njrat | 1b6f1fe005004eb302cc536bdb4841e2224ca706a9e6ed04ebc7cb86c4bb6ebf

Resubmissions

31/03/2025, 16:33

250331-t2pzlatvdy 10

11/11/2020, 11:16

201111-3sqec5lagn 10

Analysis

max time kernel
119s
max time network
122s
platform
windows11-21h2_x64
resource
win11-20250313-en
resource tags

arch:x64arch:x86image:win11-20250313-enlocale:en-usos:windows11-21h2-x64system
submitted
31/03/2025, 16:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1b6f1fe005004eb302cc536bdb4841e2224ca706a9e6ed04ebc7cb86c4bb6ebf.exe
Size

23KB
MD5

c68fa9e0a6c46464ffc55536e04cd0cb
SHA1

46a01b1c1ed07b403704595b54da788f87758fba
SHA256

1b6f1fe005004eb302cc536bdb4841e2224ca706a9e6ed04ebc7cb86c4bb6ebf
SHA512

89c31eeba8ae22d34496584ddc4671e4b21f83ed54e16cd3e7f66fedd36dffa1915e7d2fbfcdf7cce4bf03d68cb77d53e7f03a6b42aa796bd35f506ce2952387
SSDEEP

384:zY324bcgPiJLQrfARGSRUJsbY6ZgvSMBD3t8mRvR6JZlbw8hqIusZzZwzCFy:cL2s+tRyRpcnuHGU

Score

10^/10

njrat defense_evasion discovery persistence privilege_escalation trojan

Malware Config

Signatures

Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Modifies Windows Firewall 2 TTPs 1 IoCs

defense_evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
3740	netsh.exe

Executes dropped EXE 64 IoCs

pid	Process
1344	cheat.exe
4632	cheat.exe
1460	cheat.exe
3280	cheat.exe
1508	cheat.exe
2132	cheat.exe
4696	cheat.exe
3328	cheat.exe
2380	cheat.exe
2656	cheat.exe
3792	cheat.exe
1964	cheat.exe
3464	cheat.exe
1192	cheat.exe
1392	cheat.exe
2428	cheat.exe
1212	cheat.exe
4128	cheat.exe
5020	cheat.exe
5116	cheat.exe
1376	cheat.exe
2848	cheat.exe
3644	cheat.exe
4664	cheat.exe
3308	cheat.exe
424	cheat.exe
928	cheat.exe
1888	cheat.exe
2888	cheat.exe
1728	cheat.exe
4272	cheat.exe
3892	cheat.exe
2656	cheat.exe
4108	cheat.exe
1464	cheat.exe
2032	cheat.exe
2260	cheat.exe
1476	cheat.exe
3980	cheat.exe
4996	cheat.exe
4776	cheat.exe
1072	cheat.exe
1376	cheat.exe
4508	cheat.exe
1684	cheat.exe
2344	cheat.exe
4328	cheat.exe
2192	cheat.exe
1956	cheat.exe
1892	cheat.exe
3440	cheat.exe
2380	cheat.exe
4728	cheat.exe
2748	cheat.exe
4736	cheat.exe
2332	cheat.exe
4956	cheat.exe
2260	cheat.exe
5004	cheat.exe
4476	cheat.exe
3828	cheat.exe
1916	cheat.exe
4996	cheat.exe
1412	cheat.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\efea00bfd82100063e3ba5f5434189d9 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\cheat.exe\" .."	cheat.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-994669834-3080981395-1291080877-1000\Software\Microsoft\Windows\CurrentVersion\Run\efea00bfd82100063e3ba5f5434189d9 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\cheat.exe\" .."	cheat.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
1	4.tcp.ngrok.io
18	4.tcp.ngrok.io

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheat.exe

Suspicious use of AdjustPrivilegeToken 27 IoCs

description	pid	Process
Token: SeDebugPrivilege	1344	cheat.exe
Token: 33	1344	cheat.exe
Token: SeIncBasePriorityPrivilege	1344	cheat.exe
Token: 33	1344	cheat.exe
Token: SeIncBasePriorityPrivilege	1344	cheat.exe
Token: 33	1344	cheat.exe
Token: SeIncBasePriorityPrivilege	1344	cheat.exe
Token: 33	1344	cheat.exe
Token: SeIncBasePriorityPrivilege	1344	cheat.exe
Token: 33	1344	cheat.exe
Token: SeIncBasePriorityPrivilege	1344	cheat.exe
Token: 33	1344	cheat.exe
Token: SeIncBasePriorityPrivilege	1344	cheat.exe
Token: 33	1344	cheat.exe
Token: SeIncBasePriorityPrivilege	1344	cheat.exe
Token: 33	1344	cheat.exe
Token: SeIncBasePriorityPrivilege	1344	cheat.exe
Token: 33	1344	cheat.exe
Token: SeIncBasePriorityPrivilege	1344	cheat.exe
Token: 33	1344	cheat.exe
Token: SeIncBasePriorityPrivilege	1344	cheat.exe
Token: 33	1344	cheat.exe
Token: SeIncBasePriorityPrivilege	1344	cheat.exe
Token: 33	1344	cheat.exe
Token: SeIncBasePriorityPrivilege	1344	cheat.exe
Token: 33	1344	cheat.exe
Token: SeIncBasePriorityPrivilege	1344	cheat.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4736 wrote to memory of 1344	4736	1b6f1fe005004eb302cc536bdb4841e2224ca706a9e6ed04ebc7cb86c4bb6ebf.exe	78
PID 4736 wrote to memory of 1344	4736	1b6f1fe005004eb302cc536bdb4841e2224ca706a9e6ed04ebc7cb86c4bb6ebf.exe	78
PID 4736 wrote to memory of 1344	4736	1b6f1fe005004eb302cc536bdb4841e2224ca706a9e6ed04ebc7cb86c4bb6ebf.exe	78
PID 1344 wrote to memory of 3740	1344	cheat.exe	79
PID 1344 wrote to memory of 3740	1344	cheat.exe	79
PID 1344 wrote to memory of 3740	1344	cheat.exe	79
PID 3308 wrote to memory of 4632	3308	cmd.exe	85
PID 3308 wrote to memory of 4632	3308	cmd.exe	85
PID 3308 wrote to memory of 4632	3308	cmd.exe	85
PID 3956 wrote to memory of 1460	3956	cmd.exe	86
PID 3956 wrote to memory of 1460	3956	cmd.exe	86
PID 3956 wrote to memory of 1460	3956	cmd.exe	86
PID 928 wrote to memory of 3280	928	cmd.exe	92
PID 928 wrote to memory of 3280	928	cmd.exe	92
PID 928 wrote to memory of 3280	928	cmd.exe	92
PID 2232 wrote to memory of 1508	2232	cmd.exe	91
PID 2232 wrote to memory of 1508	2232	cmd.exe	91
PID 2232 wrote to memory of 1508	2232	cmd.exe	91
PID 108 wrote to memory of 2132	108	cmd.exe	97
PID 108 wrote to memory of 2132	108	cmd.exe	97
PID 108 wrote to memory of 2132	108	cmd.exe	97
PID 2500 wrote to memory of 4696	2500	cmd.exe	98
PID 2500 wrote to memory of 4696	2500	cmd.exe	98
PID 2500 wrote to memory of 4696	2500	cmd.exe	98
PID 4668 wrote to memory of 3328	4668	cmd.exe	103
PID 4668 wrote to memory of 3328	4668	cmd.exe	103
PID 4668 wrote to memory of 3328	4668	cmd.exe	103
PID 244 wrote to memory of 2380	244	cmd.exe	104
PID 244 wrote to memory of 2380	244	cmd.exe	104
PID 244 wrote to memory of 2380	244	cmd.exe	104
PID 4964 wrote to memory of 2656	4964	cmd.exe	109
PID 4964 wrote to memory of 2656	4964	cmd.exe	109
PID 4964 wrote to memory of 2656	4964	cmd.exe	109
PID 4852 wrote to memory of 3792	4852	cmd.exe	110
PID 4852 wrote to memory of 3792	4852	cmd.exe	110
PID 4852 wrote to memory of 3792	4852	cmd.exe	110
PID 4108 wrote to memory of 1964	4108	cmd.exe	115
PID 4108 wrote to memory of 1964	4108	cmd.exe	115
PID 4108 wrote to memory of 1964	4108	cmd.exe	115
PID 3552 wrote to memory of 3464	3552	cmd.exe	116
PID 3552 wrote to memory of 3464	3552	cmd.exe	116
PID 3552 wrote to memory of 3464	3552	cmd.exe	116
PID 5004 wrote to memory of 1192	5004	cmd.exe	121
PID 5004 wrote to memory of 1192	5004	cmd.exe	121
PID 5004 wrote to memory of 1192	5004	cmd.exe	121
PID 3080 wrote to memory of 1392	3080	cmd.exe	122
PID 3080 wrote to memory of 1392	3080	cmd.exe	122
PID 3080 wrote to memory of 1392	3080	cmd.exe	122
PID 1328 wrote to memory of 2428	1328	cmd.exe	127
PID 1328 wrote to memory of 2428	1328	cmd.exe	127
PID 1328 wrote to memory of 2428	1328	cmd.exe	127
PID 2040 wrote to memory of 1212	2040	cmd.exe	128
PID 2040 wrote to memory of 1212	2040	cmd.exe	128
PID 2040 wrote to memory of 1212	2040	cmd.exe	128
PID 4336 wrote to memory of 4128	4336	cmd.exe	133
PID 4336 wrote to memory of 4128	4336	cmd.exe	133
PID 4336 wrote to memory of 4128	4336	cmd.exe	133
PID 4948 wrote to memory of 5020	4948	cmd.exe	134
PID 4948 wrote to memory of 5020	4948	cmd.exe	134
PID 4948 wrote to memory of 5020	4948	cmd.exe	134
PID 1008 wrote to memory of 5116	1008	cmd.exe	139
PID 1008 wrote to memory of 5116	1008	cmd.exe	139
PID 1008 wrote to memory of 5116	1008	cmd.exe	139
PID 4816 wrote to memory of 1376	4816	cmd.exe	140

C:\Users\Admin\AppData\Local\Temp\1b6f1fe005004eb302cc536bdb4841e2224ca706a9e6ed04ebc7cb86c4bb6ebf.exe
C:\Users\Admin\AppData\Local\Temp\1b6f1fe005004eb302cc536bdb4841e2224ca706a9e6ed04ebc7cb86c4bb6ebf.exe bcdedit /c set shutdown /r readonly /f force /t 2
1⤵
- Suspicious use of WriteProcessMemory
PID:4736
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  "C:\Users\Admin\AppData\Local\Temp\cheat.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1344
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\cheat.exe" "cheat.exe" ENABLE
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:3740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
- Suspicious use of WriteProcessMemory
PID:3308
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - Executes dropped EXE
  PID:4632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
- Suspicious use of WriteProcessMemory
PID:3956
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - Executes dropped EXE
  PID:1460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
- Suspicious use of WriteProcessMemory
PID:2232
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - Executes dropped EXE
  PID:1508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
- Suspicious use of WriteProcessMemory
PID:928
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - Executes dropped EXE
  PID:3280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
- Suspicious use of WriteProcessMemory
PID:108
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - Executes dropped EXE
  PID:2132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
- Suspicious use of WriteProcessMemory
PID:2500
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - Executes dropped EXE
  PID:4696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
- Suspicious use of WriteProcessMemory
PID:244
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - Executes dropped EXE
  PID:2380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
- Suspicious use of WriteProcessMemory
PID:4668
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
- Suspicious use of WriteProcessMemory
PID:4852
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
- Suspicious use of WriteProcessMemory
PID:4964
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - Executes dropped EXE
  PID:2656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
- Suspicious use of WriteProcessMemory
PID:4108
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - Executes dropped EXE
  PID:1964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
- Suspicious use of WriteProcessMemory
PID:3552
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - Executes dropped EXE
  PID:3464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
- Suspicious use of WriteProcessMemory
PID:5004
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - Executes dropped EXE
  PID:1192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
- Suspicious use of WriteProcessMemory
PID:3080
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - Executes dropped EXE
  PID:1392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
- Suspicious use of WriteProcessMemory
PID:2040
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
- Suspicious use of WriteProcessMemory
PID:1328
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
- Suspicious use of WriteProcessMemory
PID:4948
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
- Suspicious use of WriteProcessMemory
PID:4336
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
- Suspicious use of WriteProcessMemory
PID:4816
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - Executes dropped EXE
  PID:1376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
- Suspicious use of WriteProcessMemory
PID:1008
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - Executes dropped EXE
  PID:5116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:1424
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - Executes dropped EXE
  PID:3644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:4364
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - Executes dropped EXE
  PID:2848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:912
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - Executes dropped EXE
  PID:3308

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:2092
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:3052
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:4632
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:4496
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:4868
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - Executes dropped EXE
  PID:1888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:2368
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - Executes dropped EXE
  PID:4272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:2500
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - Executes dropped EXE
  PID:1728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:244
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - Executes dropped EXE
  PID:3892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:1616
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - Executes dropped EXE
  PID:2656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:1720
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - Executes dropped EXE
  PID:1464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:5032
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - Executes dropped EXE
  PID:4108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:1384
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:3092
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:3036
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:420
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - Executes dropped EXE
  PID:1476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:1260
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:2040
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - Executes dropped EXE
  PID:4776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:3120
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - Executes dropped EXE
  PID:1376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:2708
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1072

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:3068
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - Executes dropped EXE
  PID:1684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:4708
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - Executes dropped EXE
  PID:4508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:4912
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2344

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:1560
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - Executes dropped EXE
  PID:4328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:1460
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - Executes dropped EXE
  PID:2192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:984
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:3292
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - Executes dropped EXE
  PID:3440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:4212
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - Executes dropped EXE
  PID:1892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:1036
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - Executes dropped EXE
  PID:4728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:2132
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:2392
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:3620
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - Executes dropped EXE
  PID:2748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:2264
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - Executes dropped EXE
  PID:2332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:4428
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - Executes dropped EXE
  PID:4956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:2560
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - Executes dropped EXE
  PID:2260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:4568
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:3148
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:4752
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:4464
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:3700
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - Executes dropped EXE
  PID:1916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:2856
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - Executes dropped EXE
  PID:1412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:2040
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:4352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:3952
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:4656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:3244
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:1756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:4960
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:1464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:3076
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:3492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:1068
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:1044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:4596
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:3052
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:4672
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:1776
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:3604
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:1992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:1748
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:1764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:1032
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:2844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:4484
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:4120
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:3160

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:3644
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:3920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:2404
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:2180

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:4068
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:5004
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:1392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:1624
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:2580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:3116
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:4052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:1920
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:1916
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:4796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:3556
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:3340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:4352
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:764
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:1684
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:3772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:2336
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:1636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:1984
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:4880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:2424
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:3016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:3876
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:1284
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:1460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:1488
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:2396
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:3700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:3472
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:3892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:1764
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:4248
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:2780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:4336
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:2732
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:4984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:3644
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:1088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:2216
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:5032
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:4692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:2504
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:4220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:1048
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:3376
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:4556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:1008
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:3280
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:720
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:4496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:856
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:4384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:4216
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:1964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:2848
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:4832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:3956
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:4652
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:4428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:1408
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:4680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:3704
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:2340
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:2560
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:3568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:4076
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:1776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:3296
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:4916
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:4408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:3604
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:1396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:1032
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:3732
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:4108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:2196
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:2168

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:1088
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:2404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:2284
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:4152
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:5008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:3108
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:3640
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:1892
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:1180

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:2656
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:1412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:5104
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:2748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:3084
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:1748
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:1044
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:4744
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:680
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:1956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:4816
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:2540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:2804
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:2192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:3092
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:4896
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:3348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:1916
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:3112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:4484
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:4212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:1848
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:4248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:1008
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:5108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:2232
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:3620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:2160
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:4120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:3812
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:4868
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:3644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:968
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:2504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:912
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:5036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:2940
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:1048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:1732
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:2888
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:1412
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:1920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:1880
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:2200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:4660
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:4352
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:4824
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:4992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:4852
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:3948
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:2944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:4124
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:4436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:2904
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:3596
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:3460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:4560
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:2380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:3616
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:1688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:4064
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:3016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:4604
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:3012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:1612
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:3604
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:4540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:3952
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2344

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:456
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:4100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:2964
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4168

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:2196
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:4932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:4956
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:1680
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:2368
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:3876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:1048
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:4752
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:3552
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:1388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:4684
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:3408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:1472
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:4916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:1792
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:3148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:5104
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3308

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:2140
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:1576
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:2332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:5096
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:2004
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:3040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:1364
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:4680
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:2804
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:2812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:5004
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:4976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:4064
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:3796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:1548
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:4496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:1508
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:2304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:5044
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:4168

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:3448
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:3644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:3772
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:4208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:2232
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:2284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:4376
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:1732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:1872
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:3256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:5008
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:656
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:3464
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:4692
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:2720
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:1412
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:3148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\cheat.exe.log

Filesize
319B

MD5
e7df52bc2fea4cb49c9c749bd9f8d618

SHA1
fd956953e48f15d113f59be5e6a6534d32f2a25a

SHA256
65a906ff066056f5d93198115645da23ab4f880aad5d85f2fab41248b5831373

SHA512
538d0e3958b2b6a2d876e64ed70518aeba857b4effece13c930417754e2df23b612c7368bc4d8344bb9b10b721916d4ff2529cbac86142993170aa1d1918bae7

Download Submit
C:\Users\Admin\AppData\Local\Temp\cheat.exe

Filesize
23KB

MD5
c68fa9e0a6c46464ffc55536e04cd0cb

SHA1
46a01b1c1ed07b403704595b54da788f87758fba

SHA256
1b6f1fe005004eb302cc536bdb4841e2224ca706a9e6ed04ebc7cb86c4bb6ebf

SHA512
89c31eeba8ae22d34496584ddc4671e4b21f83ed54e16cd3e7f66fedd36dffa1915e7d2fbfcdf7cce4bf03d68cb77d53e7f03a6b42aa796bd35f506ce2952387

Download Submit
memory/1344-12-0x00000000745A0000-0x0000000074B51000-memory.dmp

Filesize
5.7MB

Download
memory/1344-14-0x00000000745A0000-0x0000000074B51000-memory.dmp

Filesize
5.7MB

Download
memory/1344-21-0x00000000745A0000-0x0000000074B51000-memory.dmp

Filesize
5.7MB

Download
memory/1344-24-0x00000000745A0000-0x0000000074B51000-memory.dmp

Filesize
5.7MB

Download
memory/4736-0-0x00000000745A1000-0x00000000745A2000-memory.dmp

Filesize
4KB

Download
memory/4736-1-0x00000000745A0000-0x0000000074B51000-memory.dmp

Filesize
5.7MB

Download
memory/4736-2-0x00000000745A0000-0x0000000074B51000-memory.dmp

Filesize
5.7MB

Download
memory/4736-13-0x00000000745A0000-0x0000000074B51000-memory.dmp

Filesize
5.7MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads