njrat | 7b85fd11662a1771d964d2db2fd5ed9ff8bc3d6a9360493c92d776393b0ab0d4

Analysis

max time kernel
899s
max time network
893s
platform
windows11-21h2_x64
resource
win11-20250313-en
resource tags

arch:x64arch:x86image:win11-20250313-enlocale:en-usos:windows11-21h2-x64system
submitted
01/04/2025, 04:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

test.exe
Size

37KB
MD5

16a43eef020c4257477762921ac3af49
SHA1

70d882c8f1608cb5cffbd79b9529ea05d645e0d6
SHA256

7b85fd11662a1771d964d2db2fd5ed9ff8bc3d6a9360493c92d776393b0ab0d4
SHA512

d205775ab117470a18c8644b95d8fbf50c3c8c766b46eabaed1445db4e32b4bf60ae3ebb96fc6354176e17f77a505d1b7e2a242605a597e326af19b4723840f8
SSDEEP

384:Dq+6WIiejtCVLO309Qmykrt4QdqMjf+vWEWYrAF+rMRTyN/0L+EcoinblneHQM3o:VHdGdkrOGb+eE7rM+rMRa8NuXJt

Score

10^/10

njrat hacked defense_evasion discovery persistence privilege_escalation trojan

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

HacKed

26.215.185.49:5552

Mutex

52391190f1a4711b14e18998ba3c3bd4

Attributes

reg_key
52391190f1a4711b14e18998ba3c3bd4
splitter
|'|'|

Signatures

Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Modifies Windows Firewall 2 TTPs 1 IoCs

defense_evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
904	netsh.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\52391190f1a4711b14e18998ba3c3bd4.exe	test.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\52391190f1a4711b14e18998ba3c3bd4.exe	test.exe

Executes dropped EXE 64 IoCs

pid	Process
2496	test.exe
3316	test.exe
3468	test.exe
2264	test.exe
1400	test.exe
224	test.exe
6040	test.exe
5196	test.exe
3248	test.exe
1260	test.exe
4076	test.exe
2364	test.exe
2820	test.exe
6120	test.exe
3024	test.exe
5608	test.exe
5684	test.exe
5020	test.exe
2224	test.exe
4832	test.exe
4820	test.exe
5568	test.exe
5512	test.exe
492	test.exe
5768	test.exe
2244	test.exe
3552	test.exe
1136	test.exe
5896	test.exe
2688	test.exe
2496	test.exe
5000	test.exe
4924	test.exe
3468	test.exe
224	test.exe
940	test.exe
3912	test.exe
3400	test.exe
3916	test.exe
3052	test.exe
3768	test.exe
4584	test.exe
5028	test.exe
4000	test.exe
980	test.exe
5528	test.exe
3112	test.exe
3360	test.exe
2104	test.exe
2272	test.exe
5700	test.exe
6060	test.exe
1940	test.exe
2316	test.exe
1856	test.exe
4772	test.exe
4768	test.exe
5312	test.exe
128	test.exe
1048	test.exe
1200	test.exe
928	test.exe
1908	test.exe
4932	test.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2081498128-3109241912-2948996266-1000\Software\Microsoft\Windows\CurrentVersion\Run\52391190f1a4711b14e18998ba3c3bd4 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\test.exe\" .."	test.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\52391190f1a4711b14e18998ba3c3bd4 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\test.exe\" .."	test.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	test.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	test.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	test.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	test.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	test.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	test.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	test.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	test.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	test.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	test.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	test.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	test.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	test.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	test.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	test.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	test.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	test.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	test.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	test.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	test.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	test.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	test.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4124	test.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4124	test.exe
Token: 33	4124	test.exe
Token: SeIncBasePriorityPrivilege	4124	test.exe
Token: 33	4124	test.exe
Token: SeIncBasePriorityPrivilege	4124	test.exe
Token: 33	4124	test.exe
Token: SeIncBasePriorityPrivilege	4124	test.exe
Token: 33	4124	test.exe
Token: SeIncBasePriorityPrivilege	4124	test.exe
Token: 33	4124	test.exe
Token: SeIncBasePriorityPrivilege	4124	test.exe
Token: 33	4124	test.exe
Token: SeIncBasePriorityPrivilege	4124	test.exe
Token: 33	4124	test.exe
Token: SeIncBasePriorityPrivilege	4124	test.exe
Token: 33	4124	test.exe
Token: SeIncBasePriorityPrivilege	4124	test.exe
Token: 33	4124	test.exe
Token: SeIncBasePriorityPrivilege	4124	test.exe
Token: 33	4124	test.exe
Token: SeIncBasePriorityPrivilege	4124	test.exe
Token: 33	4124	test.exe
Token: SeIncBasePriorityPrivilege	4124	test.exe
Token: 33	4124	test.exe
Token: SeIncBasePriorityPrivilege	4124	test.exe
Token: 33	4124	test.exe
Token: SeIncBasePriorityPrivilege	4124	test.exe
Token: 33	4124	test.exe
Token: SeIncBasePriorityPrivilege	4124	test.exe
Token: 33	4124	test.exe
Token: SeIncBasePriorityPrivilege	4124	test.exe
Token: 33	4124	test.exe
Token: SeIncBasePriorityPrivilege	4124	test.exe
Token: 33	4124	test.exe
Token: SeIncBasePriorityPrivilege	4124	test.exe
Token: 33	4124	test.exe
Token: SeIncBasePriorityPrivilege	4124	test.exe
Token: 33	4124	test.exe
Token: SeIncBasePriorityPrivilege	4124	test.exe
Token: 33	4124	test.exe
Token: SeIncBasePriorityPrivilege	4124	test.exe
Token: 33	4124	test.exe
Token: SeIncBasePriorityPrivilege	4124	test.exe
Token: 33	4124	test.exe
Token: SeIncBasePriorityPrivilege	4124	test.exe
Token: 33	4124	test.exe
Token: SeIncBasePriorityPrivilege	4124	test.exe
Token: 33	4124	test.exe
Token: SeIncBasePriorityPrivilege	4124	test.exe
Token: 33	4124	test.exe
Token: SeIncBasePriorityPrivilege	4124	test.exe
Token: 33	4124	test.exe
Token: SeIncBasePriorityPrivilege	4124	test.exe
Token: 33	4124	test.exe
Token: SeIncBasePriorityPrivilege	4124	test.exe
Token: 33	4124	test.exe
Token: SeIncBasePriorityPrivilege	4124	test.exe
Token: 33	4124	test.exe
Token: SeIncBasePriorityPrivilege	4124	test.exe
Token: 33	4124	test.exe
Token: SeIncBasePriorityPrivilege	4124	test.exe
Token: 33	4124	test.exe
Token: SeIncBasePriorityPrivilege	4124	test.exe
Token: 33	4124	test.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4124 wrote to memory of 904	4124	test.exe	82
PID 4124 wrote to memory of 904	4124	test.exe	82
PID 4124 wrote to memory of 904	4124	test.exe	82
PID 2416 wrote to memory of 2496	2416	cmd.exe	88
PID 2416 wrote to memory of 2496	2416	cmd.exe	88
PID 2416 wrote to memory of 2496	2416	cmd.exe	88
PID 2036 wrote to memory of 3316	2036	cmd.exe	89
PID 2036 wrote to memory of 3316	2036	cmd.exe	89
PID 2036 wrote to memory of 3316	2036	cmd.exe	89
PID 1216 wrote to memory of 3468	1216	cmd.exe	94
PID 1216 wrote to memory of 3468	1216	cmd.exe	94
PID 1216 wrote to memory of 3468	1216	cmd.exe	94
PID 4932 wrote to memory of 2264	4932	cmd.exe	95
PID 4932 wrote to memory of 2264	4932	cmd.exe	95
PID 4932 wrote to memory of 2264	4932	cmd.exe	95
PID 5108 wrote to memory of 1400	5108	cmd.exe	100
PID 5108 wrote to memory of 1400	5108	cmd.exe	100
PID 5108 wrote to memory of 1400	5108	cmd.exe	100
PID 5348 wrote to memory of 224	5348	cmd.exe	101
PID 5348 wrote to memory of 224	5348	cmd.exe	101
PID 5348 wrote to memory of 224	5348	cmd.exe	101
PID 3720 wrote to memory of 6040	3720	cmd.exe	106
PID 3720 wrote to memory of 6040	3720	cmd.exe	106
PID 3720 wrote to memory of 6040	3720	cmd.exe	106
PID 4576 wrote to memory of 5196	4576	cmd.exe	107
PID 4576 wrote to memory of 5196	4576	cmd.exe	107
PID 4576 wrote to memory of 5196	4576	cmd.exe	107
PID 3800 wrote to memory of 3248	3800	cmd.exe	112
PID 3800 wrote to memory of 3248	3800	cmd.exe	112
PID 3800 wrote to memory of 3248	3800	cmd.exe	112
PID 2404 wrote to memory of 1260	2404	cmd.exe	113
PID 2404 wrote to memory of 1260	2404	cmd.exe	113
PID 2404 wrote to memory of 1260	2404	cmd.exe	113
PID 4248 wrote to memory of 4076	4248	cmd.exe	118
PID 4248 wrote to memory of 4076	4248	cmd.exe	118
PID 4248 wrote to memory of 4076	4248	cmd.exe	118
PID 3748 wrote to memory of 2364	3748	cmd.exe	119
PID 3748 wrote to memory of 2364	3748	cmd.exe	119
PID 3748 wrote to memory of 2364	3748	cmd.exe	119
PID 852 wrote to memory of 2820	852	cmd.exe	124
PID 852 wrote to memory of 2820	852	cmd.exe	124
PID 852 wrote to memory of 2820	852	cmd.exe	124
PID 3788 wrote to memory of 6120	3788	cmd.exe	125
PID 3788 wrote to memory of 6120	3788	cmd.exe	125
PID 3788 wrote to memory of 6120	3788	cmd.exe	125
PID 324 wrote to memory of 3024	324	cmd.exe	130
PID 324 wrote to memory of 3024	324	cmd.exe	130
PID 324 wrote to memory of 3024	324	cmd.exe	130
PID 2116 wrote to memory of 5608	2116	cmd.exe	131
PID 2116 wrote to memory of 5608	2116	cmd.exe	131
PID 2116 wrote to memory of 5608	2116	cmd.exe	131
PID 5500 wrote to memory of 5684	5500	cmd.exe	136
PID 5500 wrote to memory of 5684	5500	cmd.exe	136
PID 5500 wrote to memory of 5684	5500	cmd.exe	136
PID 4332 wrote to memory of 5020	4332	cmd.exe	137
PID 4332 wrote to memory of 5020	4332	cmd.exe	137
PID 4332 wrote to memory of 5020	4332	cmd.exe	137
PID 4260 wrote to memory of 2224	4260	cmd.exe	142
PID 4260 wrote to memory of 2224	4260	cmd.exe	142
PID 4260 wrote to memory of 2224	4260	cmd.exe	142
PID 4884 wrote to memory of 4832	4884	cmd.exe	143
PID 4884 wrote to memory of 4832	4884	cmd.exe	143
PID 4884 wrote to memory of 4832	4884	cmd.exe	143
PID 6128 wrote to memory of 4820	6128	cmd.exe	148

C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4124
- C:\Windows\SysWOW64\netsh.exe
  netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\test.exe" "test.exe" ENABLE
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  PID:904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
- Suspicious use of WriteProcessMemory
PID:2036
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  - Executes dropped EXE
  PID:3316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
- Suspicious use of WriteProcessMemory
PID:2416
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  - Executes dropped EXE
  PID:2496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
- Suspicious use of WriteProcessMemory
PID:1216
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  - Executes dropped EXE
  PID:3468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
- Suspicious use of WriteProcessMemory
PID:4932
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  - Executes dropped EXE
  PID:2264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
- Suspicious use of WriteProcessMemory
PID:5348
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  - Executes dropped EXE
  PID:224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
- Suspicious use of WriteProcessMemory
PID:5108
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  - Executes dropped EXE
  PID:1400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
- Suspicious use of WriteProcessMemory
PID:4576
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  - Executes dropped EXE
  PID:5196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
- Suspicious use of WriteProcessMemory
PID:3720
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  - Executes dropped EXE
  PID:6040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
- Suspicious use of WriteProcessMemory
PID:3800
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  - Executes dropped EXE
  PID:3248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
- Suspicious use of WriteProcessMemory
PID:2404
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  - Executes dropped EXE
  PID:1260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
- Suspicious use of WriteProcessMemory
PID:4248
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  - Executes dropped EXE
  PID:4076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
- Suspicious use of WriteProcessMemory
PID:3748
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  - Executes dropped EXE
  PID:2364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
- Suspicious use of WriteProcessMemory
PID:852
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  - Executes dropped EXE
  PID:2820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
- Suspicious use of WriteProcessMemory
PID:3788
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  - Executes dropped EXE
  PID:6120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
- Suspicious use of WriteProcessMemory
PID:324
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  - Executes dropped EXE
  PID:3024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
- Suspicious use of WriteProcessMemory
PID:2116
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  - Executes dropped EXE
  PID:5608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
- Suspicious use of WriteProcessMemory
PID:4332
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  - Executes dropped EXE
  PID:5020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
- Suspicious use of WriteProcessMemory
PID:5500
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  - Executes dropped EXE
  PID:5684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
- Suspicious use of WriteProcessMemory
PID:4260
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  - Executes dropped EXE
  PID:2224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
- Suspicious use of WriteProcessMemory
PID:4884
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  - Executes dropped EXE
  PID:4832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:584
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  - Executes dropped EXE
  PID:5568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
- Suspicious use of WriteProcessMemory
PID:6128
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  - Executes dropped EXE
  PID:4820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:2256
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  - Executes dropped EXE
  PID:492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:2672
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  - Executes dropped EXE
  PID:5512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:960
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  - Executes dropped EXE
  PID:2244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:5476
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  - Executes dropped EXE
  PID:5768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:1836
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  - Executes dropped EXE
  PID:3552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:712
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  - Executes dropped EXE
  PID:1136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:2088
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  - Executes dropped EXE
  PID:2688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:3396
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  - Executes dropped EXE
  PID:5896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:5736
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  - Executes dropped EXE
  PID:5000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:5128
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  - Executes dropped EXE
  PID:2496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:2416
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  - Executes dropped EXE
  PID:4924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:4376
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  - Executes dropped EXE
  PID:3468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:1640
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  - Executes dropped EXE
  PID:224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:1216
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  - Executes dropped EXE
  PID:940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:5348
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  - Executes dropped EXE
  PID:3912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:3056
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  - Executes dropped EXE
  PID:3400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:2592
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  - Executes dropped EXE
  PID:3916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:3720
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  - Executes dropped EXE
  PID:3052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:5388
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  - Executes dropped EXE
  PID:4584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:1864
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  - Executes dropped EXE
  PID:3768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:420
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  - Executes dropped EXE
  PID:5028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:4436
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  - Executes dropped EXE
  PID:4000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:4308
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:3744
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  - Executes dropped EXE
  PID:5528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:3032
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  - Executes dropped EXE
  PID:3360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:4224
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  - Executes dropped EXE
  PID:3112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:5208
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  - Executes dropped EXE
  PID:2272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:1348
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  - Executes dropped EXE
  PID:2104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:2352
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  - Executes dropped EXE
  PID:6060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:4852
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  - Executes dropped EXE
  PID:5700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:5836
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  - Executes dropped EXE
  PID:1940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:6128
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  - Executes dropped EXE
  PID:2316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:1840
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  - Executes dropped EXE
  PID:1856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:3264
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  - Executes dropped EXE
  PID:4772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:5264
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  - Executes dropped EXE
  PID:4768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:5800
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  - Executes dropped EXE
  PID:5312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:2780
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  - Executes dropped EXE
  PID:128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:1136
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  - Executes dropped EXE
  PID:1048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:5552
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  - Executes dropped EXE
  PID:928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:4276
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  - Executes dropped EXE
  PID:1200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:5260
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  - Executes dropped EXE
  PID:4932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:5332
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  - Executes dropped EXE
  PID:1908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:2512
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:2184
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:5108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:240
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:5216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:4088
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:3912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:2296
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:3356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:4372
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:5904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:3052
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:1616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:1260
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:4744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:844
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:4536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:360
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:3964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:6120
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:4000
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:3884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:4056
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:3288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:5808
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:6064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:3300
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:3012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:3352
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:5436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:4576
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:3284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:5860
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:5380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:1672
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:1116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:768
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:1128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:3440
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:5280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:5368
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:4936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:4552
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:5580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:2416
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:3124
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:5820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:3412
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:5800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:1204
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:5660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:3796
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:2284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:5112
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:1920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:2728
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:5144

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:2112
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:4788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:3064
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:4932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:3760
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:984
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:5588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:1380
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:3712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:2184
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:5216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:5640
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:3920
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:3356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:5784
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:2292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:5224
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:4744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:1260
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:5748
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:4536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:4716
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:4912
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:5508
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:6064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:2136
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:4280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:5644
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:4460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:4456
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:2236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:5236
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:3336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:3272
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:3240
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:4904
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:2352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:2744
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:4848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:2240
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:4936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:4360
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:2216
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:2392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:5244
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:72

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:2416
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:3348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:3124
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:5196
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:5300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:5008
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:3896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:1408
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:3764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:5220
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:2020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:4560
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:5260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:348
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:2052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:6080
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:5732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:1924
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:5396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:3760
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:4680
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:4944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:240
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:5372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:4056
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:4896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:2304
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:5400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:5628
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:5784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:5336
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:2296

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:4820
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:3832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:928
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:1260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:852
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:4716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:1220
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:3876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:2800
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:4320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:2200
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:5804
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:4844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:6084
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:4272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:1932
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:3284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:5088
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:5020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:1352
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:2824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:1904
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:2156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:4496
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:2720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:1112
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:4764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:2512
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:5580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:2524
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:4544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:1668
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:1856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:1772
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:3132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:3476
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:5196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:2284
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:5072

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:488
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:1176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:5472
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:3500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:6076
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:3580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:5708
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:4932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:1556
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:6140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:4992
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:2776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:472
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:2928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:5732
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:2040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:3728
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:668
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:3408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:1380
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:4944
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:2764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:5832
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:1452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:4504
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:5416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:5180
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:5684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:4364
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:1512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:5292
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:2404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:2104
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:2036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:3780
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:1544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:4916
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:3504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:3804
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:4652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:4424
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:2228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:5244
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:5268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:2840
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:2932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:5824
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:5008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:5428
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:1704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:3296
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:4828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:4736
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:1324

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:5308
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:6048
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:5876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:6124
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:4704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:4784
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:3132
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:5904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:3976
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:4892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:5196
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:1268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:3552
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:5616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:1408
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:1164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:5240
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:5348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:4932
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:6036
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:2864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:3112
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:3932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:2776
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:2088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:3128
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:4260
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:1028
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:5808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:3408
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:4088
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:3836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:4092
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:6012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:1532
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:5380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:1552
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:4792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:1836
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:5448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:5524
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:3116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:3956
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:5812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:2404
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:4772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:2700
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:656
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:4552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:2736
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:3360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:5672
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:3484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:5268
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:5144

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:2932
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:5792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:968
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:5252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:4904
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:4188
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:1184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:2676
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:436
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:4596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:4896
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:5060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:4268
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:6080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:4316
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:5332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:3976
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:1268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:1788
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:4368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:5196
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:4680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:3912
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:4272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:5432
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:5492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:3536
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:1116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:1240
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:6036
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:2692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:3540
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:2568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:4044
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:2344

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:3556
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:1124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:928
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:5644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:4308
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:5872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:3444
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:5048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:4252
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:3948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:5620
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:3336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:3100
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:5448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:5128
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:4248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:1836
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:2720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:5336
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:3472
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:2588
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:5132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:5612
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:3360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:656
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:5160

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:5452
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:1704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:1620
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:3316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:4664
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:2460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:5084
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:5252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:4904
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:5172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:1204
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:1412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:2640
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:6120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:2336
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:1488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:6080
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:3248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:3268
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:6064
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:4040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:2800
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:5848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:5072
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:2864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:568
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:3280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:4768
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:4868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:4436
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:6128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:3052
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:6032
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:6060
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:1124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:6140
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:2228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:3556
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:5476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:5140
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:3444
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:2840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:5808
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:5380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:2184
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:2036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:4456
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:2508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:5276
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:5472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:3148
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:4744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:3000
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:4100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:5600
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:5132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:2588
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:4208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:1864
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:3360
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:2956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:5532
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:6008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:3884
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:1208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:5792
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:2084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:2560
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:5088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:1380
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:4664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:5400
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:1860
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:5516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:2348
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:1112
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:1012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:780
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:1392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:3136
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:3984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:1556
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:5848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:6080
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:5796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:5744
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:4256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:2392
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:2032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:3476
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:4776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:3412
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:4768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:3672
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:5812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:6128
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:1664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:3252
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:2156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:2340
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:4148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:4580
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:4676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:4572
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:5736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:5588
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:3232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:2236
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:3712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:5888
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:1784
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:2164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:3264
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:1636
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:4576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:1884
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:2988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:3260
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:2420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:4192
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:3484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:5728
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:6120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:2332
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:3300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:1548
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:4936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:656
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:3784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:5612
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:2960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:2244
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:1052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:3144
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:3348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:2068
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:3076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:5084
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:4824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:4564
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:3832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:4828
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:5200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:3324
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:5732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:784
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:3984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:3136
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:4652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:5000
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:1556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:1164
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:3944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:3036
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:5148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:6064
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:3312
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:4252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:4440
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:3068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:3476
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:3896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:2692
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:1916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:6128
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:1560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:4872
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:2496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:1520
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:1028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:5476
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:6088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:3540
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:3712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:492
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:2736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:2236
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:3772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:5892
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:4196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:5800
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:5608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:3264
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:2256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:5560
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:2988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:5472
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:5896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:5336
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:6120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:4276
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:4024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:1048
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:4936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:1420
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:2020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:2956
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:5548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:5340
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:5584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:1040
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:5088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:4524
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:2880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:5508
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:2056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:5084
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:1012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:5628
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:4188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:5576
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:3452
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:5260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:1144
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:4676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:4544
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:5680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:2924
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:5744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:1536
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:1220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:3796
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:4776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:3964
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:3032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:3384
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:4436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:4868
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:1552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:5788
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:6036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:5708
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:4100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:5804
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:584
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:4200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:3648
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:820
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:2840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:3368
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:3772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:4260
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:2412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:2236
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:5608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:2508
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:3152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:1000
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:4812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:2416
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:2284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:4792
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:5224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:4224
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:5164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:5536
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:3720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:5568
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:4276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:2752
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:2960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:5600
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:1260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:864
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:2948
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:1116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:4256
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:1132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:3360
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:3788
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:1776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:668
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:2068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:5084
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:3268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:968
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:3452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:5176
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:4040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:5320
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:4932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:6016
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:5380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:1520
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:2216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:4212
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:2996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:4672
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:5872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:2828
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:5128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:1484
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:3760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:2392
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:2276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:3388
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:2688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:2156
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:5020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:3476
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:2936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:5804
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:1788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:5172
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:3364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:5644
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:2436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:2532
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:5404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:996
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:3784
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:4080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:5296
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:2256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:1136
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:5312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:3016
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:1412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:2416
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:3264
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:2592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:2004
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:1572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:2660
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:4940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:428
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:5524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:3124
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:1208
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:5772
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:2396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:3688
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:1184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:5144
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:1524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:3344
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:4896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:2344
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:1488
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:2316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:4984
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:1496
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:1868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:5500
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:5176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:6060
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:4496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:5264
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:6028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:1676
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:1520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:224
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:4248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:2084
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:5300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:1920
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:4372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:4868
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:6116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:3328
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:4100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:5244
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:2720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:1680
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:3240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:4208
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:4872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:820
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:2840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:2264
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:3540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:2404
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:4000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:5476
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:5644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:960
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:5088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:5588
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:3784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:3100
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:2508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:5368
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:5008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:6120
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:3260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:4724
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:1664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:4516
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:4192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:6020
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:5060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:1180
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:3296

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:3988
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:3932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:780
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:1464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:4836
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:3124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:1132
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:2480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:1536
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:4056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:5052
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:3500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:4196
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:3320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:2932
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:5400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:5200
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:1324
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:4984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:1264
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:1836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:756
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:3780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:3048
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:5500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:3504
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:5264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:2212
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:5048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:4460
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:608
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:5612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:908
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:5608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:5024
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:1552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:844
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:2392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:5532
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:5504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:3016
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:3440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:3984
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:2936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:3216
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:2744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:1704
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:5780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:5792
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:4944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:4308
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:3772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:1420
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:4080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:5160
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:1220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:5516
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:1936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:4452
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:5192
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:3068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:3148
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:5164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:4848
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:1492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:3652
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:4400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:2012
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:5396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:5576
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:3988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:5380
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:3900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:1992
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:5320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:1368
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:2252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:5468
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:6096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:3292
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:2088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:2244
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:4196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:4076
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:3672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:5400
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:3756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:1000
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:3568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:4736
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:5152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:4596
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:3728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:3804
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:4936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:2264
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:1512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:5256
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:1616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:720
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:5848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:928
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe ..
  2⤵
  PID:5096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:3044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.exe" ..
1⤵
PID:2896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\test.exe.log

Filesize
319B

MD5
2a0834560ed3770fc33d7a42f8229722

SHA1
c8c85f989e7a216211cf9e4ce90b0cc95354aa53

SHA256
8aa2d836004258f1a1195dc4a96215b685aed0c46a261a2860625d424e9402b6

SHA512
c5b64d84e57eb8cc387b5feedf7719f1f7ae21f6197169f5f73bc86deddb538b9af3c9952c94c4f69ae956e1656d11ab7441c292d2d850a4d2aaa9ec678f8e82

Download Submit
C:\Users\Admin\AppData\Local\Temp\test.exe

Filesize
37KB

MD5
16a43eef020c4257477762921ac3af49

SHA1
70d882c8f1608cb5cffbd79b9529ea05d645e0d6

SHA256
7b85fd11662a1771d964d2db2fd5ed9ff8bc3d6a9360493c92d776393b0ab0d4

SHA512
d205775ab117470a18c8644b95d8fbf50c3c8c766b46eabaed1445db4e32b4bf60ae3ebb96fc6354176e17f77a505d1b7e2a242605a597e326af19b4723840f8

Download Submit
memory/2496-4-0x00007FFDDF000000-0x00007FFDDF209000-memory.dmp

Filesize
2.0MB

Download
memory/3316-5-0x00007FFDDF000000-0x00007FFDDF209000-memory.dmp

Filesize
2.0MB

Download
memory/4124-0-0x00007FFDDF000000-0x00007FFDDF209000-memory.dmp

Filesize
2.0MB

Download
memory/4124-6-0x00007FFDDF000000-0x00007FFDDF209000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads