgi-bin.exe
1748	cgi-bin.exe
2728	server.exe
2728	server.exe
2616	cgi-bin.exe
2584	cgi-bin.exe

Suspicious use of SetThreadContext 27 IoCs

description	pid	Process	procid_target
PID 2816 set thread context of 2764	2816	cgi-bin.exe	33
PID 2664 set thread context of 1656	2664	cgi-bin.exe	38
PID 1084 set thread context of 2940	1084	cgi-bin.exe	43
PID 700 set thread context of 2344	700	cgi-bin.exe	48
PID 1752 set thread context of 2136	1752	cgi-bin.exe	53
PID 2600 set thread context of 1428	2600	cgi-bin.exe	58
PID 3008 set thread context of 1968	3008	cgi-bin.exe	63
PID 1928 set thread context of 1236	1928	cgi-bin.exe	68
PID 2108 set thread context of 1816	2108	cgi-bin.exe	73
PID 2028 set thread context of 2700	2028	cgi-bin.exe	78
PID 2348 set thread context of 2140	2348	cgi-bin.exe	83
PID 2832 set thread context of 1400	2832	cgi-bin.exe	88
PID 2116 set thread context of 1984	2116	cgi-bin.exe	93
PID 2144 set thread context of 1356	2144	cgi-bin.exe	98
PID 1328 set thread context of 1748	1328	cgi-bin.exe	103
PID 2616 set thread context of 2584	2616	cgi-bin.exe	108
PID 292 set thread context of 2072	292	cgi-bin.exe	113
PID 1660 set thread context of 1604	1660	cgi-bin.exe	193
PID 2328 set thread context of 2392	2328	cgi-bin.exe	123
PID 2840 set thread context of 1440	2840	cgi-bin.exe	128
PID 1336 set thread context of 2736	1336	cgi-bin.exe	133
PID 1616 set thread context of 3012	1616	cgi-bin.exe	138
PID 1264 set thread context of 2876	1264	cgi-bin.exe	143
PID 1416 set thread context of 1956	1416	cgi-bin.exe	148
PID 1948 set thread context of 2464	1948	cgi-bin.exe	153
PID 3004 set thread context of 2616	3004	cgi-bin.exe	158
PID 812 set thread context of 1952	812	cgi-bin.exe	163

Drops file in Windows directory 28 IoCs

description	ioc	Process
File created	C:\Windows\server.exe	cgi-bin.exe
File created	C:\Windows\server.exe	cgi-bin.exe
File created	C:\Windows\server.exe	cgi-bin.exe
File created	C:\Windows\server.exe	cgi-bin.exe
File created	C:\Windows\server.exe	cgi-bin.exe
File created	C:\Windows\server.exe	cgi-bin.exe
File created	C:\Windows\server.exe	cgi-bin.exe
File created	C:\Windows\server.exe	cgi-bin.exe
File created	C:\Windows\server.exe	cgi-bin.exe
File created	C:\Windows\server.exe	cgi-bin.exe
File created	C:\Windows\server.exe	cgi-bin.exe
File created	C:\Windows\server.exe	cgi-bin.exe
File created	C:\Windows\server.exe	cgi-bin.exe
File created	C:\Windows\server.exe	cgi-bin.exe
File created	C:\Windows\server.exe	cgi-bin.exe
File created	C:\Windows\server.exe	cgi-bin.exe
File created	C:\Windows\server.exe	cgi-bin.exe
File created	C:\Windows\server.exe	cgi-bin.exe
File created	C:\Windows\server.exe	cgi-bin.exe
File created	C:\Windows\server.exe	cgi-bin.exe
File created	C:\Windows\server.exe	cgi-bin.exe
File created	C:\Windows\server.exe	cgi-bin.exe
File created	C:\Windows\server.exe	cgi-bin.exe
File created	C:\Windows\server.exe	cgi-bin.exe
File opened for modification	C:\Windows\server.exe	cgi-bin.exe
File created	C:\Windows\server.exe	cgi-bin.exe
File created	C:\Windows\server.exe	cgi-bin.exe
File created	C:\Windows\server.exe	cgi-bin.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cgi-bin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cgi-bin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cgi-bin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cgi-bin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cgi-bin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cgi-bin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cgi-bin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cgi-bin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cgi-bin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cgi-bin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cgi-bin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cgi-bin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cgi-bin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cgi-bin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cgi-bin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cgi-bin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cgi-bin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cgi-bin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cgi-bin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cgi-bin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cgi-bin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cgi-bin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cgi-bin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cgi-bin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cgi-bin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cgi-bin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cgi-bin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cgi-bin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cgi-bin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cgi-bin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cgi-bin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cgi-bin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cgi-bin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cgi-bin.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
1656	cgi-bin.exe
2940	cgi-bin.exe
2344	cgi-bin.exe
2136	cgi-bin.exe
1428	cgi-bin.exe
1968	cgi-bin.exe
1236	cgi-bin.exe
1816	cgi-bin.exe
2700	cgi-bin.exe
2140	cgi-bin.exe
1400	cgi-bin.exe
1984	cgi-bin.exe
1356	cgi-bin.exe
1748	cgi-bin.exe
2584	cgi-bin.exe
2072	cgi-bin.exe
1604	cgi-bin.exe
2392	cgi-bin.exe
1440	cgi-bin.exe
2736	cgi-bin.exe
3012	cgi-bin.exe
2876	cgi-bin.exe
1956	cgi-bin.exe
2464	cgi-bin.exe
2616	cgi-bin.exe
1952	cgi-bin.exe

Suspicious use of AdjustPrivilegeToken 54 IoCs

description	pid	Process
Token: SeDebugPrivilege	2112	e8eca1a24d0eb575beb2dc01b6d01b64_JaffaCakes118.exe
Token: SeDebugPrivilege	2816	cgi-bin.exe
Token: SeDebugPrivilege	3008	server.exe
Token: SeDebugPrivilege	2664	cgi-bin.exe
Token: SeDebugPrivilege	1976	server.exe
Token: SeDebugPrivilege	1084	cgi-bin.exe
Token: SeDebugPrivilege	1304	server.exe
Token: SeDebugPrivilege	700	cgi-bin.exe
Token: SeDebugPrivilege	2064	server.exe
Token: SeDebugPrivilege	1752	cgi-bin.exe
Token: SeDebugPrivilege	2604	server.exe
Token: SeDebugPrivilege	2600	cgi-bin.exe
Token: SeDebugPrivilege	2752	server.exe
Token: SeDebugPrivilege	3008	cgi-bin.exe
Token: SeDebugPrivilege	596	server.exe
Token: SeDebugPrivilege	1928	cgi-bin.exe
Token: SeDebugPrivilege	1648	server.exe
Token: SeDebugPrivilege	2108	cgi-bin.exe
Token: SeDebugPrivilege	2356	server.exe
Token: SeDebugPrivilege	2028	cgi-bin.exe
Token: SeDebugPrivilege	2572	server.exe
Token: SeDebugPrivilege	2348	cgi-bin.exe
Token: SeDebugPrivilege	1120	server.exe
Token: SeDebugPrivilege	2832	cgi-bin.exe
Token: SeDebugPrivilege	1740	server.exe
Token: SeDebugPrivilege	2116	cgi-bin.exe
Token: SeDebugPrivilege	1928	server.exe
Token: SeDebugPrivilege	2144	cgi-bin.exe
Token: SeDebugPrivilege	1796	server.exe
Token: SeDebugPrivilege	1328	cgi-bin.exe
Token: SeDebugPrivilege	2728	server.exe
Token: SeDebugPrivilege	2616	cgi-bin.exe
Token: SeDebugPrivilege	576	server.exe
Token: SeDebugPrivilege	292	cgi-bin.exe
Token: SeDebugPrivilege	784	server.exe
Token: SeDebugPrivilege	1660	cgi-bin.exe
Token: SeDebugPrivilege	1812	server.exe
Token: SeDebugPrivilege	2328	cgi-bin.exe
Token: SeDebugPrivilege	2456	server.exe
Token: SeDebugPrivilege	2840	cgi-bin.exe
Token: SeDebugPrivilege	1680	server.exe
Token: SeDebugPrivilege	1336	cgi-bin.exe
Token: SeDebugPrivilege	2428	server.exe
Token: SeDebugPrivilege	1616	cgi-bin.exe
Token: SeDebugPrivilege	572	server.exe
Token: SeDebugPrivilege	1264	cgi-bin.exe
Token: SeDebugPrivilege	2468	server.exe
Token: SeDebugPrivilege	1416	cgi-bin.exe
Token: SeDebugPrivilege	1720	server.exe
Token: SeDebugPrivilege	1948	cgi-bin.exe
Token: SeDebugPrivilege	2692	server.exe
Token: SeDebugPrivilege	3004	cgi-bin.exe
Token: SeDebugPrivilege	1048	server.exe
Token: SeDebugPrivilege	812	cgi-bin.exe

Suspicious use of SetWindowsHookEx 54 IoCs

pid	Process
2112	e8eca1a24d0eb575beb2dc01b6d01b64_JaffaCakes118.exe
2816	cgi-bin.exe
3008	server.exe
2664	cgi-bin.exe
1976	server.exe
1084	cgi-bin.exe
1304	server.exe
700	cgi-bin.exe
2064	server.exe
1752	cgi-bin.exe
2604	server.exe
2600	cgi-bin.exe
2752	server.exe
3008	cgi-bin.exe
596	server.exe
1928	cgi-bin.exe
1648	server.exe
2108	cgi-bin.exe
2356	server.exe
2028	cgi-bin.exe
2572	server.exe
2348	cgi-bin.exe
1120	server.exe
2832	cgi-bin.exe
1740	server.exe
2116	cgi-bin.exe
1928	server.exe
2144	cgi-bin.exe
1796	server.exe
1328	cgi-bin.exe
2728	server.exe
2616	cgi-bin.exe
576	server.exe
292	cgi-bin.exe
784	server.exe
1660	cgi-bin.exe
1812	server.exe
2328	cgi-bin.exe
2456	server.exe
2840	cgi-bin.exe
1680	server.exe
1336	cgi-bin.exe
2428	server.exe
1616	cgi-bin.exe
572	server.exe
1264	cgi-bin.exe
2468	server.exe
1416	cgi-bin.exe
1720	server.exe
1948	cgi-bin.exe
2692	server.exe
3004	cgi-bin.exe
1048	server.exe
812	cgi-bin.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2112 wrote to memory of 2816	2112	e8eca1a24d0eb575beb2dc01b6d01b64_JaffaCakes118.exe	30
PID 2112 wrote to memory of 2816	2112	e8eca1a24d0eb575beb2dc01b6d01b64_JaffaCakes118.exe	30
PID 2112 wrote to memory of 2816	2112	e8eca1a24d0eb575beb2dc01b6d01b64_JaffaCakes118.exe	30
PID 2112 wrote to memory of 2816	2112	e8eca1a24d0eb575beb2dc01b6d01b64_JaffaCakes118.exe	30
PID 2112 wrote to memory of 2692	2112	e8eca1a24d0eb575beb2dc01b6d01b64_JaffaCakes118.exe	31
PID 2112 wrote to memory of 2692	2112	e8eca1a24d0eb575beb2dc01b6d01b64_JaffaCakes118.exe	31
PID 2112 wrote to memory of 2692	2112	e8eca1a24d0eb575beb2dc01b6d01b64_JaffaCakes118.exe	31
PID 2112 wrote to memory of 2692	2112	e8eca1a24d0eb575beb2dc01b6d01b64_JaffaCakes118.exe	31
PID 2816 wrote to memory of 2764	2816	cgi-bin.exe	33
PID 2816 wrote to memory of 2764	2816	cgi-bin.exe	33
PID 2816 wrote to memory of 2764	2816	cgi-bin.exe	33
PID 2816 wrote to memory of 2764	2816	cgi-bin.exe	33
PID 2816 wrote to memory of 2764	2816	cgi-bin.exe	33
PID 2816 wrote to memory of 2764	2816	cgi-bin.exe	33
PID 2816 wrote to memory of 2764	2816	cgi-bin.exe	33
PID 2816 wrote to memory of 2764	2816	cgi-bin.exe	33
PID 2816 wrote to memory of 2764	2816	cgi-bin.exe	33
PID 2816 wrote to memory of 2764	2816	cgi-bin.exe	33
PID 2816 wrote to memory of 2764	2816	cgi-bin.exe	33
PID 2764 wrote to memory of 3008	2764	cgi-bin.exe	34
PID 2764 wrote to memory of 3008	2764	cgi-bin.exe	34
PID 2764 wrote to memory of 3008	2764	cgi-bin.exe	34
PID 2764 wrote to memory of 3008	2764	cgi-bin.exe	34
PID 3008 wrote to memory of 2664	3008	server.exe	35
PID 3008 wrote to memory of 2664	3008	server.exe	35
PID 3008 wrote to memory of 2664	3008	server.exe	35
PID 3008 wrote to memory of 2664	3008	server.exe	35
PID 3008 wrote to memory of 2368	3008	server.exe	36
PID 3008 wrote to memory of 2368	3008	server.exe	36
PID 3008 wrote to memory of 2368	3008	server.exe	36
PID 3008 wrote to memory of 2368	3008	server.exe	36
PID 2664 wrote to memory of 1656	2664	cgi-bin.exe	38
PID 2664 wrote to memory of 1656	2664	cgi-bin.exe	38
PID 2664 wrote to memory of 1656	2664	cgi-bin.exe	38
PID 2664 wrote to memory of 1656	2664	cgi-bin.exe	38
PID 2664 wrote to memory of 1656	2664	cgi-bin.exe	38
PID 2664 wrote to memory of 1656	2664	cgi-bin.exe	38
PID 2664 wrote to memory of 1656	2664	cgi-bin.exe	38
PID 2664 wrote to memory of 1656	2664	cgi-bin.exe	38
PID 2664 wrote to memory of 1656	2664	cgi-bin.exe	38
PID 2664 wrote to memory of 1656	2664	cgi-bin.exe	38
PID 2664 wrote to memory of 1656	2664	cgi-bin.exe	38
PID 1656 wrote to memory of 1976	1656	cgi-bin.exe	39
PID 1656 wrote to memory of 1976	1656	cgi-bin.exe	39
PID 1656 wrote to memory of 1976	1656	cgi-bin.exe	39
PID 1656 wrote to memory of 1976	1656	cgi-bin.exe	39
PID 1976 wrote to memory of 1084	1976	server.exe	40
PID 1976 wrote to memory of 1084	1976	server.exe	40
PID 1976 wrote to memory of 1084	1976	server.exe	40
PID 1976 wrote to memory of 1084	1976	server.exe	40
PID 1976 wrote to memory of 2392	1976	server.exe	41
PID 1976 wrote to memory of 2392	1976	server.exe	41
PID 1976 wrote to memory of 2392	1976	server.exe	41
PID 1976 wrote to memory of 2392	1976	server.exe	41
PID 1084 wrote to memory of 2940	1084	cgi-bin.exe	43
PID 1084 wrote to memory of 2940	1084	cgi-bin.exe	43
PID 1084 wrote to memory of 2940	1084	cgi-bin.exe	43
PID 1084 wrote to memory of 2940	1084	cgi-bin.exe	43
PID 1084 wrote to memory of 2940	1084	cgi-bin.exe	43
PID 1084 wrote to memory of 2940	1084	cgi-bin.exe	43
PID 1084 wrote to memory of 2940	1084	cgi-bin.exe	43
PID 1084 wrote to memory of 2940	1084	cgi-bin.exe	43
PID 1084 wrote to memory of 2940	1084	cgi-bin.exe	43
PID 1084 wrote to memory of 2940	1084	cgi-bin.exe	43

C:\Users\Admin\AppData\Local\Temp\e8eca1a24d0eb575beb2dc01b6d01b64_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e8eca1a24d0eb575beb2dc01b6d01b64_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2112
- C:\Users\Admin\appdata\local\temp\cgi-bin.exe
  "C:\Users\Admin\appdata\local\temp\cgi-bin.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2816
- - C:\Users\Admin\appdata\local\temp\cgi-bin.exe
    "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" c:\users\admin\appdata\local\temp\cgi-bin.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID:2764
  - - C:\Windows\server.exe
      "C:\Windows\server.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3008
    - - C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2664
      - C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" c:\users\admin\appdata\local\temp\cgi-bin.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1656
        
        C:\Users\Admin\AppData\Roaming\server.exe
        
        "C:\Users\Admin\AppData\Roaming\server.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1976
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1084
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" c:\users\admin\appdata\local\temp\cgi-bin.exe
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2940
        
        C:\Users\Admin\AppData\Roaming\server.exe
        
        "C:\Users\Admin\AppData\Roaming\server.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1304
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:700
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" c:\users\admin\appdata\local\temp\cgi-bin.exe
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2344
        
        C:\Users\Admin\AppData\Roaming\server.exe
        
        "C:\Users\Admin\AppData\Roaming\server.exe"
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2064
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe"
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1752
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" c:\users\admin\appdata\local\temp\cgi-bin.exe
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2136
        
        C:\Users\Admin\AppData\Roaming\server.exe
        
        "C:\Users\Admin\AppData\Roaming\server.exe"
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2604
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe"
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2600
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" c:\users\admin\appdata\local\temp\cgi-bin.exe
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1428
        
        C:\Users\Admin\AppData\Roaming\server.exe
        
        "C:\Users\Admin\AppData\Roaming\server.exe"
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2752
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe"
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:3008
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" c:\users\admin\appdata\local\temp\cgi-bin.exe
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1968
        
        C:\Users\Admin\AppData\Roaming\server.exe
        
        "C:\Users\Admin\AppData\Roaming\server.exe"
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:596
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe"
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1928
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" c:\users\admin\appdata\local\temp\cgi-bin.exe
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1236
        
        C:\Users\Admin\AppData\Roaming\server.exe
        
        "C:\Users\Admin\AppData\Roaming\server.exe"
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1648
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe"
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2108
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" c:\users\admin\appdata\local\temp\cgi-bin.exe
        27⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1816
        
        C:\Users\Admin\AppData\Roaming\server.exe
        
        "C:\Users\Admin\AppData\Roaming\server.exe"
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2356
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe"
        29⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2028
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" c:\users\admin\appdata\local\temp\cgi-bin.exe
        30⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2700
        
        C:\Users\Admin\AppData\Roaming\server.exe
        
        "C:\Users\Admin\AppData\Roaming\server.exe"
        31⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2572
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe"
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2348
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" c:\users\admin\appdata\local\temp\cgi-bin.exe
        33⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2140
        
        C:\Users\Admin\AppData\Roaming\server.exe
        
        "C:\Users\Admin\AppData\Roaming\server.exe"
        34⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1120
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe"
        35⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2832
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" c:\users\admin\appdata\local\temp\cgi-bin.exe
        36⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1400
        
        C:\Users\Admin\AppData\Roaming\server.exe
        
        "C:\Users\Admin\AppData\Roaming\server.exe"
        37⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1740
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe"
        38⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2116
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" c:\users\admin\appdata\local\temp\cgi-bin.exe
        39⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1984
        
        C:\Users\Admin\AppData\Roaming\server.exe
        
        "C:\Users\Admin\AppData\Roaming\server.exe"
        40⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1928
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe"
        41⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2144
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" c:\users\admin\appdata\local\temp\cgi-bin.exe
        42⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1356
        
        C:\Users\Admin\AppData\Roaming\server.exe
        
        "C:\Users\Admin\AppData\Roaming\server.exe"
        43⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1796
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe"
        44⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1328
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" c:\users\admin\appdata\local\temp\cgi-bin.exe
        45⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1748
        
        C:\Users\Admin\AppData\Roaming\server.exe
        
        "C:\Users\Admin\AppData\Roaming\server.exe"
        46⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2728
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe"
        47⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2616
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" c:\users\admin\appdata\local\temp\cgi-bin.exe
        48⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2584
        
        C:\Users\Admin\AppData\Roaming\server.exe
        
        "C:\Users\Admin\AppData\Roaming\server.exe"
        49⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:576
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe"
        50⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:292
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" c:\users\admin\appdata\local\temp\cgi-bin.exe
        51⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2072
        
        C:\Users\Admin\AppData\Roaming\server.exe
        
        "C:\Users\Admin\AppData\Roaming\server.exe"
        52⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:784
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe"
        53⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1660
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" c:\users\admin\appdata\local\temp\cgi-bin.exe
        54⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1604
        
        C:\Users\Admin\AppData\Roaming\server.exe
        
        "C:\Users\Admin\AppData\Roaming\server.exe"
        55⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1812
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe"
        56⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2328
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" c:\users\admin\appdata\local\temp\cgi-bin.exe
        57⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2392
        
        C:\Users\Admin\AppData\Roaming\server.exe
        
        "C:\Users\Admin\AppData\Roaming\server.exe"
        58⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2456
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe"
        59⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2840
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" c:\users\admin\appdata\local\temp\cgi-bin.exe
        60⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1440
        
        C:\Users\Admin\AppData\Roaming\server.exe
        
        "C:\Users\Admin\AppData\Roaming\server.exe"
        61⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1680
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe"
        62⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1336
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" c:\users\admin\appdata\local\temp\cgi-bin.exe
        63⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2736
        
        C:\Users\Admin\AppData\Roaming\server.exe
        
        "C:\Users\Admin\AppData\Roaming\server.exe"
        64⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2428
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe"
        65⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1616
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" c:\users\admin\appdata\local\temp\cgi-bin.exe
        66⤵
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:3012
        
        C:\Users\Admin\AppData\Roaming\server.exe
        
        "C:\Users\Admin\AppData\Roaming\server.exe"
        67⤵
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:572
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe"
        68⤵
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1264
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" c:\users\admin\appdata\local\temp\cgi-bin.exe
        69⤵
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2876
        
        C:\Users\Admin\AppData\Roaming\server.exe
        
        "C:\Users\Admin\AppData\Roaming\server.exe"
        70⤵
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2468
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe"
        71⤵
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1416
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" c:\users\admin\appdata\local\temp\cgi-bin.exe
        72⤵
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1956
        
        C:\Users\Admin\AppData\Roaming\server.exe
        
        "C:\Users\Admin\AppData\Roaming\server.exe"
        73⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1720
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe"
        74⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1948
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" c:\users\admin\appdata\local\temp\cgi-bin.exe
        75⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2464
        
        C:\Users\Admin\AppData\Roaming\server.exe
        
        "C:\Users\Admin\AppData\Roaming\server.exe"
        76⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2692
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe"
        77⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:3004
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" c:\users\admin\appdata\local\temp\cgi-bin.exe
        78⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2616
        
        C:\Users\Admin\AppData\Roaming\server.exe
        
        "C:\Users\Admin\AppData\Roaming\server.exe"
        79⤵
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1048
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe"
        80⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:812
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" c:\users\admin\appdata\local\temp\cgi-bin.exe
        81⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1952
        
        C:\Users\Admin\AppData\Roaming\server.exe
        
        "C:\Users\Admin\AppData\Roaming\server.exe"
        82⤵
        
        PID:2076
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe"
        83⤵
        
        PID:2648
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" c:\users\admin\appdata\local\temp\cgi-bin.exe
        84⤵
        
        PID:2284
        
        C:\Users\Admin\AppData\Roaming\server.exe
        
        "C:\Users\Admin\AppData\Roaming\server.exe"
        85⤵
        
        PID:2060
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe"
        86⤵
        
        PID:2992
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" c:\users\admin\appdata\local\temp\cgi-bin.exe
        87⤵
        
        PID:1416
        
        C:\Users\Admin\AppData\Roaming\server.exe
        
        "C:\Users\Admin\AppData\Roaming\server.exe"
        88⤵
        
        PID:872
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe"
        89⤵
        
        PID:896
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" c:\users\admin\appdata\local\temp\cgi-bin.exe
        90⤵
        
        PID:2836
        
        C:\Users\Admin\AppData\Roaming\server.exe
        
        "C:\Users\Admin\AppData\Roaming\server.exe"
        91⤵
        
        PID:1680
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe"
        92⤵
        
        PID:800
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" c:\users\admin\appdata\local\temp\cgi-bin.exe1
        93⤵
        
        PID:1564
        
        C:\Users\Admin\AppData\Roaming\server.exe
        
        "C:\Users\Admin\AppData\Roaming\server.exe"
        94⤵
        
        PID:1992
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe"
        95⤵
        
        PID:1972
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" c:\users\admin\appdata\local\temp\cgi-bin.exe
        96⤵
        
        PID:2340
        
        C:\Users\Admin\AppData\Roaming\server.exe
        
        "C:\Users\Admin\AppData\Roaming\server.exe"
        97⤵
        
        PID:660
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe"
        98⤵
        
        PID:296
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" c:\users\admin\appdata\local\temp\cgi-bin.exe
        99⤵
        
        PID:1604
        
        C:\Users\Admin\AppData\Roaming\server.exe
        
        "C:\Users\Admin\AppData\Roaming\server.exe"
        100⤵
        
        PID:1792
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe"
        101⤵
        
        PID:2052
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" c:\users\admin\appdata\local\temp\cgi-bin.exe
        102⤵
        
        PID:2708
        
        C:\Users\Admin\AppData\Roaming\server.exe
        
        "C:\Users\Admin\AppData\Roaming\server.exe"
        103⤵
        
        PID:2572
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe"
        104⤵
        
        PID:2236
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" c:\users\admin\appdata\local\temp\cgi-bin.exe
        105⤵
        
        PID:2504
        
        C:\Users\Admin\AppData\Roaming\server.exe
        
        "C:\Users\Admin\AppData\Roaming\server.exe"
        106⤵
        
        PID:1980
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe"
        107⤵
        
        PID:2348
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" c:\users\admin\appdata\local\temp\cgi-bin.exe
        108⤵
        
        PID:2624
        
        C:\Users\Admin\AppData\Roaming\server.exe
        
        "C:\Users\Admin\AppData\Roaming\server.exe"
        109⤵
        
        PID:2892
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe"
        110⤵
        
        PID:1516
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" c:\users\admin\appdata\local\temp\cgi-bin.exe
        111⤵
        
        PID:2920
        
        C:\Users\Admin\AppData\Roaming\server.exe
        
        "C:\Users\Admin\AppData\Roaming\server.exe"
        112⤵
        
        PID:2676
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe"
        113⤵
        
        PID:1724
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" c:\users\admin\appdata\local\temp\cgi-bin.exe
        114⤵
        
        PID:3048
        
        C:\Users\Admin\AppData\Roaming\server.exe
        
        "C:\Users\Admin\AppData\Roaming\server.exe"
        115⤵
        
        PID:2540
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe"
        116⤵
        
        PID:2992
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" c:\users\admin\appdata\local\temp\cgi-bin.exe
        117⤵
        
        PID:1028
        
        C:\Users\Admin\AppData\Roaming\server.exe
        
        "C:\Users\Admin\AppData\Roaming\server.exe"
        118⤵
        
        PID:2036
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe"
        119⤵
        
        PID:1328
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" c:\users\admin\appdata\local\temp\cgi-bin.exe
        120⤵
        
        PID:2728
        
        C:\Users\Admin\AppData\Roaming\server.exe
        
        "C:\Users\Admin\AppData\Roaming\server.exe"
        121⤵
        
        PID:1336
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe"
        122⤵
        
        PID:616
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" c:\users\admin\appdata\local\temp\cgi-bin.exe
        123⤵
        
        PID:2576
        
        C:\Users\Admin\AppData\Roaming\server.exe
        
        "C:\Users\Admin\AppData\Roaming\server.exe"
        124⤵
        
        PID:1468
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe"
        125⤵
        
        PID:308
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" c:\users\admin\appdata\local\temp\cgi-bin.exe
        126⤵
        
        PID:1048
        
        C:\Users\Admin\AppData\Roaming\server.exe
        
        "C:\Users\Admin\AppData\Roaming\server.exe"
        127⤵
        
        PID:3024
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe"
        128⤵
        
        PID:2060
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" c:\users\admin\appdata\local\temp\cgi-bin.exe
        129⤵
        
        PID:2328
        
        C:\Users\Admin\AppData\Roaming\server.exe
        
        "C:\Users\Admin\AppData\Roaming\server.exe"
        130⤵
        
        PID:1792
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe"
        131⤵
        
        PID:2816
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" c:\users\admin\appdata\local\temp\cgi-bin.exe
        132⤵
        
        PID:2384
        
        C:\Users\Admin\AppData\Roaming\server.exe
        
        "C:\Users\Admin\AppData\Roaming\server.exe"
        133⤵
        
        PID:1316
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe"
        134⤵
        
        PID:1980
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" c:\users\admin\appdata\local\temp\cgi-bin.exe
        135⤵
        
        PID:2648
        
        C:\Users\Admin\AppData\Roaming\server.exe
        
        "C:\Users\Admin\AppData\Roaming\server.exe"
        136⤵
        
        PID:2664
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe"
        137⤵
        
        PID:2756
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" c:\users\admin\appdata\local\temp\cgi-bin.exe
        138⤵
        
        PID:484
        
        C:\Users\Admin\AppData\Roaming\server.exe
        
        "C:\Users\Admin\AppData\Roaming\server.exe"
        139⤵
        
        PID:2456
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe"
        140⤵
        
        PID:1044
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" c:\users\admin\appdata\local\temp\cgi-bin.exe
        141⤵
        
        PID:2468
        
        C:\Users\Admin\AppData\Roaming\server.exe
        
        "C:\Users\Admin\AppData\Roaming\server.exe"
        142⤵
        
        PID:2208
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe"
        143⤵
        
        PID:1644
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" c:\users\admin\appdata\local\temp\cgi-bin.exe
        144⤵
        
        PID:2760
        
        C:\Users\Admin\AppData\Roaming\server.exe
        
        "C:\Users\Admin\AppData\Roaming\server.exe"
        145⤵
        
        PID:340
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe"
        146⤵
        
        PID:1648
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" c:\users\admin\appdata\local\temp\cgi-bin.exe
        147⤵
        
        PID:1804
        
        C:\Users\Admin\AppData\Roaming\server.exe
        
        "C:\Users\Admin\AppData\Roaming\server.exe"
        148⤵
        
        PID:1948
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe"
        149⤵
        
        PID:872
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" c:\users\admin\appdata\local\temp\cgi-bin.exe
        150⤵
        
        PID:1684
        
        C:\Users\Admin\AppData\Roaming\server.exe
        
        "C:\Users\Admin\AppData\Roaming\server.exe"
        151⤵
        
        PID:2556
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe"
        152⤵
        
        PID:2040
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" c:\users\admin\appdata\local\temp\cgi-bin.exe
        153⤵
        
        PID:2056
        
        C:\Users\Admin\AppData\Roaming\server.exe
        
        "C:\Users\Admin\AppData\Roaming\server.exe"
        154⤵
        
        PID:1304
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe"
        155⤵
        
        PID:1976
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" c:\users\admin\appdata\local\temp\cgi-bin.exe
        156⤵
        
        PID:2060
        
        C:\Users\Admin\AppData\Roaming\server.exe
        
        "C:\Users\Admin\AppData\Roaming\server.exe"
        157⤵
        
        PID:768
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe"
        158⤵
        
        PID:2772
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" c:\users\admin\appdata\local\temp\cgi-bin.exe
        159⤵
        
        PID:1900
        
        C:\Users\Admin\AppData\Roaming\server.exe
        
        "C:\Users\Admin\AppData\Roaming\server.exe"
        160⤵
        
        PID:568
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe"
        161⤵
        
        PID:2848
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" c:\users\admin\appdata\local\temp\cgi-bin.exe«
        162⤵
        
        PID:2116
        
        C:\Users\Admin\AppData\Roaming\server.exe
        
        "C:\Users\Admin\AppData\Roaming\server.exe"
        163⤵
        
        PID:2824
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe"
        164⤵
        
        PID:680
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" c:\users\admin\appdata\local\temp\cgi-bin.exe
        165⤵
        
        PID:2888
        
        C:\Users\Admin\AppData\Roaming\server.exe
        
        "C:\Users\Admin\AppData\Roaming\server.exe"
        166⤵
        
        PID:1468
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe"
        167⤵
        
        PID:1480
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" c:\users\admin\appdata\local\temp\cgi-bin.exe
        168⤵
        
        PID:632
        
        C:\Users\Admin\AppData\Roaming\server.exe
        
        "C:\Users\Admin\AppData\Roaming\server.exe"
        169⤵
        
        PID:2312
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe"
        170⤵
        
        PID:1852
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" c:\users\admin\appdata\local\temp\cgi-bin.exe
        171⤵
        
        PID:268
        
        C:\Users\Admin\AppData\Roaming\server.exe
        
        "C:\Users\Admin\AppData\Roaming\server.exe"
        172⤵
        
        PID:1668
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe"
        173⤵
        
        PID:1864
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" c:\users\admin\appdata\local\temp\cgi-bin.exe
        174⤵
        
        PID:2604
        
        C:\Users\Admin\AppData\Roaming\server.exe
        
        "C:\Users\Admin\AppData\Roaming\server.exe"
        175⤵
        
        PID:1712
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe"
        176⤵
        
        PID:1760
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" c:\users\admin\appdata\local\temp\cgi-bin.exe
        177⤵
        
        PID:2572
        
        C:\Users\Admin\AppData\Roaming\server.exe
        
        "C:\Users\Admin\AppData\Roaming\server.exe"
        178⤵
        
        PID:1692
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe"
        179⤵
        
        PID:928
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" c:\users\admin\appdata\local\temp\cgi-bin.exe
        180⤵
        
        PID:1300
        
        C:\Users\Admin\AppData\Roaming\server.exe
        
        "C:\Users\Admin\AppData\Roaming\server.exe"
        181⤵
        
        PID:2688
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe"
        182⤵
        
        PID:2204
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" c:\users\admin\appdata\local\temp\cgi-bin.exe
        183⤵
        
        PID:2704
        
        C:\Users\Admin\AppData\Roaming\server.exe
        
        "C:\Users\Admin\AppData\Roaming\server.exe"
        184⤵
        
        PID:2696
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe"
        185⤵
        
        PID:2676
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" c:\users\admin\appdata\local\temp\cgi-bin.exe
        186⤵
        
        PID:2520
        
        C:\Users\Admin\AppData\Roaming\server.exe
        
        "C:\Users\Admin\AppData\Roaming\server.exe"
        187⤵
        
        PID:2304
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe"
        188⤵
        
        PID:1696
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" c:\users\admin\appdata\local\temp\cgi-bin.exe
        189⤵
        
        PID:1644
        
        C:\Users\Admin\AppData\Roaming\server.exe
        
        "C:\Users\Admin\AppData\Roaming\server.exe"
        190⤵
        
        PID:1864
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe"
        191⤵
        
        PID:3032
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" c:\users\admin\appdata\local\temp\cgi-bin.exe
        192⤵
        
        PID:1296
        
        C:\Users\Admin\AppData\Roaming\server.exe
        
        "C:\Users\Admin\AppData\Roaming\server.exe"
        193⤵
        
        PID:580
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe"
        194⤵
        
        PID:2828
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" c:\users\admin\appdata\local\temp\cgi-bin.exe
        195⤵
        
        PID:1032
        
        C:\Users\Admin\AppData\Roaming\server.exe
        
        "C:\Users\Admin\AppData\Roaming\server.exe"
        196⤵
        
        PID:2040
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe"
        197⤵
        
        PID:2452
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" c:\users\admin\appdata\local\temp\cgi-bin.exe
        198⤵
        
        PID:1704
        
        C:\Users\Admin\AppData\Roaming\server.exe
        
        "C:\Users\Admin\AppData\Roaming\server.exe"
        199⤵
        
        PID:1648
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe"
        200⤵
        
        PID:1288
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" c:\users\admin\appdata\local\temp\cgi-bin.exe
        201⤵
        
        PID:2944
        
        C:\Users\Admin\AppData\Roaming\server.exe
        
        "C:\Users\Admin\AppData\Roaming\server.exe"
        202⤵
        
        PID:1040
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe"
        203⤵
        
        PID:2792
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" c:\users\admin\appdata\local\temp\cgi-bin.exe
        204⤵
        
        PID:2596
        
        C:\Users\Admin\AppData\Roaming\server.exe
        
        "C:\Users\Admin\AppData\Roaming\server.exe"
        205⤵
        
        PID:892
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe"
        206⤵
        
        PID:1380
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" c:\users\admin\appdata\local\temp\cgi-bin.exe
        207⤵
        
        PID:1196
        
        C:\Users\Admin\AppData\Roaming\server.exe
        
        "C:\Users\Admin\AppData\Roaming\server.exe"
        208⤵
        
        PID:2784
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe"
        209⤵
        
        PID:2288
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" c:\users\admin\appdata\local\temp\cgi-bin.exe
        210⤵
        
        PID:380
        
        C:\Users\Admin\AppData\Roaming\server.exe
        
        "C:\Users\Admin\AppData\Roaming\server.exe"
        211⤵
        
        PID:1928
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe"
        212⤵
        
        PID:2672
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" c:\users\admin\appdata\local\temp\cgi-bin.exe
        213⤵
        
        PID:1688
        
        C:\Users\Admin\AppData\Roaming\server.exe
        
        "C:\Users\Admin\AppData\Roaming\server.exe"
        214⤵
        
        PID:2420
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe"
        215⤵
        
        PID:2208
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" c:\users\admin\appdata\local\temp\cgi-bin.exe
        216⤵
        
        PID:2500
        
        C:\Users\Admin\AppData\Roaming\server.exe
        
        "C:\Users\Admin\AppData\Roaming\server.exe"
        217⤵
        
        PID:2064
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe"
        218⤵
        
        PID:2820
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" c:\users\admin\appdata\local\temp\cgi-bin.exe
        219⤵
        
        PID:2724
        
        C:\Users\Admin\AppData\Roaming\server.exe
        
        "C:\Users\Admin\AppData\Roaming\server.exe"
        220⤵
        
        PID:1508
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe"
        221⤵
        
        PID:2932
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" c:\users\admin\appdata\local\temp\cgi-bin.exe
        222⤵
        
        PID:1492
        
        C:\Users\Admin\AppData\Roaming\server.exe
        
        "C:\Users\Admin\AppData\Roaming\server.exe"
        223⤵
        
        PID:1776
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe"
        224⤵
        
        PID:2068
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" c:\users\admin\appdata\local\temp\cgi-bin.exe
        225⤵
        
        PID:1444
        
        C:\Users\Admin\AppData\Roaming\server.exe
        
        "C:\Users\Admin\AppData\Roaming\server.exe"
        226⤵
        
        PID:1248
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe"
        227⤵
        
        PID:2956
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" c:\users\admin\appdata\local\temp\cgi-bin.exe
        228⤵
        
        PID:2020
        
        C:\Users\Admin\AppData\Roaming\server.exe
        
        "C:\Users\Admin\AppData\Roaming\server.exe"
        229⤵
        
        PID:2968
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe"
        230⤵
        
        PID:2676
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" c:\users\admin\appdata\local\temp\cgi-bin.exe
        231⤵
        
        PID:2456
        
        C:\Users\Admin\AppData\Roaming\server.exe
        
        "C:\Users\Admin\AppData\Roaming\server.exe"
        232⤵
        
        PID:1764
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe"
        233⤵
        
        PID:2064
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" c:\users\admin\appdata\local\temp\cgi-bin.exe
        234⤵
        
        PID:616
        
        C:\Users\Admin\AppData\Roaming\server.exe
        
        "C:\Users\Admin\AppData\Roaming\server.exe"
        235⤵
        
        PID:2976
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe"
        236⤵
        
        PID:536
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" c:\users\admin\appdata\local\temp\cgi-bin.exe
        237⤵
        
        PID:2952
        
        C:\Users\Admin\AppData\Roaming\server.exe
        
        "C:\Users\Admin\AppData\Roaming\server.exe"
        238⤵
        
        PID:812
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe"
        239⤵
        
        PID:1480
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" c:\users\admin\appdata\local\temp\cgi-bin.exe
        240⤵
        
        PID:2068
        
        C:\Users\Admin\AppData\Roaming\server.exe
        
        "C:\Users\Admin\AppData\Roaming\server.exe"
        241⤵
        
        PID:1568
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe"
        242⤵
        
        PID:1304
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" c:\users\admin\appdata\local\temp\cgi-bin.exe
        243⤵
        
        PID:1092
        
        C:\Users\Admin\AppData\Roaming\server.exe
        
        "C:\Users\Admin\AppData\Roaming\server.exe"
        244⤵
        
        PID:1328
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe"
        245⤵
        
        PID:2912
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" c:\users\admin\appdata\local\temp\cgi-bin.exe
        246⤵
        
        PID:568
        
        C:\Users\Admin\AppData\Roaming\server.exe
        
        "C:\Users\Admin\AppData\Roaming\server.exe"
        247⤵
        
        PID:1316
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe"
        248⤵
        
        PID:2508
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" c:\users\admin\appdata\local\temp\cgi-bin.exe
        249⤵
        
        PID:2316
        
        C:\Users\Admin\AppData\Roaming\server.exe
        
        "C:\Users\Admin\AppData\Roaming\server.exe"
        250⤵
        
        PID:2092
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe"
        251⤵
        
        PID:1908
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" c:\users\admin\appdata\local\temp\cgi-bin.exe1
        252⤵
        
        PID:2804
        
        C:\Users\Admin\AppData\Roaming\server.exe
        
        "C:\Users\Admin\AppData\Roaming\server.exe"
        253⤵
        
        PID:2844
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe"
        254⤵
        
        PID:2188
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" c:\users\admin\appdata\local\temp\cgi-bin.exe
        255⤵
        
        PID:1628
        
        C:\Users\Admin\AppData\Roaming\server.exe
        
        "C:\Users\Admin\AppData\Roaming\server.exe"
        256⤵
        
        PID:2812
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe"
        257⤵
        
        PID:2556
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" c:\users\admin\appdata\local\temp\cgi-bin.exe
        258⤵
        
        PID:2756
        
        C:\Users\Admin\AppData\Roaming\server.exe
        
        "C:\Users\Admin\AppData\Roaming\server.exe"
        259⤵
        
        PID:1524
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe"
        260⤵
        
        PID:1764
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" c:\users\admin\appdata\local\temp\cgi-bin.exe
        261⤵
        
        PID:2796
        
        C:\Users\Admin\AppData\Roaming\server.exe
        
        "C:\Users\Admin\AppData\Roaming\server.exe"
        262⤵
        
        PID:924
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe"
        263⤵
        
        PID:2852
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" c:\users\admin\appdata\local\temp\cgi-bin.exe1
        264⤵
        
        PID:2296
        
        C:\Users\Admin\AppData\Roaming\server.exe
        
        "C:\Users\Admin\AppData\Roaming\server.exe"
        265⤵
        
        PID:2996
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe"
        266⤵
        
        PID:1760
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" c:\users\admin\appdata\local\temp\cgi-bin.exe
        267⤵
        
        PID:2228
        
        C:\Users\Admin\AppData\Roaming\server.exe
        
        "C:\Users\Admin\AppData\Roaming\server.exe"
        268⤵
        
        PID:1724
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe"
        269⤵
        
        PID:1976
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" c:\users\admin\appdata\local\temp\cgi-bin.exe
        270⤵
        
        PID:2524
        
        C:\Users\Admin\AppData\Roaming\server.exe
        
        "C:\Users\Admin\AppData\Roaming\server.exe"
        271⤵
        
        PID:2220
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe"
        272⤵
        
        PID:1364
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" c:\users\admin\appdata\local\temp\cgi-bin.exe
        273⤵
        
        PID:2884
        
        C:\Users\Admin\AppData\Roaming\server.exe
        
        "C:\Users\Admin\AppData\Roaming\server.exe"
        274⤵
        
        PID:2792
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe"
        275⤵
        
        PID:1380
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" c:\users\admin\appdata\local\temp\cgi-bin.exe
        276⤵
        
        PID:2824
        
        C:\Users\Admin\AppData\Roaming\server.exe
        
        "C:\Users\Admin\AppData\Roaming\server.exe"
        277⤵
        
        PID:2744
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe"
        278⤵
        
        PID:996
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" c:\users\admin\appdata\local\temp\cgi-bin.exe
        279⤵
        
        PID:1580
        
        C:\Users\Admin\AppData\Roaming\server.exe
        
        "C:\Users\Admin\AppData\Roaming\server.exe"
        280⤵
        
        PID:2336
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe"
        281⤵
        
        PID:1704
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" c:\users\admin\appdata\local\temp\cgi-bin.exe
        282⤵
        
        PID:2872
        
        C:\Users\Admin\AppData\Roaming\server.exe
        
        "C:\Users\Admin\AppData\Roaming\server.exe"
        283⤵
        
        PID:1756
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe"
        284⤵
        
        PID:2592
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" c:\users\admin\appdata\local\temp\cgi-bin.exe
        285⤵
        
        PID:1500
        
        C:\Users\Admin\AppData\Roaming\server.exe
        
        "C:\Users\Admin\AppData\Roaming\server.exe"
        286⤵
        
        PID:948
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe"
        287⤵
        
        PID:3040
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" c:\users\admin\appdata\local\temp\cgi-bin.exe
        288⤵
        
        PID:1752
        
        C:\Users\Admin\AppData\Roaming\server.exe
        
        "C:\Users\Admin\AppData\Roaming\server.exe"
        289⤵
        
        PID:2508
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe"
        290⤵
        
        PID:1468
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" c:\users\admin\appdata\local\temp\cgi-bin.exe
        291⤵
        
        PID:2012
        
        C:\Users\Admin\AppData\Roaming\server.exe
        
        "C:\Users\Admin\AppData\Roaming\server.exe"
        292⤵
        
        PID:2184
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe"
        293⤵
        
        PID:996
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" c:\users\admin\appdata\local\temp\cgi-bin.exe
        294⤵
        
        PID:3000
        
        C:\Users\Admin\AppData\Roaming\server.exe
        
        "C:\Users\Admin\AppData\Roaming\server.exe"
        295⤵
        
        PID:2956
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe"
        296⤵
        
        PID:2808
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" c:\users\admin\appdata\local\temp\cgi-bin.exe
        297⤵
        
        PID:836
        
        C:\Users\Admin\AppData\Roaming\server.exe
        
        "C:\Users\Admin\AppData\Roaming\server.exe"
        298⤵
        
        PID:1668
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe"
        299⤵
        
        PID:1696
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" c:\users\admin\appdata\local\temp\cgi-bin.exe
        300⤵
        
        PID:2084
        
        C:\Users\Admin\AppData\Roaming\server.exe
        
        "C:\Users\Admin\AppData\Roaming\server.exe"
        301⤵
        
        PID:620
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe"
        302⤵
        
        PID:2568
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" c:\users\admin\appdata\local\temp\cgi-bin.exe
        303⤵
        
        PID:1344
        
        C:\Users\Admin\AppData\Roaming\server.exe
        
        "C:\Users\Admin\AppData\Roaming\server.exe"
        304⤵
        
        PID:2816
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe"
        305⤵
        
        PID:2828
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" c:\users\admin\appdata\local\temp\cgi-bin.exe
        306⤵
        
        PID:2348
        
        C:\Users\Admin\AppData\Roaming\server.exe
        
        "C:\Users\Admin\AppData\Roaming\server.exe"
        307⤵
        
        PID:184
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe"
        308⤵
        
        PID:1704
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" c:\users\admin\appdata\local\temp\cgi-bin.exe
        309⤵
        
        PID:2216
        
        C:\Users\Admin\AppData\Roaming\server.exe
        
        "C:\Users\Admin\AppData\Roaming\server.exe"
        310⤵
        
        PID:2320
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe"
        311⤵
        
        PID:2444
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" c:\users\admin\appdata\local\temp\cgi-bin.exe
        312⤵
        
        PID:2904
        
        C:\Users\Admin\AppData\Roaming\server.exe
        
        "C:\Users\Admin\AppData\Roaming\server.exe"
        313⤵
        
        PID:2480
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe"
        314⤵
        
        PID:2860
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" c:\users\admin\appdata\local\temp\cgi-bin.exe¨
        315⤵
        
        PID:2612
        
        C:\Users\Admin\AppData\Roaming\server.exe
        
        "C:\Users\Admin\AppData\Roaming\server.exe"
        316⤵
        
        PID:892
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe"
        317⤵
        
        PID:2040
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" c:\users\admin\appdata\local\temp\cgi-bin.exe
        318⤵
        
        PID:2232
        
        C:\Users\Admin\AppData\Roaming\server.exe
        
        "C:\Users\Admin\AppData\Roaming\server.exe"
        319⤵
        
        PID:2112
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe"
        320⤵
        
        PID:2160
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" c:\users\admin\appdata\local\temp\cgi-bin.exe
        321⤵
        
        PID:996
        
        C:\Users\Admin\AppData\Roaming\server.exe
        
        "C:\Users\Admin\AppData\Roaming\server.exe"
        322⤵
        
        PID:800
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe"
        323⤵
        
        PID:2708
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" c:\users\admin\appdata\local\temp\cgi-bin.exe
        324⤵
        
        PID:1524
        
        C:\Users\Admin\AppData\Roaming\server.exe
        
        "C:\Users\Admin\AppData\Roaming\server.exe"
        325⤵
        
        PID:2884
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe"
        326⤵
        
        PID:1304
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" c:\users\admin\appdata\local\temp\cgi-bin.exe
        327⤵
        
        PID:2932
        
        C:\Users\Admin\AppData\Roaming\server.exe
        
        "C:\Users\Admin\AppData\Roaming\server.exe"
        328⤵
        
        PID:2628
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe"
        329⤵
        
        PID:1360
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" c:\users\admin\appdata\local\temp\cgi-bin.exe
        330⤵
        
        PID:2040
        
        C:\Users\Admin\AppData\Roaming\server.exe
        
        "C:\Users\Admin\AppData\Roaming\server.exe"
        331⤵
        
        PID:2364
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe"
        332⤵
        
        PID:1328
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" c:\users\admin\appdata\local\temp\cgi-bin.exe
        333⤵
        
        PID:1680
        
        C:\Users\Admin\AppData\Roaming\server.exe
        
        "C:\Users\Admin\AppData\Roaming\server.exe"
        334⤵
        
        PID:2592
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe"
        335⤵
        
        PID:2444
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" c:\users\admin\appdata\local\temp\cgi-bin.exe
        336⤵
        
        PID:2212
        
        C:\Users\Admin\AppData\Roaming\server.exe
        
        "C:\Users\Admin\AppData\Roaming\server.exe"
        337⤵
        
        PID:2792
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe"
        338⤵
        
        PID:1776
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" c:\users\admin\appdata\local\temp\cgi-bin.exe
        339⤵
        
        PID:1468
        
        C:\Users\Admin\AppData\Roaming\server.exe
        
        "C:\Users\Admin\AppData\Roaming\server.exe"
        340⤵
        
        PID:680
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe"
        341⤵
        
        PID:1692
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" c:\users\admin\appdata\local\temp\cgi-bin.exe
        342⤵
        
        PID:1516
        
        C:\Users\Admin\AppData\Roaming\server.exe
        
        "C:\Users\Admin\AppData\Roaming\server.exe"
        343⤵
        
        PID:2788
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe"
        344⤵
        
        PID:2608
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" c:\users\admin\appdata\local\temp\cgi-bin.exe
        345⤵
        
        PID:912
        
        C:\Users\Admin\AppData\Roaming\server.exe
        
        "C:\Users\Admin\AppData\Roaming\server.exe"
        346⤵
        
        PID:1316
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe"
        347⤵
        
        PID:2968
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" c:\users\admin\appdata\local\temp\cgi-bin.exe
        348⤵
        
        PID:2636
        
        C:\Users\Admin\AppData\Roaming\server.exe
        
        "C:\Users\Admin\AppData\Roaming\server.exe"
        349⤵
        
        PID:2056
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe"
        350⤵
        
        PID:2928
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" c:\users\admin\appdata\local\temp\cgi-bin.exe
        351⤵
        
        PID:2840
        
        C:\Users\Admin\AppData\Roaming\server.exe
        
        "C:\Users\Admin\AppData\Roaming\server.exe"
        352⤵
        
        PID:1704
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe"
        353⤵
        
        PID:1364
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" c:\users\admin\appdata\local\temp\cgi-bin.exe
        354⤵
        
        PID:812
        
        C:\Users\Admin\AppData\Roaming\server.exe
        
        "C:\Users\Admin\AppData\Roaming\server.exe"
        355⤵
        
        PID:1528
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe"
        356⤵
        
        PID:576
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" c:\users\admin\appdata\local\temp\cgi-bin.exe
        357⤵
        
        PID:892
        
        C:\Users\Admin\AppData\Roaming\server.exe
        
        "C:\Users\Admin\AppData\Roaming\server.exe"
        358⤵
        
        PID:2400
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe"
        359⤵
        
        PID:2208
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" c:\users\admin\appdata\local\temp\cgi-bin.exe
        360⤵
        
        PID:2120
        
        C:\Users\Admin\AppData\Roaming\server.exe
        
        "C:\Users\Admin\AppData\Roaming\server.exe"
        361⤵
        
        PID:1264
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe"
        362⤵
        
        PID:1328
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" c:\users\admin\appdata\local\temp\cgi-bin.exe
        363⤵
        
        PID:1792
        
        C:\Users\Admin\AppData\Roaming\server.exe
        
        "C:\Users\Admin\AppData\Roaming\server.exe"
        364⤵
        
        PID:2412
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe"
        365⤵
        
        PID:2704
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" c:\users\admin\appdata\local\temp\cgi-bin.exe
        366⤵
        
        PID:576
        
        C:\Users\Admin\AppData\Roaming\server.exe
        
        "C:\Users\Admin\AppData\Roaming\server.exe"
        367⤵
        
        PID:1700
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe"
        368⤵
        
        PID:1692
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" c:\users\admin\appdata\local\temp\cgi-bin.exe
        369⤵
        
        PID:2752
        
        C:\Users\Admin\AppData\Roaming\server.exe
        
        "C:\Users\Admin\AppData\Roaming\server.exe"
        370⤵
        
        PID:2732
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe"
        371⤵
        
        PID:2864
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" c:\users\admin\appdata\local\temp\cgi-bin.exe
        372⤵
        
        PID:1316
        
        C:\Users\Admin\AppData\Roaming\server.exe
        
        "C:\Users\Admin\AppData\Roaming\server.exe"
        373⤵
        
        PID:2968
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe"
        374⤵
        
        PID:1788
        
        C:\Users\Admin\appdata\local\temp\cgi-bin.exe
        
        "C:\Users\Admin\appdata\local\temp\cgi-bin.exe" c:\users\admin\appdata\local\temp\cgi-bin.exe
        375⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\melt.bat
        374⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\melt.bat
        371⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\melt.bat
        368⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\melt8.bat
        365⤵
        
        PID:1336
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\melt.bat
        362⤵
        
        PID:1864
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\melt.bat
        359⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\melt.bat
        356⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\melt.bat
        353⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\melt.bat
        350⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\melt7.bat
        347⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\melt.bat
        344⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\melt.bat
        341⤵
        
        PID:1324
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\melt.bat
        338⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\melt.bat
        335⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\melt.bat
        332⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\melt.bat
        329⤵
        
        PID:1480
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\melt.bat
        326⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\melt.bat
        323⤵
        
        PID:2320
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\melt.bat
        320⤵
        
        PID:880
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\melt6.bat
        317⤵
        
        PID:1908
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\melt.bat
        314⤵
        
        PID:1216
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\melt.bat
        311⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\melt.bat
        308⤵
        
        PID:292
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\melt.bat
        305⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\melt.bat
        302⤵
        
        PID:2372
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\melt.bat
        299⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\melt.bat
        296⤵
        
        PID:932
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\melt.bat
        293⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\melt.bat
        290⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\melt.bat
        287⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\melt.bat
        284⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\melt.bat
        281⤵
        
        PID:1044
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\melt.bat
        278⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\melt.bat
        275⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\melt.bat
        272⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\melt.bat
        269⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\melt.bat
        266⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\melt.bat
        263⤵
        
        PID:1360
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\melt.bat
        260⤵
        
        PID:592
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\melt.bat
        257⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\melt.bat
        254⤵
        
        PID:1396
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\melt.bat
        251⤵
        
        PID:1104
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\melt.bat
        248⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\melt.bat
        245⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\melt.bat
        242⤵
        
        PID:320
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\melt.bat
        239⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\melt.bat
        236⤵
        
        PID:872
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\melt.bat
        233⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\melt.bat
        230⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\melt.bat
        227⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\melt.bat
        224⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\melt.bat
        221⤵
        
        PID:988
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\melt.bat
        218⤵
        
        PID:300
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\melt.bat
        215⤵
        
        PID:912
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\melt.bat
        212⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\melt.bat
        209⤵
        
        PID:1348
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\melt.bat
        206⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\melt.bat
        203⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\melt.bat
        200⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\melt.bat
        197⤵
        
        PID:660
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\melt.bat
        194⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\melt.bat
        191⤵
        
        PID:2532
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\melt5.bat
        188⤵
        
        PID:2548
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\melt4.bat
        185⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\melt.bat
        182⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\melt.bat
        179⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\melt.bat
        176⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\melt.bat
        173⤵
        
        PID:1508
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\melt.bat
        170⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\melt.bat
        167⤵
        
        PID:756
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\melt.bat
        164⤵
        
        PID:2896
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\melt.bat
        161⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\melt.bat
        158⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\melt.bat
        155⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\melt3.bat
        152⤵
        
        PID:572
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\melt.bat
        149⤵
        
        PID:1856
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\melt.bat
        146⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\melt2.bat
        143⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\melt.bat
        140⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\melt.bat
        137⤵
        
        PID:616
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\melt.bat
        134⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\melt.bat
        131⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\melt.bat
        128⤵
        
        PID:2228
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\melt.bat
        125⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\melt.bat
        122⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\melt.bat
        119⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\melt.bat
        116⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\melt.bat
        113⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\melt.bat
        110⤵
        
        PID:2372
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\melt.bat
        107⤵
        
        PID:1852
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\melt.bat
        104⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\melt.bat
        101⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\melt.bat
        98⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\melt.bat
        95⤵
        
        PID:2176
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\melt.bat
        92⤵
        
        PID:2628
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\melt.bat
        89⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\melt.bat
        86⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\melt.bat
        83⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\melt1.bat
        80⤵
        
        PID:1540
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\melt.bat
        77⤵
        System Location Discovery: System Language Discovery
        
        PID:2812
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\melt.bat
        74⤵
        System Location Discovery: System Language Discovery
        
        PID:1696
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\melt.bat
        71⤵
        System Location Discovery: System Language Discovery
        
        PID:2168
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\melt.bat
        68⤵
        System Location Discovery: System Language Discovery
        
        PID:2916
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\melt.bat
        65⤵
        
        PID:576
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\melt.bat
        62⤵
        System Location Discovery: System Language Discovery
        
        PID:2624
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\melt.bat
        59⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\melt.bat
        56⤵
        System Location Discovery: System Language Discovery
        
        PID:660
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\melt.bat
        53⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\melt.bat
        50⤵
        System Location Discovery: System Language Discovery
        
        PID:320
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\melt.bat
        47⤵
        System Location Discovery: System Language Discovery
        
        PID:1728
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\melt.bat
        44⤵
        System Location Discovery: System Language Discovery
        
        PID:1544
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\melt.bat
        41⤵
        System Location Discovery: System Language Discovery
        
        PID:2460
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\melt.bat
        38⤵
        System Location Discovery: System Language Discovery
        
        PID:2468
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\melt.bat
        35⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\melt.bat
        32⤵
        System Location Discovery: System Language Discovery
        
        PID:2640
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\melt.bat
        29⤵
        System Location Discovery: System Language Discovery
        
        PID:2092
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\melt.bat
        26⤵
        System Location Discovery: System Language Discovery
        
        PID:1028
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\melt.bat
        23⤵
        
        PID:1492
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\melt.bat
        20⤵
        System Location Discovery: System Language Discovery
        
        PID:1720
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\melt.bat
        17⤵
        System Location Discovery: System Language Discovery
        
        PID:2716
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\melt.bat
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:2348
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\melt.bat
        11⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\melt.bat
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2392
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\melt.bat
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2368
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\melt.bat
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2692

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1712649232-1078862090-597334231-690667314-730962460-1656773351-13231322961410621247"
1⤵
PID:1120

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-542916090-13514563502029089573-17492238511182954333-7020035101219980049683307377"
1⤵
PID:1616

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-13738764446037607071855421819-522877611409921212-1607628681-929404979-437165737"
1⤵
PID:2460

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-16212934651581864787194693676776929702011627753681282824064-9850226521921647602"
1⤵
PID:1796

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-147042493517227007698622439801323449497-13411615562078385790-60626790-559133066"
1⤵
PID:1680

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "529869175519257156-78397255-1474700794-535209304730920992-676617800-970475001"
1⤵
PID:2348

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1119179199664381601-858279502476123439-861752109-1703133472-39328427-1642177223"
1⤵
PID:2692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\cgi-bin.exe

Filesize
292KB

MD5
e8eca1a24d0eb575beb2dc01b6d01b64

SHA1
a1f389cd0b9488685316462ccef24b6e972dda05

SHA256
e82b397c6cb9555caeb62448771c6c2d1c1faee6969041bdca06e9b2eb1c087c

SHA512
b65e589c4d60c69c08e29a65bc55f0b648bae209afbb422246554b8cb516699a2757a4abeea79111307c3657839b676a2384077980701935a14e8b474f7e02fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\melt.bat

Filesize
282B

MD5
391388513a09d8bf666832020f1dd198

SHA1
b67bc5aea5351e054a30be58ae4bf2349e7a668f

SHA256
bfcf1c3385315b57531defc415cef249be44801d49a48c63dcb2f32f49d61fee

SHA512
c4261d8c386700c72a04f7ecb7f4e1bd884d489e5da17337fa58ed2e4e1363ead6f0cefc915607bc21307e0baa83fcb7c7337e9000204b8e779b014e41831b24

Download Submit
C:\Users\Admin\AppData\Local\Temp\melt.bat

Filesize
156B

MD5
9e76956df07475a1b03129c54b7846d9

SHA1
1f984b4eab8bda73be69a1b5d6dce5d7ae7eeeaa

SHA256
c3cfdd85f8b0274efc51588f0c2abbf7e00461d04584e49b3ec9c482afeffc2f

SHA512
c5775b2968785f8712e428809960f2e0f3257de5e32ecf547fd4974de9612d7c7cfa56cc177abb96df028860df3ef691934d00fc54012e1141f154c707a6d1eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\melt.bat

Filesize
196B

MD5
a481f0f95c1224f8a17b7f082c6083a4

SHA1
55c45653636b4a178be7770f627edaac56da1362

SHA256
f0f75b823b90e98a239d26d41b45141fce84bc7995d9b2004dfdb4837910a3eb

SHA512
0d87e206c195237db2d1951c830391b62d0b623713283232a5b31f4f33a248461fd7ff9e19402abd20a58e60366f662449acf6805f33dd70894067e6f69768d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\melt1.bat

Filesize
197B

MD5
382e142f5979fc137a4d57e230018e9a

SHA1
a5042367ffc74831e0b8b9f6d0edb1e617e2018a

SHA256
1bc7fafc385902bd6a892756d7b469ff0c914ec726a588745b923d48ae933749

SHA512
4714b064c60735dcff3fb363a5e2c4ec1e0c897b7073e4c7efad90529cd6c66470af2a054f60a686c43b5da564912c2274981de8330f264b1860d1f931108f07

Download Submit
C:\Users\Admin\AppData\Local\Temp\melt2.bat

Filesize
197B

MD5
4e1988539849bc11ce7cbd93cd8df562

SHA1
ce9da3e9bd1e93106e4ac3819f35c37ec7f202eb

SHA256
56d7f0441bde1af5d6a0fb06ce7df601a469a3b19dca043d75a22d9ac5e69429

SHA512
8a61cc26865d59ed42f1dd57f65a8b7915ada62b41d2f52af58c45af7596c1da2d88c562422d5a39d06e4069bde28aebb4b3432e42fb1bd01af13755e99d5571

Download Submit
C:\Users\Admin\AppData\Local\Temp\melt3.bat

Filesize
197B

MD5
f4050c31940575556c14828409fb54f8

SHA1
0cdbe97ace13913ddddb4f9841135f39b91312b7

SHA256
cd6325fc21282280fa47c304ccf7e0f5186183732ad7239228c4292eacec4f34

SHA512
a1014dc07784250f05026f7ac5b074e02b31c2d6c802b35f2d0c0228a9424b4c4654abfdd22c711e4c86f40e3a99b477c83c968d591beacdf99abcd0efc83cb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\melt4.bat

Filesize
197B

MD5
f91aa89e782d5a5d736e1bab06436d73

SHA1
8e99117130f064e00590b5dba11c6440bae2135e

SHA256
144a026558a0ff40454dfc7746f9dc508433d3f2d616f2b08fad654325147169

SHA512
78e94505789a064276cb1ab92bd8a983655292b55ea237d794dc180bc34b4c59c4c80de49794610822384c07561272a1d499dab88186a2875a96c726c8dc417b

Download Submit
C:\Users\Admin\AppData\Local\Temp\melt6.bat

Filesize
197B

MD5
5bdea2bd0d90bb13325569215a1d907f

SHA1
05dd8130eff08fa9b5d5b4b8131aedb8e4c4d062

SHA256
b8be70bffb33ec57e74e2f934ef4b2be31556e0e920d39b11f0617e23e4b1c01

SHA512
5b42e41d1f5cb650607fc92ea8a056b4519d62d26f1f258ac5bf27a1c74102ffe74ff20c4536ce1842612a0706206304fc5a26b52a2721413c4be564b5896ecb

Download Submit
C:\Users\Admin\AppData\Local\Temp\melt7.bat

Filesize
197B

MD5
b44f85f65e28d8c18590f50725137db6

SHA1
54aa4916b22b868619b04b5db002f7438fb117a3

SHA256
2cc069a561cc6d7ceb1e79f893e52c183ee88aa8249fee2de8ccb70e617c1f61

SHA512
b426e255e64be516de2632691049f4b0793d64333691a218be8622e5421d09d9d20ad83b78a5776a49e5798c3865ad448f310927f31c3f1ce4e2680440570a91

Download Submit
C:\Users\Admin\AppData\Local\Temp\melt8.bat

Filesize
197B

MD5
64c48eb4601a3105912521846b0a6982

SHA1
8abfb541a084221936bbdd042107117706c775b1

SHA256
277350bb3b2ec9c96904b6153d6f0fe6f3279b90898f1a2cd2c01c931ce16e5d

SHA512
9ab42cfdec08f8e320b44fdc44a840fe938e118b77ebd4c303e88ed9025ef5420e7d350ef7b5d5e1c578d7299010b8f3dd797dcd7cd479f84cfce2e8f48265b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\test1.htm

Filesize
3B

MD5
6057f13c496ecf7fd777ceb9e79ae285

SHA1
7f550a9f4c44173a37664d938f1355f0f92a47a7

SHA256
fa690b82061edfd2852629aeba8a8977b57e40fcb77d1a7a28b26cba62591204

SHA512
0601d109d0d2b0fa9c4484b4a5c94ee5ecc62ccec3bd7d99e972d18994d0e2e42f6d0fcfc41216a5ab72ee7af96d213e1c314abdde40f52731ff24c2bf8f7323

Download Submit
memory/1656-130-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2764-36-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2764-65-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2764-34-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2764-38-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2764-40-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2764-42-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2764-44-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2764-46-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2764-48-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2764-50-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2764-51-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2764-55-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2940-180-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download