njrat | be045197a762a6d773cd7ddbe97b3a2e5ddac683c271c080fe75cdf03d87b98a

Analysis

max time kernel
729s
max time network
742s
platform
windows10-ltsc_2021_x64
resource
win10ltsc2021-20250314-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250314-enlocale:en-usos:windows10-ltsc_2021-x64system
submitted
01/04/2025, 06:22 UTC

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

Server.exe
Size

37KB
MD5

69a63826396394dda992a5031f523b11
SHA1

6ca89b77eaa65d9c970d0071dc2677f852517fc5
SHA256

be045197a762a6d773cd7ddbe97b3a2e5ddac683c271c080fe75cdf03d87b98a
SHA512

aaba1ee3c874a2bd0ca8da8dd5ffa44f57209ac6ed97b44f7ca689b2dbcc45af62256a12edb360e18ea0165c386dff1f7dabf7ffd43b6d3fd6ed2d4eb67c4f1c
SSDEEP

384:EWqBkiyjnDNGRn5IyUvapIrPbh+/VsIt6xrAF+rMRTyN/0L+EcoinblneHQM3epd:x35M5jUvairANsIQxrM+rMRa8NuiGt

Score

10^/10

njrat hacked defense_evasion discovery persistence privilege_escalation trojan

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

HacKed

26.ip.gl.ply.gg:55609

Mutex

e70d52b52cebf51e595b7b1265a8cbe7

Attributes

reg_key
e70d52b52cebf51e595b7b1265a8cbe7
splitter
|'|'|

Signatures

Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Modifies Windows Firewall 2 TTPs 1 IoCs

defense_evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2776	netsh.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1498259476-758239146-3116387113-1000\Control Panel\International\Geo\Nation	ssr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1498259476-758239146-3116387113-1000\Control Panel\International\Geo\Nation	Server.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\e70d52b52cebf51e595b7b1265a8cbe7.exe	ssr.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\e70d52b52cebf51e595b7b1265a8cbe7.exe	ssr.exe

Executes dropped EXE 64 IoCs

pid	Process
2012	ssr.exe
2448	ssr.exe
972	ssr.exe
3836	ssr.exe
5064	ssr.exe
2476	ssr.exe
5192	ssr.exe
4132	ssr.exe
5476	ssr.exe
4472	ssr.exe
6076	ssr.exe
5856	ssr.exe
5940	ssr.exe
4516	ssr.exe
4860	ssr.exe
6024	ssr.exe
5236	ssr.exe
3944	ssr.exe
3488	ssr.exe
548	ssr.exe
1096	ssr.exe
4476	ssr.exe
1044	ssr.exe
1540	ssr.exe
916	ssr.exe
3840	ssr.exe
5148	ssr.exe
4384	ssr.exe
5092	ssr.exe
2728	ssr.exe
2680	ssr.exe
3620	ssr.exe
5068	ssr.exe
3852	ssr.exe
6012	ssr.exe
5072	ssr.exe
3968	ssr.exe
3680	ssr.exe
4196	ssr.exe
448	ssr.exe
1872	ssr.exe
1212	ssr.exe
552	ssr.exe
5468	ssr.exe
5992	ssr.exe
3548	ssr.exe
4832	ssr.exe
2208	ssr.exe
5428	ssr.exe
2960	ssr.exe
2800	ssr.exe
5104	ssr.exe
4272	ssr.exe
3060	ssr.exe
3016	ssr.exe
5124	ssr.exe
5444	ssr.exe
5220	ssr.exe
4816	ssr.exe
2264	ssr.exe
3136	ssr.exe
1104	ssr.exe
2308	ssr.exe
1608	ssr.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1498259476-758239146-3116387113-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\e70d52b52cebf51e595b7b1265a8cbe7 = "\"C:\\Users\\Admin\\AppData\\Roaming\\ssr.exe\" .."	ssr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\e70d52b52cebf51e595b7b1265a8cbe7 = "\"C:\\Users\\Admin\\AppData\\Roaming\\ssr.exe\" .."	ssr.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ssr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ssr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ssr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ssr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ssr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ssr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ssr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ssr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ssr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ssr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ssr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ssr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ssr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ssr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ssr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ssr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ssr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ssr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ssr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ssr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ssr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ssr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ssr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	Process not Found
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	Process not Found

Kills process with taskkill 1 IoCs

defense_evasion

pid	Process
2244	Process not Found

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2012	ssr.exe
2012	ssr.exe
2012	ssr.exe
2012	ssr.exe
2012	ssr.exe
2012	ssr.exe
2012	ssr.exe
2012	ssr.exe
2012	ssr.exe
2012	ssr.exe
2012	ssr.exe
2012	ssr.exe
2012	ssr.exe
2012	ssr.exe
2012	ssr.exe
2012	ssr.exe
2012	ssr.exe
2012	ssr.exe
2012	ssr.exe
2012	ssr.exe
2012	ssr.exe
2012	ssr.exe
2012	ssr.exe
2012	ssr.exe
2012	ssr.exe
2012	ssr.exe
2012	ssr.exe
2012	ssr.exe
2012	ssr.exe
2012	ssr.exe
2012	ssr.exe
2012	ssr.exe
2012	ssr.exe
2012	ssr.exe
2012	ssr.exe
2012	ssr.exe
2012	ssr.exe
2012	ssr.exe
2012	ssr.exe
2012	ssr.exe
2012	ssr.exe
2012	ssr.exe
2012	ssr.exe
2012	ssr.exe
2012	ssr.exe
2012	ssr.exe
2012	ssr.exe
2012	ssr.exe
2012	ssr.exe
2012	ssr.exe
2012	ssr.exe
2012	ssr.exe
2012	ssr.exe
2012	ssr.exe
2012	ssr.exe
2012	ssr.exe
2012	ssr.exe
2012	ssr.exe
2012	ssr.exe
2012	ssr.exe
2012	ssr.exe
2012	ssr.exe
2012	ssr.exe
2012	ssr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2012	ssr.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2012	ssr.exe
Token: 33	2012	ssr.exe
Token: SeIncBasePriorityPrivilege	2012	ssr.exe
Token: 33	2012	ssr.exe
Token: SeIncBasePriorityPrivilege	2012	ssr.exe
Token: 33	2012	ssr.exe
Token: SeIncBasePriorityPrivilege	2012	ssr.exe
Token: 33	2012	ssr.exe
Token: SeIncBasePriorityPrivilege	2012	ssr.exe
Token: 33	2012	ssr.exe
Token: SeIncBasePriorityPrivilege	2012	ssr.exe
Token: 33	2012	ssr.exe
Token: SeIncBasePriorityPrivilege	2012	ssr.exe
Token: 33	2012	ssr.exe
Token: SeIncBasePriorityPrivilege	2012	ssr.exe
Token: 33	2012	ssr.exe
Token: SeIncBasePriorityPrivilege	2012	ssr.exe
Token: 33	2012	ssr.exe
Token: SeIncBasePriorityPrivilege	2012	ssr.exe
Token: 33	2012	ssr.exe
Token: SeIncBasePriorityPrivilege	2012	ssr.exe
Token: 33	2012	ssr.exe
Token: SeIncBasePriorityPrivilege	2012	ssr.exe
Token: 33	2012	ssr.exe
Token: SeIncBasePriorityPrivilege	2012	ssr.exe
Token: 33	2012	ssr.exe
Token: SeIncBasePriorityPrivilege	2012	ssr.exe
Token: 33	2012	ssr.exe
Token: SeIncBasePriorityPrivilege	2012	ssr.exe
Token: 33	2012	ssr.exe
Token: SeIncBasePriorityPrivilege	2012	ssr.exe
Token: 33	2012	ssr.exe
Token: SeIncBasePriorityPrivilege	2012	ssr.exe
Token: 33	2012	ssr.exe
Token: SeIncBasePriorityPrivilege	2012	ssr.exe
Token: 33	2012	ssr.exe
Token: SeIncBasePriorityPrivilege	2012	ssr.exe
Token: 33	2012	ssr.exe
Token: SeIncBasePriorityPrivilege	2012	ssr.exe
Token: 33	2012	ssr.exe
Token: SeIncBasePriorityPrivilege	2012	ssr.exe
Token: 33	2012	ssr.exe
Token: SeIncBasePriorityPrivilege	2012	ssr.exe
Token: 33	2012	ssr.exe
Token: SeIncBasePriorityPrivilege	2012	ssr.exe
Token: 33	2012	ssr.exe
Token: SeIncBasePriorityPrivilege	2012	ssr.exe
Token: 33	2012	ssr.exe
Token: SeIncBasePriorityPrivilege	2012	ssr.exe
Token: 33	2012	ssr.exe
Token: SeIncBasePriorityPrivilege	2012	ssr.exe
Token: 33	2012	ssr.exe
Token: SeIncBasePriorityPrivilege	2012	ssr.exe
Token: 33	2012	ssr.exe
Token: SeIncBasePriorityPrivilege	2012	ssr.exe
Token: 33	2012	ssr.exe
Token: SeIncBasePriorityPrivilege	2012	ssr.exe
Token: 33	2012	ssr.exe
Token: SeIncBasePriorityPrivilege	2012	ssr.exe
Token: 33	2012	ssr.exe
Token: SeIncBasePriorityPrivilege	2012	ssr.exe
Token: 33	2012	ssr.exe
Token: SeIncBasePriorityPrivilege	2012	ssr.exe
Token: 33	2012	ssr.exe

Suspicious use of FindShellTrayWindow 41 IoCs

pid	Process
1432	Process not Found
1432	Process not Found
1432	Process not Found
1432	Process not Found
1432	Process not Found
1432	Process not Found
1432	Process not Found
1432	Process not Found
1432	Process not Found
1432	Process not Found
1432	Process not Found
1432	Process not Found
1432	Process not Found
1432	Process not Found
1432	Process not Found
1432	Process not Found
1432	Process not Found
1432	Process not Found
1432	Process not Found
1432	Process not Found
1432	Process not Found
1432	Process not Found
1432	Process not Found
1432	Process not Found
1432	Process not Found
1432	Process not Found
1432	Process not Found
1432	Process not Found
1432	Process not Found
1432	Process not Found
1432	Process not Found
1432	Process not Found
1432	Process not Found
1432	Process not Found
1432	Process not Found
1432	Process not Found
1432	Process not Found
1432	Process not Found
1432	Process not Found
1432	Process not Found
1432	Process not Found

Suspicious use of SendNotifyMessage 41 IoCs

pid	Process
1432	Process not Found
1432	Process not Found
1432	Process not Found
1432	Process not Found
1432	Process not Found
1432	Process not Found
1432	Process not Found
1432	Process not Found
1432	Process not Found
1432	Process not Found
1432	Process not Found
1432	Process not Found
1432	Process not Found
1432	Process not Found
1432	Process not Found
1432	Process not Found
1432	Process not Found
1432	Process not Found
1432	Process not Found
1432	Process not Found
1432	Process not Found
1432	Process not Found
1432	Process not Found
1432	Process not Found
1432	Process not Found
1432	Process not Found
1432	Process not Found
1432	Process not Found
1432	Process not Found
1432	Process not Found
1432	Process not Found
1432	Process not Found
1432	Process not Found
1432	Process not Found
1432	Process not Found
1432	Process not Found
1432	Process not Found
1432	Process not Found
1432	Process not Found
1432	Process not Found
1432	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1432 wrote to memory of 2012	1432	Server.exe	87
PID 1432 wrote to memory of 2012	1432	Server.exe	87
PID 1432 wrote to memory of 2012	1432	Server.exe	87
PID 2012 wrote to memory of 2776	2012	ssr.exe	90
PID 2012 wrote to memory of 2776	2012	ssr.exe	90
PID 2012 wrote to memory of 2776	2012	ssr.exe	90
PID 4768 wrote to memory of 2448	4768	cmd.exe	96
PID 4768 wrote to memory of 2448	4768	cmd.exe	96
PID 4768 wrote to memory of 2448	4768	cmd.exe	96
PID 4760 wrote to memory of 972	4760	cmd.exe	97
PID 4760 wrote to memory of 972	4760	cmd.exe	97
PID 4760 wrote to memory of 972	4760	cmd.exe	97
PID 2668 wrote to memory of 3836	2668	cmd.exe	102
PID 2668 wrote to memory of 3836	2668	cmd.exe	102
PID 2668 wrote to memory of 3836	2668	cmd.exe	102
PID 1992 wrote to memory of 5064	1992	cmd.exe	103
PID 1992 wrote to memory of 5064	1992	cmd.exe	103
PID 1992 wrote to memory of 5064	1992	cmd.exe	103
PID 5116 wrote to memory of 2476	5116	cmd.exe	108
PID 5116 wrote to memory of 2476	5116	cmd.exe	108
PID 5116 wrote to memory of 2476	5116	cmd.exe	108
PID 5108 wrote to memory of 5192	5108	cmd.exe	109
PID 5108 wrote to memory of 5192	5108	cmd.exe	109
PID 5108 wrote to memory of 5192	5108	cmd.exe	109
PID 3396 wrote to memory of 4132	3396	cmd.exe	114
PID 3396 wrote to memory of 4132	3396	cmd.exe	114
PID 3396 wrote to memory of 4132	3396	cmd.exe	114
PID 4864 wrote to memory of 5476	4864	cmd.exe	115
PID 4864 wrote to memory of 5476	4864	cmd.exe	115
PID 4864 wrote to memory of 5476	4864	cmd.exe	115
PID 4172 wrote to memory of 6076	4172	cmd.exe	120
PID 4172 wrote to memory of 6076	4172	cmd.exe	120
PID 4172 wrote to memory of 6076	4172	cmd.exe	120
PID 4168 wrote to memory of 4472	4168	cmd.exe	121
PID 4168 wrote to memory of 4472	4168	cmd.exe	121
PID 4168 wrote to memory of 4472	4168	cmd.exe	121
PID 2020 wrote to memory of 5856	2020	cmd.exe	126
PID 2020 wrote to memory of 5856	2020	cmd.exe	126
PID 2020 wrote to memory of 5856	2020	cmd.exe	126
PID 4044 wrote to memory of 5940	4044	cmd.exe	127
PID 4044 wrote to memory of 5940	4044	cmd.exe	127
PID 4044 wrote to memory of 5940	4044	cmd.exe	127
PID 3288 wrote to memory of 4516	3288	cmd.exe	132
PID 3288 wrote to memory of 4516	3288	cmd.exe	132
PID 3288 wrote to memory of 4516	3288	cmd.exe	132
PID 2268 wrote to memory of 4860	2268	cmd.exe	133
PID 2268 wrote to memory of 4860	2268	cmd.exe	133
PID 2268 wrote to memory of 4860	2268	cmd.exe	133
PID 4036 wrote to memory of 6024	4036	cmd.exe	138
PID 4036 wrote to memory of 6024	4036	cmd.exe	138
PID 4036 wrote to memory of 6024	4036	cmd.exe	138
PID 4404 wrote to memory of 5236	4404	cmd.exe	139
PID 4404 wrote to memory of 5236	4404	cmd.exe	139
PID 4404 wrote to memory of 5236	4404	cmd.exe	139
PID 804 wrote to memory of 3944	804	cmd.exe	144
PID 804 wrote to memory of 3944	804	cmd.exe	144
PID 804 wrote to memory of 3944	804	cmd.exe	144
PID 1700 wrote to memory of 3488	1700	cmd.exe	145
PID 1700 wrote to memory of 3488	1700	cmd.exe	145
PID 1700 wrote to memory of 3488	1700	cmd.exe	145
PID 5080 wrote to memory of 548	5080	cmd.exe	150
PID 5080 wrote to memory of 548	5080	cmd.exe	150
PID 5080 wrote to memory of 548	5080	cmd.exe	150
PID 4072 wrote to memory of 1096	4072	cmd.exe	151

C:\Users\Admin\AppData\Local\Temp\Server.exe
"C:\Users\Admin\AppData\Local\Temp\Server.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1432
- C:\Users\Admin\AppData\Roaming\ssr.exe
  "C:\Users\Admin\AppData\Roaming\ssr.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2012
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\ssr.exe" "ssr.exe" ENABLE
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:2776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
- Suspicious use of WriteProcessMemory
PID:4760
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  - Executes dropped EXE
  PID:972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
- Suspicious use of WriteProcessMemory
PID:4768
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  - Executes dropped EXE
  PID:2448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
- Suspicious use of WriteProcessMemory
PID:1992
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  - Executes dropped EXE
  PID:5064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
- Suspicious use of WriteProcessMemory
PID:2668
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  - Executes dropped EXE
  PID:3836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
- Suspicious use of WriteProcessMemory
PID:5108
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  - Executes dropped EXE
  PID:5192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
- Suspicious use of WriteProcessMemory
PID:5116
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  - Executes dropped EXE
  PID:2476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
- Suspicious use of WriteProcessMemory
PID:3396
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  - Executes dropped EXE
  PID:4132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
- Suspicious use of WriteProcessMemory
PID:4864
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  - Executes dropped EXE
  PID:5476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
- Suspicious use of WriteProcessMemory
PID:4168
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  - Executes dropped EXE
  PID:4472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
- Suspicious use of WriteProcessMemory
PID:4172
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  - Executes dropped EXE
  PID:6076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
- Suspicious use of WriteProcessMemory
PID:4044
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  - Executes dropped EXE
  PID:5940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
- Suspicious use of WriteProcessMemory
PID:2020
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  - Executes dropped EXE
  PID:5856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
- Suspicious use of WriteProcessMemory
PID:3288
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  - Executes dropped EXE
  PID:4516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
- Suspicious use of WriteProcessMemory
PID:2268
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  - Executes dropped EXE
  PID:4860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
- Suspicious use of WriteProcessMemory
PID:4404
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  - Executes dropped EXE
  PID:5236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
- Suspicious use of WriteProcessMemory
PID:4036
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  - Executes dropped EXE
  PID:6024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
- Suspicious use of WriteProcessMemory
PID:1700
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  - Executes dropped EXE
  PID:3488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
- Suspicious use of WriteProcessMemory
PID:804
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  - Executes dropped EXE
  PID:3944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
- Suspicious use of WriteProcessMemory
PID:4072
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  - Executes dropped EXE
  PID:1096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
- Suspicious use of WriteProcessMemory
PID:5080
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  - Executes dropped EXE
  PID:548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:2960
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  - Executes dropped EXE
  PID:4476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:1216
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  - Executes dropped EXE
  PID:1044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:4712
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  - Executes dropped EXE
  PID:1540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:6120
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  - Executes dropped EXE
  PID:916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:1564
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  - Executes dropped EXE
  PID:3840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:1244
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  - Executes dropped EXE
  PID:5148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:4584
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  - Executes dropped EXE
  PID:5092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:4556
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  - Executes dropped EXE
  PID:4384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:3608
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  - Executes dropped EXE
  PID:2680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:2904
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  - Executes dropped EXE
  PID:2728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:4720
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  - Executes dropped EXE
  PID:5068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:4960
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  - Executes dropped EXE
  PID:3620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:5976
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  - Executes dropped EXE
  PID:3852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:2596
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  - Executes dropped EXE
  PID:6012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:3768
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  - Executes dropped EXE
  PID:3968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:6044
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  - Executes dropped EXE
  PID:5072

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:6076
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  - Executes dropped EXE
  PID:4196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:3012
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  - Executes dropped EXE
  PID:3680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:4576
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  - Executes dropped EXE
  PID:448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:1004
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  - Executes dropped EXE
  PID:1872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:2652
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  - Executes dropped EXE
  PID:552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:1896
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  - Executes dropped EXE
  PID:1212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:2788
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  - Executes dropped EXE
  PID:5992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:4900
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  - Executes dropped EXE
  PID:5468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:4856
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  - Executes dropped EXE
  PID:4832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:4948
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  - Executes dropped EXE
  PID:3548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:1352
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  - Executes dropped EXE
  PID:5428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:2488
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:4476
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  - Executes dropped EXE
  PID:2800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:2856
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  - Executes dropped EXE
  PID:2960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:1396
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:916
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  - Executes dropped EXE
  PID:5104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:3268
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  - Executes dropped EXE
  PID:3016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:2640
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  - Executes dropped EXE
  PID:3060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:2180
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  - Executes dropped EXE
  PID:5124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:4656
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  - Executes dropped EXE
  PID:5444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:4104
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  - Executes dropped EXE
  PID:5220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:5332
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  - Executes dropped EXE
  PID:4816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:1820
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  - Executes dropped EXE
  PID:2264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:1208
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:4548
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  - Executes dropped EXE
  PID:1104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:5624
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  - Executes dropped EXE
  PID:2308

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:5976
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  - Executes dropped EXE
  PID:1608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:4316
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:5072

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:5188
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:3048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:6116
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:1272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:5532
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:2944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:4160
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:5904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:5084
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:3644
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:1956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:4516
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:3000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:1896
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:1244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:5236
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:6028
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:2448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:5212
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:4740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:444
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:5884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:1096
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:5836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:5536
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:3972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:5920
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:4036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:384
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:4376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:2952
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:4400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:916
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:4628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:2224
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:1636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:1028
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:3932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:3624
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:6080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:2660
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:3328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:4936
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:1776
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:4912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:1984
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:5864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:4440
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:5744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:2264
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:3632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:5432
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:5956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:4716
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:4864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:3852
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:1812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:1032
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:4316
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:1352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:4852
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:5532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:2324
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:1884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:2076
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:4712
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:2544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:4460
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:4512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:4388
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:5608
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:5476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:5784
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:1968
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:3668
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:8

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:5852
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:6140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:2800
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:5880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:2160
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:4528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:5032
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:1428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:3608
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:5776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:4980
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:5456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:4424
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:4416
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:5352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:2500
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:5944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:5016
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:5624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:5316
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:4012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:4652
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:1776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:3228
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:5864
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:1004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:2596
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:2644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:4612
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:4832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:2788
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:5036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:1640
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:3732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:820
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:1592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:4800
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:3700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:3776
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:2908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:4068
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:1960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:3964
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:5600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:5804
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:6064
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:1244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:5548
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:4860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:4656
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:5140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:5132
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:6024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:4040
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:5304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:5260
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:1968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:4544
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:1168

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:776
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:1808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:3972
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:4528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:3240
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:1900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:4036
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:3996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:1544
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:5368
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:4148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:5192
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:6072

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:5144
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:2904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:4768
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:4896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:5176
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:2092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:5344
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:3224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:4168
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:2544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:4268
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:5960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:6060
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:5384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:3132
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:1468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:2440
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:4612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:4824
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:2924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:5848
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:1640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:3692
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:2660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:1592
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:2020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:5764
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:1096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:5220
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:1440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:2584
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:5888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:5600
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:4356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:3644
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:3708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:2560
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:2176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:3684
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:3640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:5900
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:5076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:3272
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:4948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:4004
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:1260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:5304
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:5164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:5104
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:3892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:1808
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:3648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:1988
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:3772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:5752
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:3968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:3652
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:4696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:544
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:2268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:940
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:3728
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:4732
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:4944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:1812
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:1032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:6112
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:1176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:1352
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:1748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:5128
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:2032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:2212
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:2812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:3824
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:3604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:5384
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:5788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:2192
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:3932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:3756
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:6048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:3036
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:3188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:3532
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:2312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:412
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:1592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:5160
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:3288
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:3116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:4272
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:2324

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:1428
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:5676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:5572
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:5468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:6064
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:4556
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:2560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:3976
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:1868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:3808
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:5636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:2640
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:3096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:5348
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:3868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:1768
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:2732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:2668
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:2680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:5856
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:1364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:5440
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:4912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:4584
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:4712
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:2216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:5312
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:5616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:5096
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:3728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:6092
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:640
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:5904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:4960
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:2800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:5488
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:3560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:3544
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:4472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:3368
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:4188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:4620
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:5788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:5320
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:4924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:4796
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:2808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:5744
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:3932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:5596
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:3048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:3800
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:5004
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:5880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:1700
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:2564
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:2472
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:5056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:5888
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:4808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:5776
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:2036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:4516
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:2596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:4904
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:2176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:4676
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:4400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:4152
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:4976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:4948
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:3636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:5060
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:3844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:4160
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:2680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:4008
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:3648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:2500
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:3972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:6100
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:1172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:5584
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:4476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:1952
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:4840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:5632
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:1064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:3128
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:4964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:5564
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:5904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:4308
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:2288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:4640
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:3668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:4864
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:1984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:3768
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:3200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:1440
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:3824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:3644
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:4784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:1804
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:4404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:5756
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:5608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:5748
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:4384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:5900
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:3036
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:4548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:1968
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:2068
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:3288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:5220
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:2472
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:3576
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:4448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:4356
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:4888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:6072
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:3936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:6056
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:3232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:4680
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:4948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:2044
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:2256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:4848
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:5344

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:4736
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:5016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:188
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:5108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:5068
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:2500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:1736
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:4840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:5536
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:2896
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:2224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:4532
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:2696
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:4988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:4084
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:3012
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:4004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:4524
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:4864
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:2252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:2980
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:2488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:1432
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:1788
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:5284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:3060
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:5476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:3932
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:1860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:2760
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:5732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:6052
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:5760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:4800
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:4288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:4768
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:3800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:5828
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:2732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:1452
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:4616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:4528
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:1496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:5808
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:4692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:4560
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:5472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:2952
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:5148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:1772
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:5612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:4584
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:4148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:2932
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:2616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:3728
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:5352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:2044
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:5836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:5176
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:2728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:6036
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:4348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:2292
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:3972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:5720
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:6100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:5384
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:5508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:2568
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:2588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:2596
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:6128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:3612
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:5952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:2504
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:4360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:2020
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:4728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:5880
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:4580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:3828
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:3560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:4924
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:2800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:1420
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:1212
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:3592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:3056
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:1924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:5248
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:1104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:1500
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:4092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:1456
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:5368
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:3036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:1244
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:3104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:6068
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:1768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:5040
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:3400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:2544
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:4164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:1096
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:2120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:984
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:1080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:3708
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:2264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:3720
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:4400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:3000
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:5744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:3996
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:2208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:4584
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:3304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:3136
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:3012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:2480
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:4848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:3100
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:2612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:4008
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:3832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:1276
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:4748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:4868
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:1736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:5340
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:4900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:3824
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:1148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:5968
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:3644
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:5992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:5692
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:4716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:324
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:5880
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:2704
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:3080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:2488
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:1432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:5668
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:5284
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:1300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:5804
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:4356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:388
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:4532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:1396
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:4092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:5192
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:5004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:5732
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:2696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:1244
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:4736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:3844
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:3400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:5080
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:4652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:5824
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:4196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:1096
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:2384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:2984
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:4312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:2920
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:3976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:3132
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:5744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:4420
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:2208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:3000
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:3268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:1772
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:5540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:5076
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:2548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:5376
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:5788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:5260
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:2292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:1884
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:4500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:1668
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:4428
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:3768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:5624
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:2176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:5940
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:3228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:5724
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:3644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:5648
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:5212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:3732
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:4588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:4412
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:448
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:1552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:5068
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:1388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:5356
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:1224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:4712
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:4808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:6064
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:2036
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:2784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:3116
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:4516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:4084
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:2696
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:2284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:5560
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:2312
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:3288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:5064
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:5304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:2612
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:1108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:2472
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:1748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:5244
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:1048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:3356
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:3316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:4140
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:1440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:5700
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:4976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:4344
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:3868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:5564
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:5996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:4944
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:4732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:972
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:2564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:1132
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:5828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:4004
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:5792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:2772
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:1788
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:1548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:1540
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:1148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:4428
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:3756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:6048
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:2080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:2072
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:4988
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:2640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:5904
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:4040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:5756
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:5868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:1452
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:6004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:5364
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:1388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:1432
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:1660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:568
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:1056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:536
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:4560
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:2752
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:4292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:5876
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:4136
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:1176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:4992
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:4896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:5320
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:5048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:3152
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:3668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:1820
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:2960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:4728
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:3020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:6104
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:2200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:5440
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:3284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:5056
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:5584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:4888
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:3368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:1468
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:5956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:2920
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:1180
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:2256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:3000
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:5992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:4732
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:4920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:1812
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:4052
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:2044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:4272
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:1884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:2860
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:6096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:4692
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:2580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:3492
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:4592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:5624
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:1564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:5556
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:5028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:2080
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:4660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:976
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:1608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:556
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:4952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:664
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:2916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:5360
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:920
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:5080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:8
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:6140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:5284
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:4104
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:4720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:2820
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:3684
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:1300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:4092
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:3764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:2828
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:2260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:2284
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:3808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:4420
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:2340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:5292
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:1140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:4848
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:1988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:2312
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:6068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:1592
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:2360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:4628
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:2120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:1536
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:3972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:4612
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:4596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:6120
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:1352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:5816
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:5432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:544
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:5312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:6072
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:5380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:5736
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:2952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:2988
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:4732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:3088
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:5944
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:3216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:1244
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:2020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:3128
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:6036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:5660
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:4940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:224
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:3932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:5748
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:1148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:5760
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:3840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:1748
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:6048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:4516
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:4192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:5116
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:2980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:5832
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:1012
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:5512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:6044
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:2076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:4616
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:1452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:4652
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:1428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:2800
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:5148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:3872
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:3548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:6104
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:5548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:1048
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:3396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:5176
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:4092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:2924
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:4408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:4900
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:4400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:460
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:5564
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:4848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:5600
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:3288
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:1168

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:5472
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:5920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:3108
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:1816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:1128
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:2500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:5720
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:4124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:4028
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:1952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:2600
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:4188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:3756
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:1664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:3660
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:4116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:2640
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:2084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:4380
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:5376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:2636
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:2292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:1004
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:4488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:5820
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:2476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:920
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:2808
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:4104
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:6076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:3272
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:5848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:2080
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:2036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:4476
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:1152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:4784
- C:\Users\Admin\AppData\Roaming\ssr.exe
  C:\Users\Admin\AppData\Roaming\ssr.exe ..
  2⤵
  PID:3564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\ssr.exe" ..
1⤵
PID:664

Network

DNS

26.ip.gl.ply.gg

ssr.exe

Remote address:

8.8.8.8:53

Request

26.ip.gl.ply.gg

IN A

Response

26.ip.gl.ply.gg

IN A

147.185.221.26
DNS

c.pki.goog

Remote address:

8.8.8.8:53

Request

c.pki.goog

IN A

Response

c.pki.goog

IN CNAME

pki-goog.l.google.com

pki-goog.l.google.com

IN A

142.250.187.227
GET

http://c.pki.goog/r/r1.crl

Remote address:

142.250.187.227:80

Request

GET /r/r1.crl HTTP/1.1
Cache-Control: max-age = 3000
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Thu, 25 Jul 2024 14:48:00 GMT
User-Agent: Microsoft-CryptoAPI/10.0
Host: c.pki.goog

Response

HTTP/1.1 304 Not Modified

Date: Tue, 01 Apr 2025 06:04:43 GMT
Expires: Tue, 01 Apr 2025 06:54:43 GMT
Age: 1160
Last-Modified: Thu, 25 Jul 2024 14:48:00 GMT
Cache-Control: public, max-age=3000
Vary: Accept-Encoding
DNS

26.ip.gl.ply.gg

ssr.exe

Remote address:

8.8.8.8:53

Request

26.ip.gl.ply.gg

IN A

Response

26.ip.gl.ply.gg

IN A

147.185.221.26
DNS

checkappexec.microsoft.com

Remote address:

8.8.8.8:53

Request

checkappexec.microsoft.com

IN A

Response

checkappexec.microsoft.com

IN CNAME

prod-atm-wds-apprep.trafficmanager.net

prod-atm-wds-apprep.trafficmanager.net

IN CNAME

prod-agic-uw-2.ukwest.cloudapp.azure.com

prod-agic-uw-2.ukwest.cloudapp.azure.com

IN A

51.140.244.186
POST

https://checkappexec.microsoft.com/windows/shell/actions

Remote address:

51.140.244.186:443

Request

POST /windows/shell/actions HTTP/2.0
host: checkappexec.microsoft.com
accept-encoding: gzip, deflate
user-agent: SmartScreen/2814751014982010
authorization: SmartScreenHash eyJhdXRoSWQiOiJhZGZmZjVhZC1lZjllLTQzYTYtYjFhMy0yYWQ0MjY3YWVlZDUiLCJoYXNoIjoiOW13NTFZdWZ0SFU9Iiwia2V5IjoiOGVoNFJwOXdiTUtESXJPWU5QNUc4Zz09In0=
content-length: 1461
content-type: application/json; charset=utf-8
cache-control: no-cache

Response

HTTP/2.0 200

date: Tue, 01 Apr 2025 06:34:17 GMT
content-type: application/json; charset=utf-8
content-length: 183
server: Kestrel
cache-control: max-age=0, private
request-context: appId=cid-v1:365e21c6-df19-4b1c-a612-b572489ace31

147.185.221.26:55609

26.ip.gl.ply.gg

ssr.exe

1.1kB
398 B
9
9
147.185.221.26:55609

26.ip.gl.ply.gg

ssr.exe

1.4kB
398 B
10
9
147.185.221.26:55609

26.ip.gl.ply.gg

ssr.exe

1.3kB
358 B
9
8
147.185.221.26:55609

26.ip.gl.ply.gg

ssr.exe

1.4kB
398 B
10
9
147.185.221.26:55609

26.ip.gl.ply.gg

ssr.exe

1.4kB
398 B
10
9
147.185.221.26:55609

26.ip.gl.ply.gg

ssr.exe

1.4kB
398 B
10
9
147.185.221.26:55609

26.ip.gl.ply.gg

ssr.exe

1.4kB
398 B
10
9
142.250.187.227:80

http://c.pki.goog/r/r1.crl

http

476 B
395 B
6
4

HTTP Request

GET http://c.pki.goog/r/r1.crl

HTTP Response

304
147.185.221.26:55609

26.ip.gl.ply.gg

ssr.exe

1.4kB
398 B
10
9
147.185.221.26:55609

26.ip.gl.ply.gg

ssr.exe

1.4kB
398 B
10
9
147.185.221.26:55609

26.ip.gl.ply.gg

ssr.exe

1.2kB
294 B
9
7
147.185.221.26:55609

26.ip.gl.ply.gg

ssr.exe

1.4kB
398 B
10
9
147.185.221.26:55609

26.ip.gl.ply.gg

ssr.exe

1.4kB
398 B
10
9
147.185.221.26:55609

26.ip.gl.ply.gg

ssr.exe

1.4kB
398 B
10
9
147.185.221.26:55609

26.ip.gl.ply.gg

ssr.exe

1.4kB
398 B
10
9
147.185.221.26:55609

26.ip.gl.ply.gg

ssr.exe

1.3kB
358 B
9
8
147.185.221.26:55609

26.ip.gl.ply.gg

ssr.exe

1.4kB
398 B
10
9
147.185.221.26:55609

26.ip.gl.ply.gg

ssr.exe

1.4kB
398 B
10
9
147.185.221.26:55609

26.ip.gl.ply.gg

ssr.exe

1.4kB
398 B
10
9
147.185.221.26:55609

26.ip.gl.ply.gg

ssr.exe

1.4kB
398 B
10
9
147.185.221.26:55609

26.ip.gl.ply.gg

ssr.exe

1.3kB
358 B
9
8
147.185.221.26:55609

26.ip.gl.ply.gg

ssr.exe

1.4kB
398 B
10
9
147.185.221.26:55609

26.ip.gl.ply.gg

ssr.exe

1.4kB
398 B
10
9
147.185.221.26:55609

26.ip.gl.ply.gg

ssr.exe

1.4kB
398 B
10
9
147.185.221.26:55609

26.ip.gl.ply.gg

ssr.exe

1.4kB
398 B
10
9
147.185.221.26:55609

26.ip.gl.ply.gg

ssr.exe

1.4kB
398 B
10
9
147.185.221.26:55609

26.ip.gl.ply.gg

ssr.exe

1.4kB
398 B
10
9
147.185.221.26:55609

26.ip.gl.ply.gg

ssr.exe

1.8kB
358 B
10
8
147.185.221.26:55609

26.ip.gl.ply.gg

ssr.exe

1.4kB
398 B
10
9
147.185.221.26:55609

26.ip.gl.ply.gg

ssr.exe

1.4kB
398 B
10
9
147.185.221.26:55609

26.ip.gl.ply.gg

ssr.exe

1.4kB
398 B
10
9
147.185.221.26:55609

26.ip.gl.ply.gg

ssr.exe

1.4kB
346 B
11
8
147.185.221.26:55609

26.ip.gl.ply.gg

ssr.exe

1.4kB
358 B
9
8
147.185.221.26:55609

26.ip.gl.ply.gg

ssr.exe

1.4kB
398 B
10
9
147.185.221.26:55609

26.ip.gl.ply.gg

ssr.exe

1.4kB
398 B
10
9
147.185.221.26:55609

26.ip.gl.ply.gg

ssr.exe

1.4kB
398 B
11
9
147.185.221.26:55609

26.ip.gl.ply.gg

ssr.exe

1.4kB
398 B
10
9
147.185.221.26:55609

26.ip.gl.ply.gg

ssr.exe

1.3kB
358 B
9
8
147.185.221.26:55609

26.ip.gl.ply.gg

ssr.exe

1.4kB
398 B
10
9
147.185.221.26:55609

26.ip.gl.ply.gg

ssr.exe

1.4kB
398 B
10
9
147.185.221.26:55609

26.ip.gl.ply.gg

ssr.exe

1.4kB
398 B
10
9
147.185.221.26:55609

26.ip.gl.ply.gg

ssr.exe

1.4kB
398 B
10
9
147.185.221.26:55609

26.ip.gl.ply.gg

ssr.exe

1.3kB
358 B
9
8
147.185.221.26:55609

26.ip.gl.ply.gg

ssr.exe

1.4kB
398 B
10
9
147.185.221.26:55609

26.ip.gl.ply.gg

ssr.exe

1.4kB
398 B
10
9
147.185.221.26:55609

26.ip.gl.ply.gg

ssr.exe

1.4kB
398 B
10
9
147.185.221.26:55609

26.ip.gl.ply.gg

ssr.exe

1.4kB
398 B
10
9
147.185.221.26:55609

26.ip.gl.ply.gg

ssr.exe

1.3kB
358 B
9
8
147.185.221.26:55609

26.ip.gl.ply.gg

ssr.exe

1.4kB
398 B
10
9
147.185.221.26:55609

26.ip.gl.ply.gg

ssr.exe

3.5kB
46.1kB
52
86
147.185.221.26:55609

26.ip.gl.ply.gg

ssr.exe

8.4MB
49.0kB
6274
1176
51.140.244.186:443

https://checkappexec.microsoft.com/windows/shell/actions

tls, http2

3.2kB
9.5kB
22
16

HTTP Request

POST https://checkappexec.microsoft.com/windows/shell/actions

HTTP Response

200

8.8.8.8:53

26.ip.gl.ply.gg

dns

ssr.exe

61 B
77 B
1
1

DNS Request

26.ip.gl.ply.gg

DNS Response

147.185.221.26
8.8.8.8:53

c.pki.goog

dns

56 B
107 B
1
1

DNS Request

c.pki.goog

DNS Response

142.250.187.227
8.8.8.8:53

26.ip.gl.ply.gg

dns

ssr.exe

61 B
77 B
1
1

DNS Request

26.ip.gl.ply.gg

DNS Response

147.185.221.26
8.8.8.8:53

checkappexec.microsoft.com

dns

72 B
191 B
1
1

DNS Request

checkappexec.microsoft.com

DNS Response

51.140.244.186

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\ssr.exe.log

Filesize
319B

MD5
cdab7719c71b2844a3e7ff9e41894b8a

SHA1
8e6e0e55695e468eb3c237f21340c9d30cab922c

SHA256
e84a57ed5465aaca393476f6271a2413dddad154cbae40827c4639bfc0b3e3eb

SHA512
ec92e8fc3ce02336eea401f9db823ac0a2ad87bb41130f493e72f3c5ca100a461d6296a710afcc93e1fe1fc8630c5e0029e17f58583520077a3c80ad794d9dc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp21E1.tmp.exe

Filesize
29KB

MD5
685c1eade930e2b40f02f98328fca44d

SHA1
e42f950e1dbed069d7c337c9ff09f55fb90afdf6

SHA256
ec85087f6830b71f106871c59dc8ffa0de91cc3d8ce8c269b7264359d9b4e80b

SHA512
aceb433536f6f8f684219c2d62b64604175d1eb8fb0c3d0aba819c81b6793f2f96b2c8b13d7311f7513234d8d9e62dbb61750156d9ee8d8fdfdb7b5ec69262fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8952.tmp.cmd

Filesize
33B

MD5
fbd69abeac8dcb3c03f69a0731ee6291

SHA1
2c475b94765e4f2dcb5c84143a4195fee28c99ed

SHA256
2398de257f8774e03b68fbd5d3b62651930c6fc6d5fd1df43ae4cd9f6ec0e6e3

SHA512
69a64bf4dbc7cb8d63560bbbc3dc56c91802864dc0f0dfe5bee1e953622d4f44e3f03787b70ab0da6eb8bea0dc969b37d856140a4fca8994ed60fecc2de11f8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpAAF.tmp.exe

Filesize
28KB

MD5
6c2210ba180f0e1b9d831c3c6c14c8b4

SHA1
00bebdf704f4cabf254583c6ad87c6e72872b61a

SHA256
501c36ac282029ccf7950a4957d4c10ea72fe18f0ad8d6daeabfe628fa4070a7

SHA512
26a63ad05199cf45acd7519fbc63945097b4c4a89bb2cdfa4f87ba004e1ce106220b0b99419e656de26d164265b3868a9ce541c71b05d4e4db1a9a1343130e9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC2C7.tmp.exe

Filesize
29KB

MD5
a7a746707ca4e136585570eef6daf2d4

SHA1
50705953b5184d8c0fea9c10619d765648976b78

SHA256
d3cf09c638fb94b81343c94dd1a9d7ee385a5240a1f3d78fc70dc591b417999d

SHA512
dc97a3cdeb599c976bac9ef4e901c97e4bf02035b6ea60c0e8d9a288b220ca66545a4810842623574293ff09bd4c60fdfaa878fd4e7aa2dbd493d4f001fb0ce5

Download Submit
C:\Users\Admin\AppData\Roaming\ssr.exe

Filesize
37KB

MD5
69a63826396394dda992a5031f523b11

SHA1
6ca89b77eaa65d9c970d0071dc2677f852517fc5

SHA256
be045197a762a6d773cd7ddbe97b3a2e5ddac683c271c080fe75cdf03d87b98a

SHA512
aaba1ee3c874a2bd0ca8da8dd5ffa44f57209ac6ed97b44f7ca689b2dbcc45af62256a12edb360e18ea0165c386dff1f7dabf7ffd43b6d3fd6ed2d4eb67c4f1c

Download Submit
memory/1372-103-0x0000000000790000-0x000000000079E000-memory.dmp

Filesize
56KB

Download
memory/1432-124-0x0000022B74B00000-0x0000022B74B01000-memory.dmp

Filesize
4KB

Download
memory/1432-129-0x0000022B74B00000-0x0000022B74B01000-memory.dmp

Filesize
4KB

Download
memory/1432-123-0x0000022B74B00000-0x0000022B74B01000-memory.dmp

Filesize
4KB

Download
memory/1432-118-0x0000022B74B00000-0x0000022B74B01000-memory.dmp

Filesize
4KB

Download
memory/1432-125-0x0000022B74B00000-0x0000022B74B01000-memory.dmp

Filesize
4KB

Download
memory/1432-127-0x0000022B74B00000-0x0000022B74B01000-memory.dmp

Filesize
4KB

Download
memory/1432-128-0x0000022B74B00000-0x0000022B74B01000-memory.dmp

Filesize
4KB

Download
memory/1432-0-0x0000000074C92000-0x0000000074C93000-memory.dmp

Filesize
4KB

Download
memory/1432-126-0x0000022B74B00000-0x0000022B74B01000-memory.dmp

Filesize
4KB

Download
memory/1432-5-0x0000000074C90000-0x0000000075241000-memory.dmp

Filesize
5.7MB

Download
memory/1432-2-0x0000000074C90000-0x0000000075241000-memory.dmp

Filesize
5.7MB

Download
memory/1432-1-0x0000000074C90000-0x0000000075241000-memory.dmp

Filesize
5.7MB

Download
memory/1432-119-0x0000022B74B00000-0x0000022B74B01000-memory.dmp

Filesize
4KB

Download
memory/1432-117-0x0000022B74B00000-0x0000022B74B01000-memory.dmp

Filesize
4KB

Download
memory/2012-14-0x0000000074C90000-0x0000000075241000-memory.dmp

Filesize
5.7MB

Download
memory/2012-7-0x0000000074C90000-0x0000000075241000-memory.dmp

Filesize
5.7MB

Download
memory/2012-6-0x0000000074C90000-0x0000000075241000-memory.dmp

Filesize
5.7MB

Download
memory/3036-116-0x0000000000610000-0x000000000061E000-memory.dmp

Filesize
56KB

Download
memory/5512-90-0x0000000005860000-0x00000000058B6000-memory.dmp

Filesize
344KB

Download
memory/5512-89-0x0000000005730000-0x000000000573A000-memory.dmp

Filesize
40KB

Download
memory/5512-88-0x00000000057C0000-0x0000000005852000-memory.dmp

Filesize
584KB

Download
memory/5512-87-0x0000000005CD0000-0x0000000006276000-memory.dmp

Filesize
5.6MB

Download
memory/5512-86-0x0000000005680000-0x000000000571C000-memory.dmp

Filesize
624KB

Download
memory/5512-85-0x0000000000E10000-0x0000000000E1E000-memory.dmp

Filesize
56KB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.