c50488a31b6ce8d0ddd65b57bd27cf8c1bc86ad0382476f813c33083c5575d6f

Resubmissions

31/03/2025, 16:15

250331-tqqrrawlt6 10

30/09/2021, 21:22

210930-z7w8raaefn 10

Analysis

max time kernel
14s
max time network
121s
platform
windows10-ltsc_2021_x64
resource
win10ltsc2021-20250314-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250314-enlocale:en-usos:windows10-ltsc_2021-x64system
submitted
31/03/2025, 16:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
Size

31KB
MD5

4adad151f3c235616ce57238c32b4b34
SHA1

9d05a045e0ce402ff257d799921a9557a2569535
SHA256

c50488a31b6ce8d0ddd65b57bd27cf8c1bc86ad0382476f813c33083c5575d6f
SHA512

34b9607899e79f6e381c648f6afde801aed03e4041c9affc13d4855032d139f5164b7f2c4adfea56366d3365dd758fe9c86110b2148cc0c744f04945fc79a366
SSDEEP

768:RPwoqkZlH/azx1+ta+q3U97v8+QmIDUu0tiJYDj:s4qSp7QVkQSj

Score

8^/10

defense_evasion discovery persistence privilege_escalation

Malware Config

Signatures

Modifies Windows Firewall 2 TTPs 1 IoCs

defense_evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
4136	netsh.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\33aef9319e7f69a68e51dc4a67780130.exe	C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\33aef9319e7f69a68e51dc4a67780130.exe	C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1498259476-758239146-3116387113-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\33aef9319e7f69a68e51dc4a67780130 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe\" .."	C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\33aef9319e7f69a68e51dc4a67780130 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe\" .."	C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
17	0.tcp.ngrok.io
21	0.tcp.ngrok.io
54	0.tcp.ngrok.io

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5616	C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
5616	C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
5616	C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
5616	C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
5616	C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
5616	C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
5616	C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
5616	C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
5616	C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
5616	C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
5616	C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
5616	C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
5616	C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
5616	C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
5616	C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
5616	C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
5616	C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
5616	C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
5616	C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
5616	C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
5616	C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
5616	C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
5616	C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
5616	C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
5616	C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
5616	C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
5616	C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
5616	C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
5616	C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
5616	C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
5616	C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
5616	C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
5616	C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
5616	C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
5616	C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
5616	C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
5616	C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
5616	C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
5616	C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
5616	C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
5616	C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
5616	C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
5616	C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
5616	C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
5616	C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
5616	C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
5616	C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
5616	C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
5616	C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
5616	C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
5616	C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
5616	C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
5616	C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
5616	C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
5616	C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
5616	C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
5616	C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
5616	C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
5616	C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
5616	C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
5616	C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
5616	C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
5616	C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
5616	C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeDebugPrivilege	5616	C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
Token: SeDebugPrivilege	5000	C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
Token: SeDebugPrivilege	4764	C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
Token: SeDebugPrivilege	3156	C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
Token: SeDebugPrivilege	4872	C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
Token: SeDebugPrivilege	2440	C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
Token: SeDebugPrivilege	3268	C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
Token: SeDebugPrivilege	1552	C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
Token: 33	5616	C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
Token: SeIncBasePriorityPrivilege	5616	C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
Token: SeDebugPrivilege	4532	C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
Token: SeDebugPrivilege	5388	C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 5616 wrote to memory of 4136	5616	C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe	87
PID 5616 wrote to memory of 4136	5616	C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe	87
PID 5616 wrote to memory of 4136	5616	C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe	87
PID 1524 wrote to memory of 5000	1524	cmd.exe	94
PID 1524 wrote to memory of 5000	1524	cmd.exe	94
PID 1524 wrote to memory of 5000	1524	cmd.exe	94
PID 1256 wrote to memory of 4764	1256	cmd.exe	95
PID 1256 wrote to memory of 4764	1256	cmd.exe	95
PID 1256 wrote to memory of 4764	1256	cmd.exe	95
PID 4932 wrote to memory of 3156	4932	cmd.exe	100
PID 4932 wrote to memory of 3156	4932	cmd.exe	100
PID 4932 wrote to memory of 3156	4932	cmd.exe	100
PID 4880 wrote to memory of 4872	4880	cmd.exe	101
PID 4880 wrote to memory of 4872	4880	cmd.exe	101
PID 4880 wrote to memory of 4872	4880	cmd.exe	101
PID 3256 wrote to memory of 2440	3256	cmd.exe	214
PID 3256 wrote to memory of 2440	3256	cmd.exe	214
PID 3256 wrote to memory of 2440	3256	cmd.exe	214
PID 4760 wrote to memory of 3268	4760	cmd.exe	324
PID 4760 wrote to memory of 3268	4760	cmd.exe	324
PID 4760 wrote to memory of 3268	4760	cmd.exe	324
PID 5500 wrote to memory of 1552	5500	cmd.exe	117
PID 5500 wrote to memory of 1552	5500	cmd.exe	117
PID 5500 wrote to memory of 1552	5500	cmd.exe	117
PID 4996 wrote to memory of 4532	4996	cmd.exe	118
PID 4996 wrote to memory of 4532	4996	cmd.exe	118
PID 4996 wrote to memory of 4532	4996	cmd.exe	118
PID 388 wrote to memory of 5388	388	cmd.exe	123
PID 388 wrote to memory of 5388	388	cmd.exe	123
PID 388 wrote to memory of 5388	388	cmd.exe	123
PID 5004 wrote to memory of 2060	5004	cmd.exe	128
PID 5004 wrote to memory of 2060	5004	cmd.exe	128
PID 5004 wrote to memory of 2060	5004	cmd.exe	128

C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe bcdedit /c set shutdown /r readonly /f force /t 2
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5616
- C:\Windows\SysWOW64\netsh.exe
  netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe" "C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe" ENABLE
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:4136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe" ..
1⤵
- Suspicious use of WriteProcessMemory
PID:1524
- C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
  C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:5000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe" ..
1⤵
- Suspicious use of WriteProcessMemory
PID:1256
- C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
  C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe" ..
1⤵
- Suspicious use of WriteProcessMemory
PID:4880
- C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
  C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe" ..
1⤵
- Suspicious use of WriteProcessMemory
PID:4932
- C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
  C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe" ..
1⤵
- Suspicious use of WriteProcessMemory
PID:3256
- C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
  C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe" ..
1⤵
- Suspicious use of WriteProcessMemory
PID:4760
- C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
  C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe" ..
1⤵
- Suspicious use of WriteProcessMemory
PID:4996
- C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
  C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe" ..
1⤵
- Suspicious use of WriteProcessMemory
PID:5500
- C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
  C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe" ..
1⤵
- Suspicious use of WriteProcessMemory
PID:5004
- C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
  C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe" ..
1⤵
- Suspicious use of WriteProcessMemory
PID:388
- C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
  C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:5388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe" ..
1⤵
PID:1596
- C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
  C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe ..
  2⤵
  PID:2740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe" ..
1⤵
PID:4080
- C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
  C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe ..
  2⤵
  PID:2044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe" ..
1⤵
PID:4744
- C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
  C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe ..
  2⤵
  PID:2304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe" ..
1⤵
PID:4820
- C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
  C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe ..
  2⤵
  PID:3424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe" ..
1⤵
PID:4264
- C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
  C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe ..
  2⤵
  PID:5780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe" ..
1⤵
PID:4372
- C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
  C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe ..
  2⤵
  PID:2192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe" ..
1⤵
PID:5376
- C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
  C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe ..
  2⤵
  PID:4404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe" ..
1⤵
PID:5436
- C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
  C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe ..
  2⤵
  PID:3292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe" ..
1⤵
PID:3464
- C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
  C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe ..
  2⤵
  PID:4416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe" ..
1⤵
PID:1304
- C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
  C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe ..
  2⤵
  PID:4460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe" ..
1⤵
PID:5764
- C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
  C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe ..
  2⤵
  PID:5020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe" ..
1⤵
PID:1924
- C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
  C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe ..
  2⤵
  PID:400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe" ..
1⤵
PID:5968
- C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
  C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe ..
  2⤵
  PID:904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe" ..
1⤵
PID:2296
- C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
  C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe ..
  2⤵
  PID:2148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe" ..
1⤵
PID:2868
- C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
  C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe ..
  2⤵
  PID:5760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe" ..
1⤵
PID:5896
- C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
  C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe ..
  2⤵
  PID:2972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe" ..
1⤵
PID:3788
- C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
  C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe ..
  2⤵
  PID:1840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe" ..
1⤵
PID:4784
- C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
  C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe ..
  2⤵
  PID:680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe" ..
1⤵
PID:2848
- C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
  C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe ..
  2⤵
  PID:2832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe" ..
1⤵
PID:1164
- C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
  C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe ..
  2⤵
  PID:2552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe" ..
1⤵
PID:804
- C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
  C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe ..
  2⤵
  PID:3476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe" ..
1⤵
PID:1016
- C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
  C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe ..
  2⤵
  PID:3124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe" ..
1⤵
PID:5216
- C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
  C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe ..
  2⤵
  PID:1064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe" ..
1⤵
PID:2864
- C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
  C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe ..
  2⤵
  PID:1556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe" ..
1⤵
PID:1196
- C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
  C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe ..
  2⤵
  PID:2948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe" ..
1⤵
PID:1148
- C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
  C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe ..
  2⤵
  PID:5652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe" ..
1⤵
PID:5040
- C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
  C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe ..
  2⤵
  PID:1492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe" ..
1⤵
PID:6040
- C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
  C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe ..
  2⤵
  PID:220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe" ..
1⤵
PID:4888
- C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
  C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe ..
  2⤵
  PID:5532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe" ..
1⤵
PID:4840
- C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
  C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe ..
  2⤵
  PID:1128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe" ..
1⤵
PID:4352
- C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
  C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe ..
  2⤵
  PID:4436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe" ..
1⤵
PID:3656
- C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
  C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe ..
  2⤵
  PID:1172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe" ..
1⤵
PID:4292
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2440
- C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
  C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe ..
  2⤵
  PID:5848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe" ..
1⤵
PID:4744
- C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
  C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe ..
  2⤵
  PID:4332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe" ..
1⤵
PID:4516
- C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
  C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe ..
  2⤵
  PID:4016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe" ..
1⤵
PID:464
- C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
  C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe ..
  2⤵
  PID:2112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe" ..
1⤵
PID:4904
- C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
  C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe ..
  2⤵
  PID:5572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe" ..
1⤵
PID:3692
- C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
  C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe ..
  2⤵
  PID:1912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe" ..
1⤵
PID:1720
- C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
  C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe ..
  2⤵
  PID:3124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe" ..
1⤵
PID:4040
- C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
  C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe ..
  2⤵
  PID:4556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe" ..
1⤵
PID:3024
- C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
  C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe ..
  2⤵
  PID:5780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe" ..
1⤵
PID:3976
- C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
  C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe ..
  2⤵
  PID:3664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe" ..
1⤵
PID:2296
- C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
  C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe ..
  2⤵
  PID:3820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe" ..
1⤵
PID:636
- C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
  C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe ..
  2⤵
  PID:1612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe" ..
1⤵
PID:3256
- C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
  C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe ..
  2⤵
  PID:2468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe" ..
1⤵
PID:5444
- C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
  C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe ..
  2⤵
  PID:512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe" ..
1⤵
PID:4748
- C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
  C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe ..
  2⤵
  PID:1908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe" ..
1⤵
PID:5676
- C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
  C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe ..
  2⤵
  PID:3932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe" ..
1⤵
PID:4940
- C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
  C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe ..
  2⤵
  PID:3156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe" ..
1⤵
PID:1368
- C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
  C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe ..
  2⤵
  PID:4872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe" ..
1⤵
PID:3116
- C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
  C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe ..
  2⤵
  PID:1164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe" ..
1⤵
PID:4624
- C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
  C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe ..
  2⤵
  PID:6088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe" ..
1⤵
PID:3020
- C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
  C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe ..
  2⤵
  PID:1820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe" ..
1⤵
PID:1856
- C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
  C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe ..
  2⤵
  PID:1128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe" ..
1⤵
PID:3788
- C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
  C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe ..
  2⤵
  PID:5056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe" ..
1⤵
PID:2120
- C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
  C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe ..
  2⤵
  PID:2552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe" ..
1⤵
PID:2948
- C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
  C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe ..
  2⤵
  PID:1912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe" ..
1⤵
PID:4888
- C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
  C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe ..
  2⤵
  PID:2752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe" ..
1⤵
PID:5828
- C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
  C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe ..
  2⤵
  PID:5812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe" ..
1⤵
PID:308
- C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
  C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe ..
  2⤵
  PID:464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe" ..
1⤵
PID:4088
- C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
  C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe ..
  2⤵
  PID:5820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe" ..
1⤵
PID:2380
- C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
  C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe ..
  2⤵
  PID:5780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe" ..
1⤵
PID:3868
- C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
  C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe ..
  2⤵
  PID:5012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe" ..
1⤵
PID:5620
- C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
  C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe ..
  2⤵
  PID:2296

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe" ..
1⤵
PID:2616
- C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
  C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe ..
  2⤵
  PID:2492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe" ..
1⤵
PID:4788
- C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
  C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe ..
  2⤵
  PID:2864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe" ..
1⤵
PID:1920
- C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
  C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe ..
  2⤵
  PID:6048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe" ..
1⤵
PID:2504
- C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
  C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe ..
  2⤵
  PID:680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe" ..
1⤵
PID:924
- C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
  C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe ..
  2⤵
  PID:4464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe" ..
1⤵
PID:5292
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3268
- C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
  C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe ..
  2⤵
  PID:448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe" ..
1⤵
PID:636
- C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
  C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe ..
  2⤵
  PID:1100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe" ..
1⤵
PID:684
- C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
  C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe ..
  2⤵
  PID:4940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe" ..
1⤵
PID:4352
- C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
  C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe ..
  2⤵
  PID:4728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe" ..
1⤵
PID:1504
- C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
  C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe ..
  2⤵
  PID:4756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe" ..
1⤵
PID:5432
- C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
  C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe ..
  2⤵
  PID:4344

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe" ..
1⤵
PID:3892
- C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
  C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe ..
  2⤵
  PID:1492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe" ..
1⤵
PID:4692
- C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
  C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe ..
  2⤵
  PID:3700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe" ..
1⤵
PID:2388
- C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
  C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe ..
  2⤵
  PID:1348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe" ..
1⤵
PID:1816
- C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
  C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe ..
  2⤵
  PID:5968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe" ..
1⤵
PID:4312
- C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
  C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe ..
  2⤵
  PID:5032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe" ..
1⤵
PID:5568
- C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
  C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe ..
  2⤵
  PID:1860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe" ..
1⤵
PID:5392
- C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
  C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe ..
  2⤵
  PID:4752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe" ..
1⤵
PID:5548
- C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
  C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe ..
  2⤵
  PID:952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe" ..
1⤵
PID:1136
- C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
  C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe ..
  2⤵
  PID:1372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe" ..
1⤵
PID:1852
- C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
  C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe ..
  2⤵
  PID:3444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe" ..
1⤵
PID:444
- C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
  C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe ..
  2⤵
  PID:1700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe" ..
1⤵
PID:2108
- C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
  C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe ..
  2⤵
  PID:4416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe" ..
1⤵
PID:5084
- C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
  C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe ..
  2⤵
  PID:1932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe" ..
1⤵
PID:6068
- C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
  C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe ..
  2⤵
  PID:4784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe" ..
1⤵
PID:2584
- C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
  C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe ..
  2⤵
  PID:5800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe" ..
1⤵
PID:1612
- C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
  C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe ..
  2⤵
  PID:5092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe" ..
1⤵
PID:5340
- C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
  C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe ..
  2⤵
  PID:6092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe" ..
1⤵
PID:428
- C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
  C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe ..
  2⤵
  PID:5356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe" ..
1⤵
PID:4864
- C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
  C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe ..
  2⤵
  PID:1412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe" ..
1⤵
PID:6096
- C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
  C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe ..
  2⤵
  PID:4288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe" ..
1⤵
PID:3076
- C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
  C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe ..
  2⤵
  PID:1148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe" ..
1⤵
PID:5332
- C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
  C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe ..
  2⤵
  PID:4352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe" ..
1⤵
PID:4272
- C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
  C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe ..
  2⤵
  PID:4756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe" ..
1⤵
PID:2320
- C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
  C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe ..
  2⤵
  PID:4592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe" ..
1⤵
PID:3340
- C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
  C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe ..
  2⤵
  PID:5444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe" ..
1⤵
PID:3960
- C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
  C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe ..
  2⤵
  PID:2552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe" ..
1⤵
PID:5240
- C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
  C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe ..
  2⤵
  PID:2120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe" ..
1⤵
PID:4960
- C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
  C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe ..
  2⤵
  PID:2744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe" ..
1⤵
PID:1720
- C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
  C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe ..
  2⤵
  PID:2580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe" ..
1⤵
PID:4860
- C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
  C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe ..
  2⤵
  PID:3020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe" ..
1⤵
PID:4072
- C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
  C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe ..
  2⤵
  PID:5952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe" ..
1⤵
PID:5500
- C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
  C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe ..
  2⤵
  PID:4148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe" ..
1⤵
PID:1628
- C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
  C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe ..
  2⤵
  PID:5612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe" ..
1⤵
PID:2204
- C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
  C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe ..
  2⤵
  PID:4852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe" ..
1⤵
PID:408
- C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
  C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe ..
  2⤵
  PID:5044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe" ..
1⤵
PID:2916
- C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
  C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe ..
  2⤵
  PID:2340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe" ..
1⤵
PID:1240
- C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
  C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe ..
  2⤵
  PID:2108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe" ..
1⤵
PID:5652
- C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
  C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe ..
  2⤵
  PID:4556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe" ..
1⤵
PID:4604
- C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
  C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe ..
  2⤵
  PID:432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe" ..
1⤵
PID:5972
- C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
  C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe ..
  2⤵
  PID:5124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe" ..
1⤵
PID:2236
- C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
  C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe ..
  2⤵
  PID:3344

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe" ..
1⤵
PID:824
- C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
  C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe ..
  2⤵
  PID:5032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe" ..
1⤵
PID:1768
- C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
  C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe ..
  2⤵
  PID:2356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe" ..
1⤵
PID:1952
- C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
  C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe ..
  2⤵
  PID:5936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe" ..
1⤵
PID:4624
- C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
  C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe ..
  2⤵
  PID:5056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe" ..
1⤵
PID:4672
- C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
  C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe ..
  2⤵
  PID:3656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe" ..
1⤵
PID:3836
- C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
  C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe ..
  2⤵
  PID:4752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe" ..
1⤵
PID:1304
- C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
  C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe ..
  2⤵
  PID:4224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe" ..
1⤵
PID:716
- C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
  C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe ..
  2⤵
  PID:884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe" ..
1⤵
PID:1552
- C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
  C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe ..
  2⤵
  PID:4004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe" ..
1⤵
PID:2320
- C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
  C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe ..
  2⤵
  PID:4008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe" ..
1⤵
PID:5028
- C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
  C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe ..
  2⤵
  PID:3168

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe" ..
1⤵
PID:2040
- C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
  C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe ..
  2⤵
  PID:536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe" ..
1⤵
PID:4516
- C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
  C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe ..
  2⤵
  PID:5376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe" ..
1⤵
PID:5512
- C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
  C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe ..
  2⤵
  PID:2632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe" ..
1⤵
PID:5572
- C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
  C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe ..
  2⤵
  PID:2036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe" ..
1⤵
PID:2900
- C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
  C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe ..
  2⤵
  PID:5072

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe" ..
1⤵
PID:1192
- C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
  C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe ..
  2⤵
  PID:2568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe" ..
1⤵
PID:5304
- C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
  C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe ..
  2⤵
  PID:4668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe" ..
1⤵
PID:2396
- C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
  C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe ..
  2⤵
  PID:5960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe" ..
1⤵
PID:4612
- C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
  C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe ..
  2⤵
  PID:3468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe" ..
1⤵
PID:2200
- C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
  C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe ..
  2⤵
  PID:2236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe" ..
1⤵
PID:5600
- C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
  C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe ..
  2⤵
  PID:3336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe" ..
1⤵
PID:2832
- C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
  C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe ..
  2⤵
  PID:4116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe" ..
1⤵
PID:428
- C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
  C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe ..
  2⤵
  PID:5504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe" ..
1⤵
PID:1172
- C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
  C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe ..
  2⤵
  PID:2400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe" ..
1⤵
PID:1064
- C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
  C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe ..
  2⤵
  PID:2248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe" ..
1⤵
PID:3616
- C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
  C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe ..
  2⤵
  PID:5620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe" ..
1⤵
PID:4016
- C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
  C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe ..
  2⤵
  PID:1920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe" ..
1⤵
PID:3724
- C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
  C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe ..
  2⤵
  PID:1368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe" ..
1⤵
PID:4788
- C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
  C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe ..
  2⤵
  PID:5936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe" ..
1⤵
PID:5408
- C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
  C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe ..
  2⤵
  PID:3432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe" ..
1⤵
PID:3604
- C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
  C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe ..
  2⤵
  PID:1952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe" ..
1⤵
PID:2576
- C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
  C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe ..
  2⤵
  PID:4512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe" ..
1⤵
PID:3076
- C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
  C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe ..
  2⤵
  PID:5820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe" ..
1⤵
PID:2224
- C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
  C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe ..
  2⤵
  PID:1100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe" ..
1⤵
PID:2392
- C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
  C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe ..
  2⤵
  PID:3764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe" ..
1⤵
PID:5192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe" ..
1⤵
PID:5716
- C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe
  C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe ..
  2⤵
  PID:2632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe" ..
1⤵
PID:4604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe" ..
1⤵
PID:4796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\C50488A31B6CE8D0DDD65B57BD27CF8C1BC86AD038247.exe.log

Filesize
319B

MD5
cdab7719c71b2844a3e7ff9e41894b8a

SHA1
8e6e0e55695e468eb3c237f21340c9d30cab922c

SHA256
e84a57ed5465aaca393476f6271a2413dddad154cbae40827c4639bfc0b3e3eb

SHA512
ec92e8fc3ce02336eea401f9db823ac0a2ad87bb41130f493e72f3c5ca100a461d6296a710afcc93e1fe1fc8630c5e0029e17f58583520077a3c80ad794d9dc9

Download Submit
memory/5000-3-0x0000000074770000-0x0000000074D21000-memory.dmp

Filesize
5.7MB

Download
memory/5000-4-0x0000000074770000-0x0000000074D21000-memory.dmp

Filesize
5.7MB

Download
memory/5000-5-0x0000000074770000-0x0000000074D21000-memory.dmp

Filesize
5.7MB

Download
memory/5000-11-0x0000000074770000-0x0000000074D21000-memory.dmp

Filesize
5.7MB

Download
memory/5616-0-0x0000000074772000-0x0000000074773000-memory.dmp

Filesize
4KB

Download
memory/5616-1-0x0000000074770000-0x0000000074D21000-memory.dmp

Filesize
5.7MB

Download
memory/5616-2-0x0000000074770000-0x0000000074D21000-memory.dmp

Filesize
5.7MB

Download
memory/5616-6-0x0000000074772000-0x0000000074773000-memory.dmp

Filesize
4KB

Download
memory/5616-7-0x0000000074770000-0x0000000074D21000-memory.dmp

Filesize
5.7MB

Download
memory/5616-8-0x0000000074770000-0x0000000074D21000-memory.dmp

Filesize
5.7MB

Download