njrat | 1b6f1fe005004eb302cc536bdb4841e2224ca706a9e6ed04ebc7cb86c4bb6ebf

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
31/03/2025, 16:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1b6f1fe005004eb302cc536bdb4841e2224ca706a9e6ed04ebc7cb86c4bb6ebf.exe
Size

23KB
MD5

c68fa9e0a6c46464ffc55536e04cd0cb
SHA1

46a01b1c1ed07b403704595b54da788f87758fba
SHA256

1b6f1fe005004eb302cc536bdb4841e2224ca706a9e6ed04ebc7cb86c4bb6ebf
SHA512

89c31eeba8ae22d34496584ddc4671e4b21f83ed54e16cd3e7f66fedd36dffa1915e7d2fbfcdf7cce4bf03d68cb77d53e7f03a6b42aa796bd35f506ce2952387
SSDEEP

384:zY324bcgPiJLQrfARGSRUJsbY6ZgvSMBD3t8mRvR6JZlbw8hqIusZzZwzCFy:cL2s+tRyRpcnuHGU

Score

10^/10

njrat defense_evasion discovery persistence privilege_escalation trojan

Malware Config

Signatures

Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Modifies Windows Firewall 2 TTPs 1 IoCs

defense_evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
4832	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	1b6f1fe005004eb302cc536bdb4841e2224ca706a9e6ed04ebc7cb86c4bb6ebf.exe

Executes dropped EXE 64 IoCs

pid	Process
4472	cheat.exe
1000	cheat.exe
1496	cheat.exe
4880	cheat.exe
856	cheat.exe
4576	cheat.exe
4376	cheat.exe
2544	cheat.exe
4420	cheat.exe
2492	cheat.exe
4272	cheat.exe
1172	cheat.exe
5016	cheat.exe
2324	cheat.exe
2420	cheat.exe
2824	cheat.exe
1828	cheat.exe
4824	cheat.exe
1868	cheat.exe
1352	cheat.exe
1036	cheat.exe
4628	cheat.exe
644	cheat.exe
3360	cheat.exe
1764	cheat.exe
3720	cheat.exe
1628	cheat.exe
396	cheat.exe
3328	cheat.exe
4020	cheat.exe
4396	cheat.exe
3628	cheat.exe
412	cheat.exe
4992	cheat.exe
5056	cheat.exe
2116	cheat.exe
4936	cheat.exe
4704	cheat.exe
4944	cheat.exe
5096	cheat.exe
780	cheat.exe
4092	cheat.exe
2404	cheat.exe
2828	cheat.exe
5012	cheat.exe
2832	cheat.exe
4752	cheat.exe
1284	cheat.exe
2652	cheat.exe
2272	cheat.exe
2384	cheat.exe
2684	cheat.exe
3496	cheat.exe
3292	cheat.exe
964	cheat.exe
4644	cheat.exe
3104	cheat.exe
3932	cheat.exe
1444	cheat.exe
4880	cheat.exe
2500	cheat.exe
4376	cheat.exe
3868	cheat.exe
4604	cheat.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\efea00bfd82100063e3ba5f5434189d9 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\cheat.exe\" .."	cheat.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\efea00bfd82100063e3ba5f5434189d9 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\cheat.exe\" .."	cheat.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
48	4.tcp.ngrok.io
83	4.tcp.ngrok.io
96	4.tcp.ngrok.io
30	4.tcp.ngrok.io

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheat.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: SeDebugPrivilege	4472	cheat.exe
Token: 33	4472	cheat.exe
Token: SeIncBasePriorityPrivilege	4472	cheat.exe
Token: 33	4472	cheat.exe
Token: SeIncBasePriorityPrivilege	4472	cheat.exe
Token: 33	4472	cheat.exe
Token: SeIncBasePriorityPrivilege	4472	cheat.exe
Token: 33	4472	cheat.exe
Token: SeIncBasePriorityPrivilege	4472	cheat.exe
Token: 33	4472	cheat.exe
Token: SeIncBasePriorityPrivilege	4472	cheat.exe
Token: 33	4472	cheat.exe
Token: SeIncBasePriorityPrivilege	4472	cheat.exe
Token: 33	4472	cheat.exe
Token: SeIncBasePriorityPrivilege	4472	cheat.exe
Token: 33	4472	cheat.exe
Token: SeIncBasePriorityPrivilege	4472	cheat.exe
Token: 33	4472	cheat.exe
Token: SeIncBasePriorityPrivilege	4472	cheat.exe
Token: 33	4472	cheat.exe
Token: SeIncBasePriorityPrivilege	4472	cheat.exe
Token: 33	4472	cheat.exe
Token: SeIncBasePriorityPrivilege	4472	cheat.exe
Token: 33	4472	cheat.exe
Token: SeIncBasePriorityPrivilege	4472	cheat.exe
Token: 33	4472	cheat.exe
Token: SeIncBasePriorityPrivilege	4472	cheat.exe
Token: 33	4472	cheat.exe
Token: SeIncBasePriorityPrivilege	4472	cheat.exe
Token: 33	4472	cheat.exe
Token: SeIncBasePriorityPrivilege	4472	cheat.exe
Token: 33	4472	cheat.exe
Token: SeIncBasePriorityPrivilege	4472	cheat.exe
Token: 33	4472	cheat.exe
Token: SeIncBasePriorityPrivilege	4472	cheat.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3456 wrote to memory of 4472	3456	1b6f1fe005004eb302cc536bdb4841e2224ca706a9e6ed04ebc7cb86c4bb6ebf.exe	92
PID 3456 wrote to memory of 4472	3456	1b6f1fe005004eb302cc536bdb4841e2224ca706a9e6ed04ebc7cb86c4bb6ebf.exe	92
PID 3456 wrote to memory of 4472	3456	1b6f1fe005004eb302cc536bdb4841e2224ca706a9e6ed04ebc7cb86c4bb6ebf.exe	92
PID 4472 wrote to memory of 4832	4472	cheat.exe	97
PID 4472 wrote to memory of 4832	4472	cheat.exe	97
PID 4472 wrote to memory of 4832	4472	cheat.exe	97
PID 216 wrote to memory of 1000	216	cmd.exe	103
PID 216 wrote to memory of 1000	216	cmd.exe	103
PID 216 wrote to memory of 1000	216	cmd.exe	103
PID 220 wrote to memory of 1496	220	cmd.exe	104
PID 220 wrote to memory of 1496	220	cmd.exe	104
PID 220 wrote to memory of 1496	220	cmd.exe	104
PID 4524 wrote to memory of 4880	4524	cmd.exe	109
PID 4524 wrote to memory of 4880	4524	cmd.exe	109
PID 4524 wrote to memory of 4880	4524	cmd.exe	109
PID 1652 wrote to memory of 856	1652	cmd.exe	110
PID 1652 wrote to memory of 856	1652	cmd.exe	110
PID 1652 wrote to memory of 856	1652	cmd.exe	110
PID 3484 wrote to memory of 4576	3484	cmd.exe	115
PID 3484 wrote to memory of 4576	3484	cmd.exe	115
PID 3484 wrote to memory of 4576	3484	cmd.exe	115
PID 2628 wrote to memory of 4376	2628	cmd.exe	116
PID 2628 wrote to memory of 4376	2628	cmd.exe	116
PID 2628 wrote to memory of 4376	2628	cmd.exe	116
PID 4740 wrote to memory of 2544	4740	cmd.exe	121
PID 4740 wrote to memory of 2544	4740	cmd.exe	121
PID 4740 wrote to memory of 2544	4740	cmd.exe	121
PID 4840 wrote to memory of 4420	4840	cmd.exe	122
PID 4840 wrote to memory of 4420	4840	cmd.exe	122
PID 4840 wrote to memory of 4420	4840	cmd.exe	122
PID 2936 wrote to memory of 2492	2936	cmd.exe	127
PID 2936 wrote to memory of 2492	2936	cmd.exe	127
PID 2936 wrote to memory of 2492	2936	cmd.exe	127
PID 676 wrote to memory of 4272	676	cmd.exe	128
PID 676 wrote to memory of 4272	676	cmd.exe	128
PID 676 wrote to memory of 4272	676	cmd.exe	128
PID 3284 wrote to memory of 1172	3284	cmd.exe	133
PID 3284 wrote to memory of 1172	3284	cmd.exe	133
PID 3284 wrote to memory of 1172	3284	cmd.exe	133
PID 4812 wrote to memory of 5016	4812	cmd.exe	134
PID 4812 wrote to memory of 5016	4812	cmd.exe	134
PID 4812 wrote to memory of 5016	4812	cmd.exe	134
PID 1476 wrote to memory of 2324	1476	cmd.exe	139
PID 1476 wrote to memory of 2324	1476	cmd.exe	139
PID 1476 wrote to memory of 2324	1476	cmd.exe	139
PID 4744 wrote to memory of 2420	4744	cmd.exe	140
PID 4744 wrote to memory of 2420	4744	cmd.exe	140
PID 4744 wrote to memory of 2420	4744	cmd.exe	140
PID 3496 wrote to memory of 2824	3496	cmd.exe	145
PID 3496 wrote to memory of 2824	3496	cmd.exe	145
PID 3496 wrote to memory of 2824	3496	cmd.exe	145
PID 2572 wrote to memory of 1828	2572	cmd.exe	146
PID 2572 wrote to memory of 1828	2572	cmd.exe	146
PID 2572 wrote to memory of 1828	2572	cmd.exe	146
PID 1468 wrote to memory of 4824	1468	cmd.exe	151
PID 1468 wrote to memory of 4824	1468	cmd.exe	151
PID 1468 wrote to memory of 4824	1468	cmd.exe	151
PID 1448 wrote to memory of 1868	1448	cmd.exe	152
PID 1448 wrote to memory of 1868	1448	cmd.exe	152
PID 1448 wrote to memory of 1868	1448	cmd.exe	152
PID 3556 wrote to memory of 1352	3556	cmd.exe	157
PID 3556 wrote to memory of 1352	3556	cmd.exe	157
PID 3556 wrote to memory of 1352	3556	cmd.exe	157
PID 1848 wrote to memory of 1036	1848	cmd.exe	158

C:\Users\Admin\AppData\Local\Temp\1b6f1fe005004eb302cc536bdb4841e2224ca706a9e6ed04ebc7cb86c4bb6ebf.exe
"C:\Users\Admin\AppData\Local\Temp\1b6f1fe005004eb302cc536bdb4841e2224ca706a9e6ed04ebc7cb86c4bb6ebf.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3456
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  "C:\Users\Admin\AppData\Local\Temp\cheat.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4472
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\cheat.exe" "cheat.exe" ENABLE
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:4832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
- Suspicious use of WriteProcessMemory
PID:216
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
- Suspicious use of WriteProcessMemory
PID:220
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - Executes dropped EXE
  PID:1496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
- Suspicious use of WriteProcessMemory
PID:1652
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - Executes dropped EXE
  PID:856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
- Suspicious use of WriteProcessMemory
PID:4524
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - Executes dropped EXE
  PID:4880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
- Suspicious use of WriteProcessMemory
PID:3484
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - Executes dropped EXE
  PID:4576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
- Suspicious use of WriteProcessMemory
PID:2628
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - Executes dropped EXE
  PID:4376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
- Suspicious use of WriteProcessMemory
PID:4840
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - Executes dropped EXE
  PID:4420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
- Suspicious use of WriteProcessMemory
PID:4740
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - Executes dropped EXE
  PID:2544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
- Suspicious use of WriteProcessMemory
PID:2936
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - Executes dropped EXE
  PID:2492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
- Suspicious use of WriteProcessMemory
PID:676
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - Executes dropped EXE
  PID:4272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
- Suspicious use of WriteProcessMemory
PID:4812
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - Executes dropped EXE
  PID:5016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
- Suspicious use of WriteProcessMemory
PID:3284
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - Executes dropped EXE
  PID:1172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
- Suspicious use of WriteProcessMemory
PID:1476
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2324

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
- Suspicious use of WriteProcessMemory
PID:4744
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - Executes dropped EXE
  PID:2420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
- Suspicious use of WriteProcessMemory
PID:3496
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - Executes dropped EXE
  PID:2824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
- Suspicious use of WriteProcessMemory
PID:2572
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
- Suspicious use of WriteProcessMemory
PID:1468
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - Executes dropped EXE
  PID:4824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
- Suspicious use of WriteProcessMemory
PID:1448
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - Executes dropped EXE
  PID:1868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
- Suspicious use of WriteProcessMemory
PID:1848
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
- Suspicious use of WriteProcessMemory
PID:3556
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - Executes dropped EXE
  PID:1352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:3912
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - Executes dropped EXE
  PID:644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:3648
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:4420
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - Executes dropped EXE
  PID:1764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:2032
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:3816
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - Executes dropped EXE
  PID:3720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:2492
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - Executes dropped EXE
  PID:1628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:3088
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - Executes dropped EXE
  PID:396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:4236
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - Executes dropped EXE
  PID:3328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:1452
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - Executes dropped EXE
  PID:4020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:4884
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - Executes dropped EXE
  PID:4396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:1284
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - Executes dropped EXE
  PID:412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:4432
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - Executes dropped EXE
  PID:3628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:208
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - Executes dropped EXE
  PID:5056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:2272
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - Executes dropped EXE
  PID:4992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:4980
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:2684
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - Executes dropped EXE
  PID:2116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:5104
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - Executes dropped EXE
  PID:4704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:708
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - Executes dropped EXE
  PID:4944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:2816
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - Executes dropped EXE
  PID:780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:4716
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - Executes dropped EXE
  PID:5096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:3816
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - Executes dropped EXE
  PID:4092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:2936
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - Executes dropped EXE
  PID:2404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:4036
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - Executes dropped EXE
  PID:5012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:396
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - Executes dropped EXE
  PID:2828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:3212
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - Executes dropped EXE
  PID:2832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:3472
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - Executes dropped EXE
  PID:4752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:3628
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - Executes dropped EXE
  PID:2652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:4840
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:5056
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - Executes dropped EXE
  PID:2272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:3048
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - Executes dropped EXE
  PID:2384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:4164
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - Executes dropped EXE
  PID:3496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:1300
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - Executes dropped EXE
  PID:2684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:4704
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - Executes dropped EXE
  PID:3292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:1856
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - Executes dropped EXE
  PID:964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:4980
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - Executes dropped EXE
  PID:4644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:228
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - Executes dropped EXE
  PID:3104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:2224
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:3560
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - Executes dropped EXE
  PID:3932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:4524
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - Executes dropped EXE
  PID:4880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:4764
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:780
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - Executes dropped EXE
  PID:3868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:4828
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - Executes dropped EXE
  PID:4376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:1036
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - Executes dropped EXE
  PID:4604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:2572
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:4804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:3332
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:1476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:3760
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:4180
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:2708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:3764
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:4428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:3952
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:1800
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:228
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:1148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:4440
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:1628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:2408
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:4436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:3384
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:2604
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:1880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:2728
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:4512
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:1568
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:4452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:4676
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:4992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:784
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:5100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:1188
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:4704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:4616
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:396
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:1280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:964
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:4252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:2292
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:3932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:1740
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:4848
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:3692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:1712
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:1308
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:4212
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:3868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:2604
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:2728
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:2332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:3624
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:3048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:4240
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:1504
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:4236
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:4884
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:3704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:5104
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:4512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:4252
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:1444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:708
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:2652
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:3940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:3212
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:3120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:3548
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:4956
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:4164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:1880
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:4116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:2004
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:4212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:1036
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:2108
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:1108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:3720
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:4700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:656
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:1988
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:1096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:3080
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:4584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:4092
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:1512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:1084
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:4888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:1944
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:3952
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:1864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:4764
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:3212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:2252
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:2268
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:2356
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:3332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:4936
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:640
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:2956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:2272
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:2544
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:3628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:3088
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:5056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:784
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:3428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:3456
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:1764
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:3284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:2224
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:1276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:2880
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:4488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:1464
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:1444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:628
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:5012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:3440
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:3932
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:4740
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:3900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:4444
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:3332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:1184
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:3328
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:4124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:5096
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:4816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:4280
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:1188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:1800
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:3628
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:4372
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:1300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:3428
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:3644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:1956
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:4840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:5064
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:4180

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:4488
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:4572
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:4460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:5012
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:708
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:4704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:4484
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:1764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:2060
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:4520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:3668
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:4956
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:4124
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:644
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:1308

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:3896
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:4752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:1188
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:3048
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:4508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:2952
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:556
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:1524
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:4436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:2096
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:1088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:2732
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:4936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:1944
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:1952
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:2880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:4236
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:3088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:4616
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:3104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:1084
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:2708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:3816
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:4744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:2504
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:2648
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:3668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:376
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:1036
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:4636
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:3208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:4156
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:2004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:3080
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:2464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:2116
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:4256
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:2408
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:5056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:3436
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:3764
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:1744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:1968
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:2224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:964
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:1136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:4820
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:2544
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:2572
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:2000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:748
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:1628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:4480
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:3992
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:1332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:3936
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:1216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:1544
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:1952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:4704
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:376
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:3404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:4636
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:2952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:4804
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:4884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:2056
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:3544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:3080
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:4200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:740
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:4136
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:3672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:5104
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:1032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:2204
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:964
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:5004
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:2652
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:4500
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:1708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:2436
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:2740
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:4888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:644
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:4020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:1308
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:1008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:3428
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:3500
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:4488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:1636
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:4676
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:1084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:4984
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2324

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:4876
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:2960
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:4172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:3708
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:3548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:3196
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:3576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:4212
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:4532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:1540
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:2832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:2544
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:4616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:4344
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:2652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:872
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:4048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:1144
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:1744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:3332
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:4888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:1596
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:4680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:4520
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:4652
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:2828
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:2796
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:4428
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:3760
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:748
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:5044
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:2408
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:2044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:3636
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:4716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:2824
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:2960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:4136
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:3572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:620
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:3860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:1032
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:4056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:1136
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:2820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:2544
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:3788
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:3932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:456
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:872
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:1764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:2252
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:3980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:1016
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:3608
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:3624
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:4252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:4932
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:4124
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:2464
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:4804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:3564
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:4676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:1856
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:4024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:4436
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:5024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:2408
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:4732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:3340
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:3560
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:4160

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:532
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:2516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:3868
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:216
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:4116
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:4536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:4408
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:2572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:1864
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:2808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:3528
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:3644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:2108
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:3980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:1476
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:2172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:4200
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:4212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cheat.exe" ..
1⤵
PID:780
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  C:\Users\Admin\AppData\Local\Temp\cheat.exe ..
  2⤵
  PID:4620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\cheat.exe.log

Filesize
319B

MD5
91046f2e147049d3e53cd9bf9d4d95ed

SHA1
228e347d062840b2edcbd16904475aacad414c62

SHA256
ea92f8291b86440b98162409b1f9f04470455c22be01a1480ea5ebc37eb168dc

SHA512
071a9c6e17760a726c3a4519cf8006f36f17f50946af0129e0e1f3e480f6b7fcc804a7614b044247f2420a8b2b46bec5b8493e4869bb918bc7c0f6aa1346c3e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cheat.exe

Filesize
23KB

MD5
c68fa9e0a6c46464ffc55536e04cd0cb

SHA1
46a01b1c1ed07b403704595b54da788f87758fba

SHA256
1b6f1fe005004eb302cc536bdb4841e2224ca706a9e6ed04ebc7cb86c4bb6ebf

SHA512
89c31eeba8ae22d34496584ddc4671e4b21f83ed54e16cd3e7f66fedd36dffa1915e7d2fbfcdf7cce4bf03d68cb77d53e7f03a6b42aa796bd35f506ce2952387

Download Submit
memory/3456-0-0x0000000074B02000-0x0000000074B03000-memory.dmp

Filesize
4KB

Download
memory/3456-1-0x0000000074B00000-0x00000000750B1000-memory.dmp

Filesize
5.7MB

Download
memory/3456-2-0x0000000074B00000-0x00000000750B1000-memory.dmp

Filesize
5.7MB

Download
memory/3456-13-0x0000000074B00000-0x00000000750B1000-memory.dmp

Filesize
5.7MB

Download
memory/4472-12-0x0000000074B00000-0x00000000750B1000-memory.dmp

Filesize
5.7MB

Download
memory/4472-14-0x0000000074B00000-0x00000000750B1000-memory.dmp

Filesize
5.7MB

Download
memory/4472-21-0x0000000074B00000-0x00000000750B1000-memory.dmp

Filesize
5.7MB

Download
memory/4472-24-0x0000000074B00000-0x00000000750B1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads