hawkeye | fea5e0b53d49c7447019fe720bcd7019be94cf918c687021634ca12212d6f5f0

Analysis

max time kernel
15s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
07/04/2025, 18:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_a0794597b8669e46158f61f765d4be73.exe
Size

1.1MB
MD5

a0794597b8669e46158f61f765d4be73
SHA1

3d170cdba22576b75e672317ef46711c44a2bfd6
SHA256

fea5e0b53d49c7447019fe720bcd7019be94cf918c687021634ca12212d6f5f0
SHA512

a11c72ce4913d532fecdd47da776c13c301d4201a69ceed1ff280f982f21224fe32a21e6106ba4db04e76698df2abc48fb3181c30e1f71f2701953f8f194ce98
SSDEEP

24576:9JTV+zRlx0lQDe/QfgO/sqeAI8giImjRAPoYD6Q:rTgRtfEqeAA5m2gz

Score

10^/10

hawkeye credential_access discovery keylogger persistence spyware stealer trojan

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
smtp.gmail.com
Port:
587
Username:
[email protected]
Password:
Vajalik312

Signatures

HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye
Hawkeye family
hawkeye

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	JaffaCakes118_a0794597b8669e46158f61f765d4be73.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	audiodgi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	audiodgi.exe

Deletes itself 1 IoCs

pid	Process
760	svchost.exe

Executes dropped EXE 54 IoCs

pid	Process
760	svchost.exe
2900	svchost.exe
4140	audiodgi.exe
780	audiodgi.exe
4848	audiodgi.exe
1252	wmpmetwk.exe
3096	wmpmetwk.exe
4072	wmpmetwk.exe
3992	audiodgi.exe
400	audiodgi.exe
4344	audiodgi.exe
3316	audiodgi.exe
1948	audiodgi.exe
3108	audiodgi.exe
4364	audiodgi.exe
1564	audiodgi.exe
820	audiodgi.exe
5124	audiodgi.exe
5244	audiodgi.exe
5328	audiodgi.exe
5416	audiodgi.exe
5500	audiodgi.exe
5584	audiodgi.exe
5664	audiodgi.exe
5744	audiodgi.exe
5832	audiodgi.exe
5952	audiodgi.exe
6044	audiodgi.exe
5252	audiodgi.exe
5912	audiodgi.exe
6156	audiodgi.exe
6220	audiodgi.exe
6276	audiodgi.exe
6456	audiodgi.exe
6512	audiodgi.exe
6724	audiodgi.exe
6912	audiodgi.exe
6920	audiodgi.exe
6928	audiodgi.exe
6652	audiodgi.exe
7176	audiodgi.exe
7304	audiodgi.exe
7536	audiodgi.exe
7652	audiodgi.exe
7764	audiodgi.exe
7832	audiodgi.exe
7984	audiodgi.exe
7992	audiodgi.exe
8104	audiodgi.exe
8112	audiodgi.exe
8196	audiodgi.exe
8204	audiodgi.exe
8472	audiodgi.exe
8608	audiodgi.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 49 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\audiodgi.exe"	audiodgi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\audiodgi.exe"	audiodgi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\audiodgi.exe"	audiodgi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\audiodgi.exe"	audiodgi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\audiodgi.exe"	audiodgi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\audiodgi.exe"	audiodgi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\audiodgi.exe"	audiodgi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\audiodgi.exe"	audiodgi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\audiodgi.exe"	audiodgi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\audiodgi.exe"	audiodgi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\audiodgi.exe"	audiodgi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\audiodgi.exe"	audiodgi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\audiodgi.exe"	audiodgi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\audiodgi.exe"	audiodgi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\audiodgi.exe"	audiodgi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\audiodgi.exe"	audiodgi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\audiodgi.exe"	audiodgi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\audiodgi.exe"	audiodgi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\audiodgi.exe"	audiodgi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\audiodgi.exe"	audiodgi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\audiodgi.exe"	audiodgi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\audiodgi.exe"	audiodgi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\audiodgi.exe"	audiodgi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\audiodgi.exe"	audiodgi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\audiodgi.exe"	audiodgi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\audiodgi.exe"	audiodgi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\audiodgi.exe"	audiodgi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\audiodgi.exe"	audiodgi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\audiodgi.exe"	audiodgi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\audiodgi.exe"	audiodgi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\audiodgi.exe"	audiodgi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\audiodgi.exe"	audiodgi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\audiodgi.exe"	audiodgi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\audiodgi.exe"	audiodgi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\audiodgi.exe"	audiodgi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\audiodgi.exe"	audiodgi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\audiodgi.exe"	audiodgi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\audiodgi.exe"	audiodgi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\audiodgi.exe"	audiodgi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\audiodgi.exe"	audiodgi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\audiodgi.exe"	audiodgi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\audiodgi.exe"	audiodgi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\audiodgi.exe"	audiodgi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\audiodgi.exe"	audiodgi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\audiodgi.exe"	audiodgi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\audiodgi.exe"	audiodgi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\audiodgi.exe"	audiodgi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\audiodgi.exe"	audiodgi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\audiodgi.exe"	audiodgi.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 760 set thread context of 2900	760	svchost.exe	94
PID 3096 set thread context of 4072	3096	wmpmetwk.exe	110

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 7 IoCs

pid	pid_target	Process	procid_target
10096	11720	WerFault.exe	809
11816	9716	WerFault.exe	811
14152	11400	WerFault.exe	808
3868	11780	WerFault.exe	1123
9760	10272	WerFault.exe	1353
12592	14204	WerFault.exe	1366
2224	4480	Process not Found	2203

System Location Discovery: System Language Discovery 1 TTPs 55 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpmetwk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	audiodgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	audiodgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	audiodgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	audiodgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	audiodgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpmetwk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	audiodgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	audiodgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	audiodgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_a0794597b8669e46158f61f765d4be73.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	audiodgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	audiodgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	audiodgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	audiodgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	audiodgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	audiodgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	audiodgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	audiodgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	audiodgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	audiodgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	audiodgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	audiodgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	audiodgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	audiodgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	audiodgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	audiodgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	audiodgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	audiodgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	audiodgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	audiodgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	audiodgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	audiodgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	audiodgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	audiodgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	audiodgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	audiodgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	audiodgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	audiodgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	audiodgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	audiodgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	audiodgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	audiodgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	audiodgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	audiodgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	audiodgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	audiodgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpmetwk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	audiodgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	audiodgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	audiodgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	audiodgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	audiodgi.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	javaw.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	javaw.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
760	svchost.exe
4140	audiodgi.exe
780	audiodgi.exe
4848	audiodgi.exe
4848	audiodgi.exe
1252	wmpmetwk.exe
1252	wmpmetwk.exe
3096	wmpmetwk.exe
3096	wmpmetwk.exe
760	svchost.exe
760	svchost.exe
3992	audiodgi.exe
3992	audiodgi.exe
4140	audiodgi.exe
4140	audiodgi.exe
4848	audiodgi.exe
4848	audiodgi.exe
400	audiodgi.exe
400	audiodgi.exe
1252	wmpmetwk.exe
1252	wmpmetwk.exe
780	audiodgi.exe
780	audiodgi.exe
4344	audiodgi.exe
4344	audiodgi.exe
3096	wmpmetwk.exe
3096	wmpmetwk.exe
760	svchost.exe
760	svchost.exe
3316	audiodgi.exe
3316	audiodgi.exe
3992	audiodgi.exe
3992	audiodgi.exe
1948	audiodgi.exe
1948	audiodgi.exe
3108	audiodgi.exe
3108	audiodgi.exe
4140	audiodgi.exe
4140	audiodgi.exe
4848	audiodgi.exe
4848	audiodgi.exe
400	audiodgi.exe
400	audiodgi.exe
1252	wmpmetwk.exe
1252	wmpmetwk.exe
4364	audiodgi.exe
4364	audiodgi.exe
780	audiodgi.exe
780	audiodgi.exe
4344	audiodgi.exe
4344	audiodgi.exe
3096	wmpmetwk.exe
3096	wmpmetwk.exe
1564	audiodgi.exe
1564	audiodgi.exe
760	svchost.exe
760	svchost.exe
3316	audiodgi.exe
3316	audiodgi.exe
3992	audiodgi.exe
3992	audiodgi.exe
820	audiodgi.exe
820	audiodgi.exe
1948	audiodgi.exe

Suspicious use of AdjustPrivilegeToken 54 IoCs

description	pid	Process
Token: SeDebugPrivilege	1948	JaffaCakes118_a0794597b8669e46158f61f765d4be73.exe
Token: SeDebugPrivilege	760	svchost.exe
Token: SeDebugPrivilege	4140	audiodgi.exe
Token: SeDebugPrivilege	780	audiodgi.exe
Token: SeDebugPrivilege	4848	audiodgi.exe
Token: SeDebugPrivilege	1252	wmpmetwk.exe
Token: SeDebugPrivilege	3096	wmpmetwk.exe
Token: SeDebugPrivilege	3992	audiodgi.exe
Token: SeDebugPrivilege	2900	svchost.exe
Token: SeDebugPrivilege	400	audiodgi.exe
Token: SeDebugPrivilege	4344	audiodgi.exe
Token: SeDebugPrivilege	3316	audiodgi.exe
Token: SeDebugPrivilege	1948	audiodgi.exe
Token: SeDebugPrivilege	3108	audiodgi.exe
Token: SeDebugPrivilege	4364	audiodgi.exe
Token: SeDebugPrivilege	1564	audiodgi.exe
Token: SeDebugPrivilege	820	audiodgi.exe
Token: SeDebugPrivilege	5124	audiodgi.exe
Token: SeDebugPrivilege	5244	audiodgi.exe
Token: SeDebugPrivilege	5328	audiodgi.exe
Token: SeDebugPrivilege	5416	audiodgi.exe
Token: SeDebugPrivilege	5500	audiodgi.exe
Token: SeDebugPrivilege	5584	audiodgi.exe
Token: SeDebugPrivilege	5664	audiodgi.exe
Token: SeDebugPrivilege	5744	audiodgi.exe
Token: SeDebugPrivilege	5832	audiodgi.exe
Token: SeDebugPrivilege	5952	audiodgi.exe
Token: SeDebugPrivilege	6044	audiodgi.exe
Token: SeDebugPrivilege	5252	audiodgi.exe
Token: SeDebugPrivilege	5912	audiodgi.exe
Token: SeDebugPrivilege	6156	audiodgi.exe
Token: SeDebugPrivilege	6220	audiodgi.exe
Token: SeDebugPrivilege	6276	audiodgi.exe
Token: SeDebugPrivilege	6456	audiodgi.exe
Token: SeDebugPrivilege	6512	audiodgi.exe
Token: SeDebugPrivilege	6724	audiodgi.exe
Token: SeDebugPrivilege	6912	audiodgi.exe
Token: SeDebugPrivilege	6920	audiodgi.exe
Token: SeDebugPrivilege	6928	audiodgi.exe
Token: SeDebugPrivilege	6652	audiodgi.exe
Token: SeDebugPrivilege	7176	audiodgi.exe
Token: SeDebugPrivilege	7304	audiodgi.exe
Token: SeDebugPrivilege	7536	audiodgi.exe
Token: SeDebugPrivilege	7652	audiodgi.exe
Token: SeDebugPrivilege	7764	audiodgi.exe
Token: SeDebugPrivilege	7832	audiodgi.exe
Token: SeDebugPrivilege	8104	audiodgi.exe
Token: SeDebugPrivilege	7984	audiodgi.exe
Token: SeDebugPrivilege	7992	audiodgi.exe
Token: SeDebugPrivilege	8112	audiodgi.exe
Token: SeDebugPrivilege	8196	audiodgi.exe
Token: SeDebugPrivilege	8204	audiodgi.exe
Token: SeDebugPrivilege	8472	audiodgi.exe
Token: SeDebugPrivilege	8608	audiodgi.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2900	svchost.exe
2384	javaw.exe
2384	javaw.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1948 wrote to memory of 760	1948	JaffaCakes118_a0794597b8669e46158f61f765d4be73.exe	91
PID 1948 wrote to memory of 760	1948	JaffaCakes118_a0794597b8669e46158f61f765d4be73.exe	91
PID 1948 wrote to memory of 760	1948	JaffaCakes118_a0794597b8669e46158f61f765d4be73.exe	91
PID 760 wrote to memory of 2900	760	svchost.exe	94
PID 760 wrote to memory of 2900	760	svchost.exe	94
PID 760 wrote to memory of 2900	760	svchost.exe	94
PID 760 wrote to memory of 2900	760	svchost.exe	94
PID 760 wrote to memory of 2900	760	svchost.exe	94
PID 760 wrote to memory of 2900	760	svchost.exe	94
PID 760 wrote to memory of 2900	760	svchost.exe	94
PID 760 wrote to memory of 2900	760	svchost.exe	94
PID 760 wrote to memory of 4140	760	svchost.exe	95
PID 760 wrote to memory of 4140	760	svchost.exe	95
PID 760 wrote to memory of 4140	760	svchost.exe	95
PID 1904 wrote to memory of 780	1904	cmd.exe	99
PID 1904 wrote to memory of 780	1904	cmd.exe	99
PID 1904 wrote to memory of 780	1904	cmd.exe	99
PID 1268 wrote to memory of 4848	1268	cmd.exe	103
PID 1268 wrote to memory of 4848	1268	cmd.exe	103
PID 1268 wrote to memory of 4848	1268	cmd.exe	103
PID 4140 wrote to memory of 1252	4140	audiodgi.exe	104
PID 4140 wrote to memory of 1252	4140	audiodgi.exe	104
PID 4140 wrote to memory of 1252	4140	audiodgi.exe	104
PID 1252 wrote to memory of 1228	1252	wmpmetwk.exe	108
PID 1252 wrote to memory of 1228	1252	wmpmetwk.exe	108
PID 1252 wrote to memory of 1228	1252	wmpmetwk.exe	108
PID 2900 wrote to memory of 3328	2900	svchost.exe	107
PID 2900 wrote to memory of 3328	2900	svchost.exe	107
PID 780 wrote to memory of 3096	780	audiodgi.exe	109
PID 780 wrote to memory of 3096	780	audiodgi.exe	109
PID 780 wrote to memory of 3096	780	audiodgi.exe	109
PID 3096 wrote to memory of 4072	3096	wmpmetwk.exe	110
PID 3096 wrote to memory of 4072	3096	wmpmetwk.exe	110
PID 3096 wrote to memory of 4072	3096	wmpmetwk.exe	110
PID 3096 wrote to memory of 4072	3096	wmpmetwk.exe	110
PID 3096 wrote to memory of 4072	3096	wmpmetwk.exe	110
PID 3096 wrote to memory of 4072	3096	wmpmetwk.exe	110
PID 3096 wrote to memory of 4072	3096	wmpmetwk.exe	110
PID 3096 wrote to memory of 4072	3096	wmpmetwk.exe	110
PID 4992 wrote to memory of 3992	4992	cmd.exe	111
PID 4992 wrote to memory of 3992	4992	cmd.exe	111
PID 4992 wrote to memory of 3992	4992	cmd.exe	111
PID 3328 wrote to memory of 2384	3328	javaw.exe	114
PID 3328 wrote to memory of 2384	3328	javaw.exe	114
PID 4936 wrote to memory of 400	4936	cmd.exe	115
PID 4936 wrote to memory of 400	4936	cmd.exe	115
PID 4936 wrote to memory of 400	4936	cmd.exe	115
PID 4948 wrote to memory of 4344	4948	cmd.exe	118
PID 4948 wrote to memory of 4344	4948	cmd.exe	118
PID 4948 wrote to memory of 4344	4948	cmd.exe	118
PID 1988 wrote to memory of 3316	1988	cmd.exe	121
PID 1988 wrote to memory of 3316	1988	cmd.exe	121
PID 1988 wrote to memory of 3316	1988	cmd.exe	121
PID 2944 wrote to memory of 1948	2944	cmd.exe	124
PID 2944 wrote to memory of 1948	2944	cmd.exe	124
PID 2944 wrote to memory of 1948	2944	cmd.exe	124
PID 2420 wrote to memory of 3108	2420	cmd.exe	127
PID 2420 wrote to memory of 3108	2420	cmd.exe	127
PID 2420 wrote to memory of 3108	2420	cmd.exe	127
PID 4280 wrote to memory of 4364	4280	cmd.exe	130
PID 4280 wrote to memory of 4364	4280	cmd.exe	130
PID 4280 wrote to memory of 4364	4280	cmd.exe	130
PID 2384 wrote to memory of 3676	2384	javaw.exe	132
PID 2384 wrote to memory of 3676	2384	javaw.exe	132

Views/modifies file attributes 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
3676	attrib.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a0794597b8669e46158f61f765d4be73.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a0794597b8669e46158f61f765d4be73.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1948
- C:\Users\Admin\AppData\Local\Temp\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
  2⤵
  - Checks computer location settings
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:760
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    C:\Users\Admin\AppData\Local\Temp\svchost.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2900
  - - C:\Program Files\Java\jre-1.8\bin\javaw.exe
      "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\RSBot-261.jar"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3328
    - - C:\Program Files\Java\jre-1.8\bin\javaw.exe
        
        javaw -Xmx768m -Dsun.java2d.d3d=false -XX:+UseConcMarkSweepGC -XX:+UseParNewGC -XX:+AggressiveOpts -XX:+UseBiasedLocking -classpath "/C:/Users/Admin/AppData/Local/Temp/RSBot-261.jar" org.rsbot.Application
        5⤵
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2384
      - C:\Windows\SYSTEM32\attrib.exe
        
        attrib +H "C:\Users\Admin\Documents\RSBot\Scripts\Network"
        6⤵
        Views/modifies file attributes
        
        PID:3676
- - C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
    "C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4140
  - - C:\Users\Admin\AppData\Local\Temp\System\wmpmetwk.exe
      "C:\Users\Admin\AppData\Local\Temp\System\wmpmetwk.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1252
    - - C:\Users\Admin\AppData\Local\Temp\System\wmpmetwk.exe
        
        C:\Users\Admin\AppData\Local\Temp\System\wmpmetwk.exe
        5⤵
        
        PID:1228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:1904
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:780
- - C:\Users\Admin\AppData\Local\Temp\System\wmpmetwk.exe
    "C:\Users\Admin\AppData\Local\Temp\System\wmpmetwk.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3096
  - - C:\Users\Admin\AppData\Local\Temp\System\wmpmetwk.exe
      C:\Users\Admin\AppData\Local\Temp\System\wmpmetwk.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4072

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:1268
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4992
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4936
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4948
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4344

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:1988
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2944
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2420
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4280
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4364
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 936
    3⤵
    PID:12740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:3200
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1564
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 944
    3⤵
    PID:12892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:2960
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:1696
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:5124
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 872
    3⤵
    PID:4244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:5168
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:5244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:5280
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:5328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:5364
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:5416
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 928
    3⤵
    PID:13260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:5452
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:5500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:5536
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:5584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:5620
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:5664
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 928
    3⤵
    PID:13268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:5700
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:5744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:5780
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:5832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:5868
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:5952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:5900
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:6044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:5984
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:5912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:6028
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:5252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:6108
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:6220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:4420
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:6156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:5712
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:6276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:6164
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:6456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:6252
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:6512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:6320
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:6724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:6372
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:6912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:6396
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:6928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:6524
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:6920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:6616
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:7176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:6640
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:6652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:6776
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:7536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:6836
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:7304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:6984
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:7832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:7060
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:7984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:7100
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:7992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:7108
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:7764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:7128
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:8104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:7188
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:8112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:7248
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:8608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:7272
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:7652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:7372
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:8472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:7444
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:8196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:7496
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:8204
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 928
    3⤵
    PID:12352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:7608
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  PID:9008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:7632
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  PID:9152
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 920
    3⤵
    PID:12732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:7720
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  PID:9952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:7772
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  PID:9936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:7856
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  PID:9944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:7908
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  PID:9780
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 924
    3⤵
    PID:12232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:8040
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  PID:9848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:8048
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  PID:10244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:8124
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  PID:9824
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 944
    3⤵
    PID:12656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:7664
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  PID:8224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:7828
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  PID:10028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:7936
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  PID:9808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:6684
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  PID:8000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:8292
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  PID:9748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:8352
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  PID:10460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:8412
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  PID:9340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:8480
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  PID:10448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:8488
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  PID:10440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:8616
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  PID:10424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:8624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:8636
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  PID:9124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:8660
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  PID:10228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:8748
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  PID:9180

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:8760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:8800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:8864
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  PID:12416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:8948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:8960
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  PID:13028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:8984
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  PID:12980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:9024
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  PID:12884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:9048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:9080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:9128
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  PID:12216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:8684
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  PID:8948
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 816
    3⤵
    PID:10128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:9064
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  PID:12908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:9040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:9344

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:9564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:9580
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  PID:10340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:9596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:9604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:9612
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  PID:12968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:9588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:9620
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  PID:12132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:9628
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  PID:12976
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 816
    3⤵
    PID:10832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:9636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:9644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:9652
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  PID:12556
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 936
    3⤵
    PID:10992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:9660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:9668
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  PID:9916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:9680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:9688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:9704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:9712
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  PID:12948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:9720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:9752
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  PID:12596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:9572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:9828
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  PID:12840
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 812
    3⤵
    PID:11864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:9924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:10052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:10060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:10068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:10076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:10100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:10180
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  PID:12068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:10264
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  PID:12612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:10556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:10672
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  PID:13300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:10928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:10940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:10948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:10988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:11004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:11024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:11152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:11160

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:10260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:11276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:11268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:11364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:11376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:11396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:11412
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  PID:10152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:11472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:11488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:11508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:11640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:11648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:11684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:11696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:11772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:11780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:11788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:11796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:11824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:11836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:11964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:11972
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  PID:12728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:11980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:11988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:11996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:12040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:12172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:12184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:12192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:12200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:12216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:12352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:12876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:10780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:12512
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  PID:11532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:12708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:12768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:8952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:8928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:11956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:8860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:7516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:12936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:12916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:12988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:13240
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  PID:11480
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 916
    3⤵
    PID:12820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:13148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:10836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:12528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:11228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:9976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:11568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:10396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:11844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:12540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:11840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:11424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:9212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:11312
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  PID:11940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:13084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:9036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:11436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:13040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:9568
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  PID:11732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:12132
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  PID:10396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:13064
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  PID:12536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:11868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:12908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:11384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:12900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:9380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:12084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:8920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:12872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:11752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:11288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:9880
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  PID:10856
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 808
    3⤵
    PID:9688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:11728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:9896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:12004
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  PID:10008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:11452
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  PID:9536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:9876
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  PID:9720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:10164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:10896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:9844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:12304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:10608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:9432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:9572
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  PID:9132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:12316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:13024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:9256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:12780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:9036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:10172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:9568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:13280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:11920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:12336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:6796
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  PID:12644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:6408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:11296

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:9740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:11404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:12508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:10076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:1232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:10772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:12248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:4868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:12300
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  PID:12608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:12016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:6500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:10152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:11284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:11860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:12388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:11376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:8988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:12540
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  PID:11208
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 912
    3⤵
    PID:1560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:10848
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  PID:1340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:11420

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:11180

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:12604
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  PID:11580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:10432
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  PID:12184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:12484
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  PID:9352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:9572
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  PID:9716
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 9716 -s 192
    3⤵
    - Program crash
    PID:11816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:11948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:12236
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  PID:9352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:12264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:12272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:10916
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  PID:11720
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 11720 -s 192
    3⤵
    - Program crash
    PID:10096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:11712
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  PID:14100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:12172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:11792
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  PID:13972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:13236
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  PID:11400
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 11400 -s 216
    3⤵
    - Program crash
    PID:14152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:1732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:9792
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  PID:14172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:11412
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  PID:14144

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:8628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:5512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:2172
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  PID:14048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:5596
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  PID:14180

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:5660
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  PID:14164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:13080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:1240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:1280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:1460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:1692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:1244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:9660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:9496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:9040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:10792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:11576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:11336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:9380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:13244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:12980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:13184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:13212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:11444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:6708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:12192
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  PID:14080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:6412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:13496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:13508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:13524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:13516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:13568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:13628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:13712
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  PID:5236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:13764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:13912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:13980
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  PID:10948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:14156
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  PID:13820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:14192
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  PID:9628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:14200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:14300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:13324
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  PID:12140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:12760
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  PID:12740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:12748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:9616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:13552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:13012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:11900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:10172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:11168

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:12112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:12056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:9660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:11080
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  PID:7648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:13812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:13396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:13676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:6904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:1344

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:13636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:12860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:6324
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  PID:8996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:13272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:13788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:3156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:6884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:6908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:6900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:13956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:1968
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  PID:14188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:11872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:5432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 900 -p 13972 -ip 13972
1⤵
PID:11864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:14320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:12500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:12916
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  PID:11604
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 844
    3⤵
    PID:5360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:13492
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  PID:12656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:13412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:11608
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  PID:10076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:12896
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  PID:9640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:2116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:8080
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  PID:8624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:12364
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  PID:12644
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 840
    3⤵
    PID:9880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:9156
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  PID:5440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:1640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:13540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:8716
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  PID:10864
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 812
    3⤵
    PID:8244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:2224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:13572
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  PID:11164
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 772
    3⤵
    PID:13964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:6904
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  PID:1236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:13224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:9616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:13168

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:13972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:13752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:10864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:9996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:10388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:2872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:8956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:1108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:11168

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:13296
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  PID:13612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:10836
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  PID:13952
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 772
    3⤵
    PID:10528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:2952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:9192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:14000
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  PID:14132
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 832
    3⤵
    PID:14312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:11500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:12592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:10788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:1580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:11284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:12756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:10432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:13040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:13400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:14292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:11420
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  PID:10920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:13772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:10136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:7736
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  PID:11780
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 11780 -s 192
    3⤵
    - Program crash
    PID:3868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:11576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:14288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:13684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:14184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:11348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:13556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:9196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:13492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:12832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:11400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:14048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:10140
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  PID:13668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:12840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:10664
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  PID:13184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:9152
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  PID:11788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:12856
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  PID:10876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:10812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:9472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:3764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:5492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:11108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:13772
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  PID:14152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:13560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:10132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:11656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:6136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:13324

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:14316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:9660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:10100
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  PID:9144

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:7820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:13168

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:10556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:9196
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  PID:13636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:11748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:13380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:8128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:13872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:11868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:13752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:5420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:12100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:11400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:12976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:7496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:11028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:11376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:10872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:9192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:3156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:6752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:13748
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  PID:11404
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 776
    3⤵
    PID:11828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:1996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:13708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:12496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:13680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:10812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:12368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:7524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:5760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:14116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:5240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:7512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:13164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:3768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:10172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:14288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:12648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:11576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:10036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:13168

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:388
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  PID:3400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:9692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:9024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:13776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:13148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:12100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:6668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:7496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:5392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:14292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:12944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:13736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:10664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:13556
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  PID:11476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:13548
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  PID:4792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:14316
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  PID:11748
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 768
    3⤵
    PID:13528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:11652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:2820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:14068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:11724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:12836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:6708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:9980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:12496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:3484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:9412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:9024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:13296
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  PID:12808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:4328
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  PID:10272
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 10272 -s 192
    3⤵
    - Program crash
    PID:9760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:14192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:11268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:12200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:6208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:10432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:12020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:13604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:12656
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  PID:14204
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 14204 -s 216
    3⤵
    - Program crash
    PID:12592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:12688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:7696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:12828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:3648
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  PID:1656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:13148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:2464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:8728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:12716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:3020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:5004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:12424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:5136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:4476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:12112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:5324
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  PID:6536
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 816
    3⤵
    PID:14136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:9704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:8344

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:1464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 14204 -ip 14204
1⤵
PID:13736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:7632
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  PID:10528
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 768
    3⤵
    PID:7148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:9348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:5760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:11780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:13424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:7500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:10836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:13752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:8208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:3616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:6012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:13652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:14088
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  PID:11756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:14192
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  PID:8120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:11220
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  PID:984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:2416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:1692
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  PID:12836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:3480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:1928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:12020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:10128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:12500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:6572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:6688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:9908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:5444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:7072

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:10132
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  PID:8604
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 756
    3⤵
    PID:3436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:8728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:5136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:2224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:7408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:7424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:13812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:13828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:12928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:7876
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  PID:13432
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 776
    3⤵
    PID:12688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:13224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:3836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:8056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:4548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:6960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:4940
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  PID:7284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:3260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:5200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:8408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:10172
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  PID:7236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:11732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:9288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:8420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:5884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:632
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  PID:14136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:8332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:8556
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  PID:13800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:8736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:6208
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  PID:6848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:8872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:9004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:4744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:2952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:9324

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:13968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:6588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:12500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:9492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:5240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:11004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:7320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:3156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:13164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:4792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:7508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:5360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:2676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:2224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:12840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:10832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:7412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:4856
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  PID:10724
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 812
    3⤵
    PID:11428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:5560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:5472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:12244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:13668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:9500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:12916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:7632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:5880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:3768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:8964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:11016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:2164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:10532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:10712
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  PID:7480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:11032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:8464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:13660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:11320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:8208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:10988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:6216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:13560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:13732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:9812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:12592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:4464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:8828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:10624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:6072

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:13472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:3320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:11640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:11276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:6688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:10872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:14300
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  PID:6608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:13036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:6956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:8716
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  PID:6564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:12760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:13864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:9732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:8580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:2148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:9420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:13052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:11736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:13168

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:11480
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  PID:7216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:13812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:12140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:5496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:8540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:7320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:12304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:8236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:11132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:12144

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:10736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:10504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:10116
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  PID:5492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:5792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:11256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:11820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:9988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:8448
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  PID:3648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:13896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:9076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:11968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:11192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:5884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:4008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:12056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:4984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:11688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:10128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:14312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:6676
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  PID:9800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:6864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:8272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:4964
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  PID:6536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:10788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:10844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:9880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:984
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  PID:7204
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 816
    3⤵
    PID:9492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:4480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:6072

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:13216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:7532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:12832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:10712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:1996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:13816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:10864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:12852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:9232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:6716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:6584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:13672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:7036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:7332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:5256
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  PID:12924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:10324

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:8956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:12656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:13368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:7368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:5924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:13208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:12820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:13784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:4208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:11420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:8908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:9060
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  PID:3648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:8056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:12864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:5560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:13044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:10404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:12112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:10628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:11076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:9412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:1148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:6452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:11404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:13416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:9980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:13660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:10436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:9024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:8312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:12264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:3468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:9896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:10128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:8736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:11072

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:13220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:10652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:10432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:14128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:9312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:10760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:5964
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  PID:12188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:7460
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  PID:8236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:10996
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  PID:13440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:10696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:12976
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  PID:6564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:13252
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  PID:8956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:8400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:1996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:11224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:5148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:7424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:7440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:6716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:6676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:7508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:14208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:7520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:6472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:12996
- C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
  2⤵
  PID:10056
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 772
    3⤵
    PID:11428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:5880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:10544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:2028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:6428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:11736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:14184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:5344

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:2224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:5552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:11788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:13668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:13796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:11016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:11564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:2712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:12304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:13588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:10748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:2524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:12488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
1⤵
PID:4536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

Filesize
46B

MD5
5ab496c9d51badaf8f76dd7a9664deb5

SHA1
60525a1d84e4821d8206b07850eb182a1c3aaae8

SHA256
0cb74c24d5e57e929e14c308dae57bfb8f80828ef7639c4a46f6f8057a865c42

SHA512
9c3758c0788b6a5df67d2dac935ea32067222b932480009463e7873edc922e8659f07967c9136cdb1d83cf4194f82031184ed7bbd4a5f3aab422c0c48e8dcb14

Download Submit
C:\Users\Admin\AppData\Local\Temp\RSBot-261.jar

Filesize
629KB

MD5
b0c5e67699e515d8bd606b0f4e6c917b

SHA1
277bd5677f77711bf5d9f03007a1f8b4e0e99308

SHA256
8cacdb755c0925e87c8d93977b69b97446609a773152418951e843670b8a0749

SHA512
ee506fc6b00b55fe6a35fc50ae3ea0b6c390d8ec7578d7c652f98e42de5d1a6da32cbb17b324be53c4140cdb5ad885ed8c8441cd0a59ea7317e7c75ade37c6dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\SysInfo.txt

Filesize
84B

MD5
5485724d8dce77ce4e76a7cbc88963c6

SHA1
d91fb78e4aa65e4d49d9b9de27bc88055a33f460

SHA256
fad86f9e5a6a5b7832876dc79bdb90cf546ce557a7948c997bb5f3dbe1e699d9

SHA512
28238da0d2fc4295992a8086e7f1c7af0bb964016b828bbc08146ae5571ffb12940652a96482c0433e42091010b62b62f45b005d7a7c1fdd445a5e716f7c9dfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\SysInfo.txt

Filesize
53B

MD5
064edf753665cf369ff809bfac90d6b6

SHA1
00b3f2d4fa24317749bbdfad0a8645bf2bc46fdf

SHA256
d0a0184b3f20976bd70ae26493dd6450cd2c476b96898ac995f9445531a25bcd

SHA512
c6e24da12a1e1aa1ca5c01179adb816bf0c653798f3a4c160cd75aef368f566d4d9479b8b9f3506d6e33a0fc26a8c72c72d49d42fa75622f0308b62262d282cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe

Filesize
10KB

MD5
83ce94edcf6b43e60e467a9f22705d3e

SHA1
0a3738cbee68a53e8d5e93f83d5b633f8ae95232

SHA256
558224443ed55cc3efc377ff06ba86ef2d4c910da4d3d47c590377c487c1d63f

SHA512
51675f7143d6666452dc231ffc03e0dab642f2c2c8a3d61dc567beec825ea52d45513243ea81d3873d44a66b8d7a1340f0b6e5ecac741c29d01813de8631d383

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
1.1MB

MD5
a0794597b8669e46158f61f765d4be73

SHA1
3d170cdba22576b75e672317ef46711c44a2bfd6

SHA256
fea5e0b53d49c7447019fe720bcd7019be94cf918c687021634ca12212d6f5f0

SHA512
a11c72ce4913d532fecdd47da776c13c301d4201a69ceed1ff280f982f21224fe32a21e6106ba4db04e76698df2abc48fb3181c30e1f71f2701953f8f194ce98

Download Submit
memory/760-17-0x0000000074D80000-0x0000000075331000-memory.dmp

Filesize
5.7MB

Download
memory/760-174-0x0000000074D80000-0x0000000075331000-memory.dmp

Filesize
5.7MB

Download
memory/760-167-0x0000000074D80000-0x0000000075331000-memory.dmp

Filesize
5.7MB

Download
memory/1948-18-0x0000000074D80000-0x0000000075331000-memory.dmp

Filesize
5.7MB

Download
memory/1948-0-0x0000000074D82000-0x0000000074D83000-memory.dmp

Filesize
4KB

Download
memory/1948-1-0x0000000074D80000-0x0000000075331000-memory.dmp

Filesize
5.7MB

Download
memory/1948-2-0x0000000074D80000-0x0000000075331000-memory.dmp

Filesize
5.7MB

Download
memory/2384-133-0x000002ECED990000-0x000002ECED991000-memory.dmp

Filesize
4KB

Download
memory/2384-112-0x000002ECED990000-0x000002ECED991000-memory.dmp

Filesize
4KB

Download
memory/2384-71-0x000002ECED990000-0x000002ECED991000-memory.dmp

Filesize
4KB

Download
memory/2384-118-0x000002ECED990000-0x000002ECED991000-memory.dmp

Filesize
4KB

Download
memory/2384-105-0x000002ECED990000-0x000002ECED991000-memory.dmp

Filesize
4KB

Download
memory/2384-97-0x000002ECED990000-0x000002ECED991000-memory.dmp

Filesize
4KB

Download
memory/2384-87-0x000002ECED990000-0x000002ECED991000-memory.dmp

Filesize
4KB

Download
memory/2384-81-0x000002ECED990000-0x000002ECED991000-memory.dmp

Filesize
4KB

Download
memory/2384-120-0x000002ECED990000-0x000002ECED991000-memory.dmp

Filesize
4KB

Download
memory/2384-139-0x000002ECED990000-0x000002ECED991000-memory.dmp

Filesize
4KB

Download
memory/2384-128-0x000002ECED990000-0x000002ECED991000-memory.dmp

Filesize
4KB

Download
memory/2900-24-0x0000000074D80000-0x0000000075331000-memory.dmp

Filesize
5.7MB

Download
memory/2900-25-0x0000000074D80000-0x0000000075331000-memory.dmp

Filesize
5.7MB

Download
memory/2900-22-0x0000000000400000-0x0000000000506000-memory.dmp

Filesize
1.0MB

Download
memory/2900-187-0x0000000074D80000-0x0000000075331000-memory.dmp

Filesize
5.7MB

Download
memory/3328-52-0x000002131AC70000-0x000002131AC71000-memory.dmp

Filesize
4KB

Download