azorult | 12fce52d084a8c7efa638c88fa2307bca7c038a49fe566ebb05533cacf17efbd

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000\Control Panel\International\Geo\Nation	4363463463464363463463463.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000\Control Panel\International\Geo\Nation	Synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000\Control Panel\International\Geo\Nation	._cache_Synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000\Control Panel\International\Geo\Nation	am209.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000\Control Panel\International\Geo\Nation	Google%20Chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000\Control Panel\International\Geo\Nation	Synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000\Control Panel\International\Geo\Nation	._cache_4363463463464363463463463.exe

Executes dropped EXE 23 IoCs

pid	Process
4828	._cache_4363463463464363463463463.exe
5684	Synaptics.exe
4104	Synaptics.exe
1404	._cache_Synaptics.exe
1908	._cache_Synaptics.exe
3832	ZZZ.exe
4440	hack.exe
3608	Server.exe
3868	4434.exe
5536	processclass.exe
4536	aqbjn3fl.exe
4008	tdrpl.exe
1204	stub.exe
412	cHSzTDjVl.exe
5248	MYNEWRDX.exe
3208	sysldpsvc.exe
5404	am209.exe
2008	aqbjn3fl.exe
1224	sysldpsvc.exe
1572	defnur.exe
5564	Google%20Chrome.exe
5164	kmvcsaed.exe
828	RuntimeBroker.exe

Themida packer 2 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/files/0x00070000000242cd-2357.dat	themida
behavioral1/memory/11024-3863-0x00007FF7043E0000-0x00007FF705082000-memory.dmp	themida

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	4363463463464363463463463.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysldpsvc.exe"	tdrpl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Files\\Server.exe\" .."	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Files\\Server.exe\" .."	Server.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service

T1102

flow	ioc
24	raw.githubusercontent.com
28	raw.githubusercontent.com
114	raw.githubusercontent.com
291	raw.githubusercontent.com
23	raw.githubusercontent.com

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
311	api.ipify.org
350	ip-api.com
421	ip-api.com
309	api.ipify.org

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\._cache_Synaptics.exe	Synaptics.exe
File opened for modification	C:\Windows\SysWOW64\._cache_Synaptics.exe	Synaptics.exe
File created	C:\Windows\SysWOW64\Files\02.08.2022.exe	._cache_Synaptics.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
4440	hack.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3868 set thread context of 6108	3868	4434.exe	126
PID 4536 set thread context of 2008	4536	aqbjn3fl.exe	164

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/5372-1073-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/files/0x00070000000242c5-1065.dat	upx
behavioral1/memory/5372-4013-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/files/0x00080000000242df-5146.dat	upx
behavioral1/files/0x00090000000242e2-5026.dat	upx
behavioral1/memory/7188-5249-0x0000000000400000-0x00000000004A4000-memory.dmp	upx
behavioral1/memory/5372-5274-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/636-5278-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/636-5175-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/7188-5288-0x0000000000400000-0x00000000004A4000-memory.dmp	upx

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\sysldpsvc.exe	tdrpl.exe
File opened for modification	C:\Windows\sysldpsvc.exe	tdrpl.exe
File created	C:\Windows\Tasks\defnur.job	am209.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Embeds OpenSSL 1 IoCs

Embeds OpenSSL, may be used to circumvent TLS interception.

resource	yara_rule
behavioral1/files/0x0007000000024254-466.dat	embeds_openssl

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 5 IoCs

pid	pid_target	Process	procid_target
2792	3832	WerFault.exe	103
1092	1204	WerFault.exe	122
5828	5192	WerFault.exe	709
10376	8416	WerFault.exe	1158
11684	4632	WerFault.exe	1161

System Location Discovery: System Language Discovery 1 TTPs 21 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4434.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	stub.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4363463463464363463463463.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aqbjn3fl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MYNEWRDX.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kmvcsaed.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ZZZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cHSzTDjVl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysldpsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aqbjn3fl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	defnur.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_4363463463464363463463463.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tdrpl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	am209.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 3 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
396	PING.EXE
11200	PING.EXE
9952	PING.EXE

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

System Information Discovery

defense_evasion spyware trojan

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 2 IoCs

defense_evasion

pid	Process
5656	taskkill.exe
7780	taskkill.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	4363463463464363463463463.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe

Modifies system certificate store 2 TTPs 3 IoCs

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	._cache_4363463463464363463463463.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	._cache_4363463463464363463463463.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800001900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286040000000100000010000000497904b0eb8719ac47b0bc11519b74d0200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	._cache_4363463463464363463463463.exe

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery

T1018

pid	Process
396	PING.EXE
11200	PING.EXE
9952	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 8 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
712	schtasks.exe
4940	schtasks.exe
8328	schtasks.exe
6888	schtasks.exe
2324	schtasks.exe
12068	schtasks.exe
3416	schtasks.exe
5456	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4080	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
4944	mspaint.exe
4944	mspaint.exe
5188	powershell.exe
5188	powershell.exe
5188	powershell.exe
2724	chrome.exe
2724	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3608	Server.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
4440	hack.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	4828	._cache_4363463463464363463463463.exe
Token: SeDebugPrivilege	1404	._cache_Synaptics.exe
Token: SeDebugPrivilege	1908	._cache_Synaptics.exe
Token: SeDebugPrivilege	5188	powershell.exe
Token: SeShutdownPrivilege	2724	chrome.exe
Token: SeCreatePagefilePrivilege	2724	chrome.exe
Token: SeShutdownPrivilege	2724	chrome.exe
Token: SeCreatePagefilePrivilege	2724	chrome.exe
Token: SeDebugPrivilege	828	RuntimeBroker.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
4080	EXCEL.EXE
4080	EXCEL.EXE
4080	EXCEL.EXE
4080	EXCEL.EXE
4944	mspaint.exe
4944	mspaint.exe
4944	mspaint.exe
4944	mspaint.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 312 wrote to memory of 4828	312	4363463463464363463463463.exe	89
PID 312 wrote to memory of 4828	312	4363463463464363463463463.exe	89
PID 312 wrote to memory of 4828	312	4363463463464363463463463.exe	89
PID 312 wrote to memory of 5684	312	4363463463464363463463463.exe	93
PID 312 wrote to memory of 5684	312	4363463463464363463463463.exe	93
PID 312 wrote to memory of 5684	312	4363463463464363463463463.exe	93
PID 3804 wrote to memory of 4104	3804	cmd.exe	94
PID 3804 wrote to memory of 4104	3804	cmd.exe	94
PID 3804 wrote to memory of 4104	3804	cmd.exe	94
PID 5684 wrote to memory of 1404	5684	Synaptics.exe	95
PID 5684 wrote to memory of 1404	5684	Synaptics.exe	95
PID 5684 wrote to memory of 1404	5684	Synaptics.exe	95
PID 4104 wrote to memory of 1908	4104	Synaptics.exe	97
PID 4104 wrote to memory of 1908	4104	Synaptics.exe	97
PID 4104 wrote to memory of 1908	4104	Synaptics.exe	97
PID 1404 wrote to memory of 3832	1404	._cache_Synaptics.exe	579
PID 1404 wrote to memory of 3832	1404	._cache_Synaptics.exe	579
PID 1404 wrote to memory of 3832	1404	._cache_Synaptics.exe	579
PID 1404 wrote to memory of 4440	1404	._cache_Synaptics.exe	148
PID 1404 wrote to memory of 4440	1404	._cache_Synaptics.exe	148
PID 4440 wrote to memory of 4944	4440	hack.exe	331
PID 4440 wrote to memory of 4944	4440	hack.exe	331
PID 4828 wrote to memory of 5188	4828	._cache_4363463463464363463463463.exe	110
PID 4828 wrote to memory of 5188	4828	._cache_4363463463464363463463463.exe	110
PID 4828 wrote to memory of 5188	4828	._cache_4363463463464363463463463.exe	110
PID 1404 wrote to memory of 3608	1404	._cache_Synaptics.exe	114
PID 1404 wrote to memory of 3608	1404	._cache_Synaptics.exe	114
PID 1404 wrote to memory of 3608	1404	._cache_Synaptics.exe	114
PID 4828 wrote to memory of 3868	4828	._cache_4363463463464363463463463.exe	171
PID 4828 wrote to memory of 3868	4828	._cache_4363463463464363463463463.exe	171
PID 4828 wrote to memory of 3868	4828	._cache_4363463463464363463463463.exe	171
PID 4828 wrote to memory of 5536	4828	._cache_4363463463464363463463463.exe	1066
PID 4828 wrote to memory of 5536	4828	._cache_4363463463464363463463463.exe	1066
PID 1404 wrote to memory of 4536	1404	._cache_Synaptics.exe	119
PID 1404 wrote to memory of 4536	1404	._cache_Synaptics.exe	119
PID 1404 wrote to memory of 4536	1404	._cache_Synaptics.exe	119
PID 4828 wrote to memory of 4008	4828	._cache_4363463463464363463463463.exe	155
PID 4828 wrote to memory of 4008	4828	._cache_4363463463464363463463463.exe	155
PID 4828 wrote to memory of 4008	4828	._cache_4363463463464363463463463.exe	155
PID 1404 wrote to memory of 1204	1404	._cache_Synaptics.exe	1017
PID 1404 wrote to memory of 1204	1404	._cache_Synaptics.exe	1017
PID 1404 wrote to memory of 1204	1404	._cache_Synaptics.exe	1017
PID 4828 wrote to memory of 412	4828	._cache_4363463463464363463463463.exe	725
PID 4828 wrote to memory of 412	4828	._cache_4363463463464363463463463.exe	725
PID 4828 wrote to memory of 412	4828	._cache_4363463463464363463463463.exe	725
PID 3868 wrote to memory of 6108	3868	4434.exe	126
PID 3868 wrote to memory of 6108	3868	4434.exe	126
PID 3868 wrote to memory of 6108	3868	4434.exe	126
PID 3868 wrote to memory of 6108	3868	4434.exe	126
PID 3868 wrote to memory of 6108	3868	4434.exe	126
PID 3868 wrote to memory of 6108	3868	4434.exe	126
PID 3868 wrote to memory of 6108	3868	4434.exe	126
PID 3868 wrote to memory of 6108	3868	4434.exe	126
PID 3868 wrote to memory of 6108	3868	4434.exe	126
PID 4828 wrote to memory of 5248	4828	._cache_4363463463464363463463463.exe	127
PID 4828 wrote to memory of 5248	4828	._cache_4363463463464363463463463.exe	127
PID 4828 wrote to memory of 5248	4828	._cache_4363463463464363463463463.exe	127
PID 4008 wrote to memory of 3208	4008	tdrpl.exe	128
PID 4008 wrote to memory of 3208	4008	tdrpl.exe	128
PID 4008 wrote to memory of 3208	4008	tdrpl.exe	128
PID 4828 wrote to memory of 5404	4828	._cache_4363463463464363463463463.exe	421
PID 4828 wrote to memory of 5404	4828	._cache_4363463463464363463463463.exe	421
PID 4828 wrote to memory of 5404	4828	._cache_4363463463464363463463463.exe	421
PID 4536 wrote to memory of 2008	4536	aqbjn3fl.exe	164

C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe
"C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:312
- C:\Users\Admin\AppData\Local\Temp\._cache_4363463463464363463463463.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_4363463463464363463463463.exe"
  2⤵
  - Downloads MZ/PE file
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies system certificate store
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4828
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5188
- - C:\Users\Admin\AppData\Local\Temp\Files\4434.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\4434.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3868
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:6108
- - C:\Users\Admin\AppData\Local\Temp\Files\processclass.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\processclass.exe"
    3⤵
    - Executes dropped EXE
    PID:5536
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c start context.exe
      4⤵
      PID:6316
    - - C:\Users\Admin\AppData\Local\Temp\Files\context.exe
        
        context.exe
        5⤵
        
        PID:540
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c copy Beijing Beijing.bat & Beijing.bat
        6⤵
        
        PID:7052
- - C:\Users\Admin\AppData\Local\Temp\Files\tdrpl.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\tdrpl.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4008
  - - C:\Windows\sysldpsvc.exe
      C:\Windows\sysldpsvc.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3208
- - C:\Users\Admin\AppData\Local\Temp\Files\cHSzTDjVl.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\cHSzTDjVl.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:412
- - C:\Users\Admin\AppData\Local\Temp\Files\MYNEWRDX.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\MYNEWRDX.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5248
- - C:\Users\Admin\AppData\Local\Temp\Files\am209.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\am209.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:5404
  - - C:\Users\Admin\AppData\Local\Temp\fc9e0aaab7\defnur.exe
      "C:\Users\Admin\AppData\Local\Temp\fc9e0aaab7\defnur.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1572
    - - C:\Users\Admin\AppData\Local\Temp\10071750101\643870cc31.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10071750101\643870cc31.exe"
        5⤵
        
        PID:648
      - C:\Users\Admin\AppData\Local\Temp\f1e82329e5\namez.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f1e82329e5\namez.exe"
        6⤵
        
        PID:4708
        
        C:\Users\Admin\AppData\Local\Temp\10000410101\amnew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10000410101\amnew.exe"
        7⤵
        
        PID:2404
        
        C:\Users\Admin\AppData\Local\Temp\10000460101\amnew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10000460101\amnew.exe"
        7⤵
        
        PID:3928
- - C:\Users\Admin\AppData\Local\Temp\Files\Google%20Chrome.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\Google%20Chrome.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    PID:5564
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\9DE6.tmp\9DF6.tmp\9DF7.bat C:\Users\Admin\AppData\Local\Temp\Files\Google%20Chrome.exe"
      4⤵
      Checks computer location settings
      PID:5780
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" https://hoiquannet.com/301 https://bunchatv1.com
        5⤵
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2724
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd2851dcf8,0x7ffd2851dd04,0x7ffd2851dd10
        6⤵
        
        PID:4424
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1944,i,2346607745832838063,17340765638534609626,262144 --variations-seed-version=20250409-205551.032000 --mojo-platform-channel-handle=2220 /prefetch:3
        6⤵
        
        PID:1468
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2124,i,2346607745832838063,17340765638534609626,262144 --variations-seed-version=20250409-205551.032000 --mojo-platform-channel-handle=2120 /prefetch:2
        6⤵
        
        PID:4624
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2268,i,2346607745832838063,17340765638534609626,262144 --variations-seed-version=20250409-205551.032000 --mojo-platform-channel-handle=2500 /prefetch:8
        6⤵
        
        PID:5216
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3160,i,2346607745832838063,17340765638534609626,262144 --variations-seed-version=20250409-205551.032000 --mojo-platform-channel-handle=3188 /prefetch:1
        6⤵
        
        PID:3440
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3164,i,2346607745832838063,17340765638534609626,262144 --variations-seed-version=20250409-205551.032000 --mojo-platform-channel-handle=3232 /prefetch:1
        6⤵
        
        PID:1556
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3656,i,2346607745832838063,17340765638534609626,262144 --variations-seed-version=20250409-205551.032000 --mojo-platform-channel-handle=3672 /prefetch:1
        6⤵
        
        PID:5772
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4552,i,2346607745832838063,17340765638534609626,262144 --variations-seed-version=20250409-205551.032000 --mojo-platform-channel-handle=4560 /prefetch:2
        6⤵
        
        PID:4440
- - C:\Users\Admin\AppData\Local\Temp\Files\TORRENTOLD-1.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\TORRENTOLD-1.exe"
    3⤵
    PID:5696
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      PID:6220
- - C:\Users\Admin\AppData\Local\Temp\Files\jsawdtyjde.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\jsawdtyjde.exe"
    3⤵
    PID:1156
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat" "
      4⤵
      PID:12088
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\clamer.exe
        
        clamer.exe -priverdD
        5⤵
        
        PID:6472
      - C:\Users\Admin\AppData\Local\Temp\RarSFX1\thkdh.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX1\thkdh.exe"
        6⤵
        
        PID:3800
- - C:\Users\Admin\AppData\Local\Temp\Files\Vn70wVxW.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\Vn70wVxW.exe"
    3⤵
    PID:6340
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:6116
- - C:\Users\Admin\AppData\Local\Temp\Files\cssgo.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\cssgo.exe"
    3⤵
    PID:5192
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5192 -s 1676
      4⤵
      Program crash
      PID:5828
- - C:\Users\Admin\AppData\Local\Temp\Files\audi.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\audi.exe"
    3⤵
    PID:5372
  - - C:\Program Files (x86)\1.exe
      "C:\Program Files (x86)\1.exe" 0
      4⤵
      PID:9140
    - - C:\Users\Admin\AppData\Local\Temp\Files\._cache_1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Files\._cache_1.exe" 0
        5⤵
        
        PID:7188
  - - C:\Program Files (x86)\2.exe
      "C:\Program Files (x86)\2.exe" 0
      4⤵
      PID:9864
    - - C:\Users\Admin\AppData\Local\Temp\Files\._cache_2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Files\._cache_2.exe" 0
        5⤵
        
        PID:10968
  - - C:\Program Files (x86)\3.exe
      "C:\Program Files (x86)\3.exe" 0
      4⤵
      PID:636
  - - C:\Program Files (x86)\4.exe
      "C:\Program Files (x86)\4.exe" 0
      4⤵
      PID:11952
  - - C:\Windows\wic.exe
      "C:\Windows\wic.exe" 0
      4⤵
      PID:10872
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "shutdown /r /t 0"
        5⤵
        
        PID:5704
      - C:\Windows\SysWOW64\shutdown.exe
        
        shutdown /r /t 0
        6⤵
        
        PID:7308
- - C:\Users\Admin\AppData\Local\Temp\Files\Creal.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\Creal.exe"
    3⤵
    PID:2780
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks" /create /tn "Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Files\Creal.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:6888
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe"
      4⤵
      PID:8892
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2324
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ioATBNhA7BiS.bat" "
        5⤵
        
        PID:660
      - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        6⤵
        
        PID:3744
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:9952
      - C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe"
        6⤵
        
        PID:9684
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4940
- - C:\Users\Admin\AppData\Local\Temp\Files\mzjfgebm.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\mzjfgebm.exe"
    3⤵
    PID:9992
- - C:\Users\Admin\AppData\Local\Temp\Files\leetspoofer.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\leetspoofer.exe"
    3⤵
    PID:11024
- - C:\Users\Admin\AppData\Local\Temp\Files\Quas13k.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\Quas13k.exe"
    3⤵
    PID:11924
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "MicrosoftQuasUpdate" /sc ONLOGON /tr "C:\Windows\system32\explorer\explorer.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:8328
- - C:\Users\Admin\AppData\Local\Temp\Files\OneDrive.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\OneDrive.exe"
    3⤵
    PID:10544
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABUAGUAbQBwAFwARgBpAGwAZQBzAFwATwBuAGUARAByAGkAdgBlAC4AZQB4AGUAOwAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAcgBvAGMAZQBzAHMAIABDADoAXABVAHMAZQByAHMAXABBAGQAbQBpAG4AXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwAVABlAG0AcABcAEYAaQBsAGUAcwBcAE8AbgBlAEQAcgBpAHYAZQAuAGUAeABlADsAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAGQAbwBjAHUAbQBlAG4AdABzAFwATwBuAGUARAByAGkAdgBlAC4AZQB4AGUAOwAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAcgBvAGMAZQBzAHMAIABDADoAXABVAHMAZQByAHMAXABBAGQAbQBpAG4AXABkAG8AYwB1AG0AZQBuAHQAcwBcAE8AbgBlAEQAcgBpAHYAZQAuAGUAeABlAA==
      4⤵
      PID:7684
- - C:\Users\Admin\AppData\Local\Temp\Files\Pack_Brout_ncrypt.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\Pack_Brout_ncrypt.exe"
    3⤵
    PID:4516
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\31C0.tmp\31C1.tmp\31C2.bat C:\Users\Admin\AppData\Local\Temp\Files\Pack_Brout_ncrypt.exe"
      4⤵
      PID:12052
    - - C:\Windows\system32\cacls.exe
        
        "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
        5⤵
        
        PID:12180
    - - C:\Users\Admin\AppData\Local\Temp\Files\PowerShell.exe
        
        powershell.exe -command "Add-MpPreference -ExclusionExtension '.exe'"
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1156
      - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "PowerShell" /tr "C:\Users\Admin\AppData\Roaming\PowerShell.exe"
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:712
    - - C:\Users\Admin\AppData\Local\Temp\Files\PowerShell.exe
        
        powershell.exe -command "Add-MpPreference -ExclusionExtension '.bat'"
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4740
- - C:\Users\Admin\AppData\Local\Temp\Files\jokererer.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\jokererer.exe"
    3⤵
    PID:9728
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      PID:4888
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      PID:9312
- - C:\Users\Admin\AppData\Local\Temp\Files\xmrig.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\xmrig.exe"
    3⤵
    PID:6368
- - C:\Users\Admin\AppData\Local\Temp\Files\Client-built.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\Client-built.exe"
    3⤵
    PID:9596
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:5684
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Downloads MZ/PE file
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1404
  - - C:\Users\Admin\AppData\Local\Temp\Files\ZZZ.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\ZZZ.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3832
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3832 -s 440
        5⤵
        Program crash
        
        PID:2792
  - - C:\Users\Admin\AppData\Local\Temp\Files\hack.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\hack.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of NtCreateThreadExHideFromDebugger
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:4440
    - - C:\windows\system32\mspaint.exe
        
        C:\windows\system32\mspaint.exe
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4944
  - - C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious behavior: GetForegroundWindowSpam
      PID:3608
  - - C:\Users\Admin\AppData\Local\Temp\Files\aqbjn3fl.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\aqbjn3fl.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4536
    - - C:\Users\Admin\AppData\Local\Temp\Files\aqbjn3fl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Files\aqbjn3fl.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2008
  - - C:\Users\Admin\AppData\Local\Temp\Files\stub.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\stub.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1204
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1204 -s 440
        5⤵
        Program crash
        
        PID:1092
  - - C:\Users\Admin\AppData\Local\Temp\Files\kmvcsaed.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\kmvcsaed.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:5164
  - - C:\Users\Admin\AppData\Local\Temp\Files\RuntimeBroker.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\RuntimeBroker.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:828
    - - C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"
        5⤵
        
        PID:4004
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Apg6L4LgWWl8.bat" "
        6⤵
        
        PID:5648
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:5392
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:396
        
        C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"
        7⤵
        
        PID:4648
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wKSA9mPazIVq.bat" "
        8⤵
        
        PID:5400
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:8076
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        9⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:11200
  - - C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe"
      4⤵
      PID:4008
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3296
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2068
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Wave.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6784
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Wave.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:7560
    - - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Wave" /tr "C:\Users\Admin\AppData\Roaming\Wave.exe"
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\Synaptics\Synaptics.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:3804
- C:\ProgramData\Synaptics\Synaptics.exe
  C:\ProgramData\Synaptics\Synaptics.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4104
- - C:\Windows\SysWOW64\._cache_Synaptics.exe
    "C:\Windows\system32\._cache_Synaptics.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1908
  - - C:\Windows\SysWOW64\Files\cHSzTDjVl.exe
      "C:\Windows\System32\Files\cHSzTDjVl.exe"
      4⤵
      PID:6756
  - - C:\Windows\SysWOW64\Files\CritScript.exe
      "C:\Windows\System32\Files\CritScript.exe"
      4⤵
      PID:7096
    - - C:\Users\Admin\AppData\Local\Temp\JUSCHED.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\JUSCHED.EXE"
        5⤵
        
        PID:5876
  - - C:\Windows\SysWOW64\Files\Armanivenntii_crypted_EASY.exe
      "C:\Windows\System32\Files\Armanivenntii_crypted_EASY.exe"
      4⤵
      PID:6340
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
        5⤵
        
        PID:5396
  - - C:\Windows\SysWOW64\Files\morphic.exe
      "C:\Windows\System32\Files\morphic.exe"
      4⤵
      PID:6580
  - - C:\Windows\SysWOW64\Files\TPB-1.exe
      "C:\Windows\System32\Files\TPB-1.exe"
      4⤵
      PID:6540
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        5⤵
        
        PID:2784
  - - C:\Windows\SysWOW64\Files\vtoroy.exe
      "C:\Windows\System32\Files\vtoroy.exe"
      4⤵
      PID:3564
  - - C:\Windows\SysWOW64\Files\gold.rim.exe
      "C:\Windows\System32\Files\gold.rim.exe"
      4⤵
      PID:5264
  - - C:\Windows\SysWOW64\Files\DCRatBuild.exe
      "C:\Windows\System32\Files\DCRatBuild.exe"
      4⤵
      PID:2872
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Hyperruntimeperf\1BsDc3sv0Ug0mZu.vbe"
        5⤵
        
        PID:6504
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Hyperruntimeperf\vPQVVqEr.bat" "
        6⤵
        
        PID:5336
  - - C:\Windows\SysWOW64\Files\europe123.exe
      "C:\Windows\System32\Files\europe123.exe"
      4⤵
      PID:1512
  - - C:\Windows\SysWOW64\Files\SearchUII.exe
      "C:\Windows\System32\Files\SearchUII.exe"
      4⤵
      PID:6536
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\SysWOW64\Files\SearchUII.exe" "SearchUII.exe" ENABLE
        5⤵
        Modifies Windows Firewall
        
        PID:7580
  - - C:\Windows\SysWOW64\Files\peinf.exe
      "C:\Windows\System32\Files\peinf.exe"
      4⤵
      PID:1284
  - - C:\Windows\SysWOW64\Files\Service.exe
      "C:\Windows\System32\Files\Service.exe"
      4⤵
      PID:2500
  - - C:\Windows\SysWOW64\Files\tcoin.exe
      "C:\Windows\System32\Files\tcoin.exe"
      4⤵
      PID:1604
  - - C:\Windows\SysWOW64\Files\87f3f2.exe
      "C:\Windows\System32\Files\87f3f2.exe"
      4⤵
      PID:8552
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        5⤵
        
        PID:8600
  - - C:\Windows\SysWOW64\Files\injector.exe
      "C:\Windows\System32\Files\injector.exe"
      4⤵
      PID:9024
  - - C:\Windows\SysWOW64\Files\payload.exe
      "C:\Windows\System32\Files\payload.exe"
      4⤵
      PID:6872
  - - C:\Windows\SysWOW64\Files\setup.exe
      "C:\Windows\System32\Files\setup.exe"
      4⤵
      PID:6620
  - - C:\Windows\SysWOW64\Files\3544436.exe
      "C:\Windows\System32\Files\3544436.exe"
      4⤵
      PID:7436
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        5⤵
        
        PID:9568
  - - C:\Windows\SysWOW64\Files\VOLATUS0.5.exe
      "C:\Windows\System32\Files\VOLATUS0.5.exe"
      4⤵
      PID:7536

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3832 -ip 3832
1⤵
PID:828

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
1⤵
PID:4628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1204 -ip 1204
1⤵
PID:4840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\sysldpsvc.exe
1⤵
PID:5468
- C:\Windows\sysldpsvc.exe
  C:\Windows\sysldpsvc.exe
  2⤵
  - Executes dropped EXE
  PID:1224

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:5068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:5752
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:5648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:4752
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:1104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:2568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:5884
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2008
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:5888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:1472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:2580
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:3800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:3744
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:4200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:3868
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:4084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:5032
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:4740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:5496
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:6216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:5652
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:6120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:2764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:1284
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:6856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:4564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:5212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:936
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:7004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:5500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:2824
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:3712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:6236
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:6244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:6392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:6400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:6472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:6480
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:5212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:6656
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:5528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:6664
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:5380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:6892
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:5164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:6900
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:6416

C:\Users\Admin\AppData\Local\Temp\f1e82329e5\namez.exe
C:\Users\Admin\AppData\Local\Temp\f1e82329e5\namez.exe
1⤵
PID:6944

C:\Users\Admin\AppData\Local\Temp\fc9e0aaab7\defnur.exe
C:\Users\Admin\AppData\Local\Temp\fc9e0aaab7\defnur.exe
1⤵
PID:7108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:7160

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:5304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:3920
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:6456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:5064
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:5088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:2800
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:6364

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:6460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:6060
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:1224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:1480
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:4340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:6652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:4004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:5352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:6628
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:5108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:5984
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:5840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:4680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:6244
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:6680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:6860
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:6624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:2764
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:5360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:4524
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:6800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:4836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:6492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:6120
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:6664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:5532
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:6436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:6912
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:7056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:4988
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:6508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:5468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:3480
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:1480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:6344
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:6628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:5624
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:388
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:5308

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:5020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:5032
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:6452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:5424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:1836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:6100
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:5772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:3468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:1632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:1480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:6752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:6764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:5192
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:3872

C:\Windows\SysWOW64\fontdrvhost.exe
"C:\Windows\System32\fontdrvhost.exe"
1⤵
PID:1284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:6540
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:4408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:2024
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:3768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:4880
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:4764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:5468
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:4832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:2720
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:3248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:5088
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:6348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:1668
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:5056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:6836
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:3804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:1656
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:6296

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:6616
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:5864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:6880
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:6116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:6032
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:7172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:6772
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:5020
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:6572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:6136
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:7592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:6776
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:7480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:4804
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:7520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:6664
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:7232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:6220
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5404
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:8164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:7160
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:7448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:5244
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:3248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:6912
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:6100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:1632
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:7936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:5636
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:7292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:860
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:6720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:6024
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:1048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:7132
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:7176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:5896
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:5012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:4616
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:6880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:6448
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:7844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:1196
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:1532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:4796
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:5692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:5212
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:1460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:6096
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:4588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:7248
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:1776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:7256
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:7936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:7532
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:6556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:7544
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:5840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:7736
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:2808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:7748
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:6376

C:\Users\Admin\AppData\Local\Temp\f1e82329e5\namez.exe
C:\Users\Admin\AppData\Local\Temp\f1e82329e5\namez.exe
1⤵
PID:7864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:7880
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:2404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:7888
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:7980

C:\Users\Admin\AppData\Local\Temp\fc9e0aaab7\defnur.exe
C:\Users\Admin\AppData\Local\Temp\fc9e0aaab7\defnur.exe
1⤵
PID:7900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:8008
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:8228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:8056
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:8468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:1228
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:8376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:3292
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:7024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:7552
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:8932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:7412
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:8288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:2900
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:8728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:5160
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:8948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:6780
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:6588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:1044
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:6364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:7516
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:6508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:2696
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4624
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:2232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:7416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:7492
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:6440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:6192
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:2180

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:6708
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:7152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:7796
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:3804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:7484
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:7596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:7848
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:7596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:3460
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:7336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:3712
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:7504

C:\Windows\system32\taskkill.exe
"C:\Windows\system32\taskkill.exe" /f/im cmd.exe
1⤵
- Kills process with taskkill
PID:7780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:7292
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:7868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:7448
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:8244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:8176
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:3380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:6496
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:7952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:5096
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5164
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:7804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:4272
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:8040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:6256
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:7856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:5068
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:2044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:3832
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:2808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:7084
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:5936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:4684
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:6836
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:7324

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:1376
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:6928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:6052
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:7200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:8332
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:7120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:8344
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:9036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:8664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:8676
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:7684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:8880
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:4088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:8896
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:8556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:9084
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:8804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:9096
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:6024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:5100
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:7468
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:1524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:4644
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:7016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:8536
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:8080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:2600
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:9720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:5500
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:9492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:3840
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:9732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:8984
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:9904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:7768
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:12108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:4704
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:9500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:8296
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:10088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:9020
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:11352

C:\Windows\system32\taskkill.exe
"C:\Windows\system32\taskkill.exe" /f /im cmd.exe
1⤵
- Kills process with taskkill
PID:5656
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:7508
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:10740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:7224
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:10956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:9016
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:2340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:6616
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:9376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:6036
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:9308

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:9200
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:6384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:2980
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:4988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:6396
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:10552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:4892
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:6008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:6716
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:9944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:3244
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:9840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:3360
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:10844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:7008
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:10536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:8692
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:11820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:8472
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:11572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:4980
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:12096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:3296
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:9736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:6560
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:9952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:1952
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:10688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:2672
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:9968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:7808
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:412
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:12020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:4976
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:12260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:5528
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:8876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:7868

C:\Users\Admin\AppData\Local\Temp\fc9e0aaab7\defnur.exe
C:\Users\Admin\AppData\Local\Temp\fc9e0aaab7\defnur.exe
1⤵
PID:9040

C:\Users\Admin\AppData\Local\Temp\f1e82329e5\namez.exe
C:\Users\Admin\AppData\Local\Temp\f1e82329e5\namez.exe
1⤵
PID:7196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:9232
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:9240
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:12024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:9704
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:2544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:9712
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:7856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:9912
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:5496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:8776
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:7692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:10152
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:12108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:6068
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:4504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:11544
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:12224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:11552
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:8340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:10992
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:11312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:11052
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:6504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5192 -ip 5192
1⤵
PID:11112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:11820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:12132
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:9508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:10196
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:11608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:4556
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:2888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:5644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:10796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:1804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:10764
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:4884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:11480
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:6792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:10976
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:7988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:12280
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:8632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:11376
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:2200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:11884
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:5468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:10792
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:10640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:10396
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:9036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:10048
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:5644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:5828
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:8096
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:9280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:4700
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:12188
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:8604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:8172
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:5496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:10324
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:8636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:11212
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:8928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:9452
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:4924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:3248
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:11496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:10768
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:2996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:4452
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:8884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:5088
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:2872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:2096
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:8876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:404
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:10708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Creal.exe"
1⤵
PID:4752
- C:\Users\Admin\AppData\Local\Temp\Files\Creal.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Creal.exe
  2⤵
  PID:3312
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Files\Creal.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:12068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:4984
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:11160

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:9780
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:10420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:10312
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:9016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:7320
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:11556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:9632
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:9396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:11028
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:10676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:5192
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:2952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:8920
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:2320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:6664
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:8188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:6344
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:1220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:8564
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:5844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:8924
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:6868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:4888
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:5580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:6804
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:9924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:8872
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:9124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:10960
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:11464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:8396
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:4548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:7456
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:9232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:11652
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:4900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:9320
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:10448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:9928
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:10584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:5540
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:10812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:5832
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:9828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:8992
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:7488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:9176
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:9832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:7792
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:5536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:11492
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:7628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:3464
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:11532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:12192
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:8860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:7956
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:4924

C:\Users\Admin\AppData\Local\Temp\f1e82329e5\namez.exe
C:\Users\Admin\AppData\Local\Temp\f1e82329e5\namez.exe
1⤵
PID:9416

C:\Users\Admin\AppData\Local\Temp\fc9e0aaab7\defnur.exe
C:\Users\Admin\AppData\Local\Temp\fc9e0aaab7\defnur.exe
1⤵
PID:8836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:11584
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:9208
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:11080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:1140
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:1032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:10132
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:11980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:5488
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:3276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:7460
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:10580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:2620
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:9748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:5448
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:10192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:10340
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:5856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:9892
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:5000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\documents\OneDrive.exe
1⤵
PID:4580
- C:\Users\Admin\documents\OneDrive.exe
  C:\Users\Admin\documents\OneDrive.exe
  2⤵
  PID:10692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:1204
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:7016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:11460
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:9304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:11744
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:2324

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:2260
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:9268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:4068
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:10588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:11228
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:4632
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4632 -s 876
    3⤵
    - Program crash
    PID:11684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:10180
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:6732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:8908
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:4128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe"
1⤵
PID:11708
- C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe
  2⤵
  PID:7272
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3416
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TdcbblDJ951e.bat" "
    3⤵
    PID:10840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:11312
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:5592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:11692
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:8124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:3360
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:4688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:6584
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:8416
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 8416 -s 772
    3⤵
    - Program crash
    PID:10376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:10640
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:11100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:2544
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:11916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:4896
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:8876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:10952
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:2244
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:9808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:8776
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:9888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:11864
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:11008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:11972
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:5828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:6032
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:3476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:9592
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:6332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:6292
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:8348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:12280
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:9484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:6120
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:10804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:7392
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:3828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:8116
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:5360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:9276
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:11324

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:10656
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:11628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:1104
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:2792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:5388
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:8360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:8696
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:8824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:10048
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:12180

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:11376
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:11300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:11152
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:11608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:9416
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:12208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:9988
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:11660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:10224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:8688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:10860
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:7964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:10652
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:7316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:6500
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:10192

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3ea6855 /state1:0x41c64e6d
1⤵
PID:3880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Creal.exe"
1⤵
PID:6360
- C:\Users\Admin\AppData\Local\Temp\Files\Creal.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Creal.exe
  2⤵
  PID:8308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 8416 -ip 8416
1⤵
PID:7800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:7636
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:10920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:7864
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:10080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:9124
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:6012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:11756
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:5796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:9732
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:11848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:11772
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:9188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4632 -ip 4632
1⤵
PID:10248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:8448
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:10660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:5936
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:7480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:9740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:9052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:9968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:10600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\windows\resources\themes\explorer.exe RO
1⤵
PID:7548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\windows\resources\svchost.exe RO
1⤵
PID:11456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\windows\resources\themes\explorer.exe
1⤵
PID:9816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\windows\resources\svchost.exe
1⤵
PID:10984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe"
1⤵
PID:8284

C:\Users\Admin\AppData\Local\Temp\f1e82329e5\namez.exe
C:\Users\Admin\AppData\Local\Temp\f1e82329e5\namez.exe
1⤵
PID:10016

C:\Users\Admin\AppData\Local\Temp\fc9e0aaab7\defnur.exe
C:\Users\Admin\AppData\Local\Temp\fc9e0aaab7\defnur.exe
1⤵
PID:7744

C:\ProgramData\muhhi\ntcmn.exe
C:\ProgramData\muhhi\ntcmn.exe
1⤵
PID:1440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Wave.exe
1⤵
PID:11308

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:10604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:1352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:4776
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:7268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:7216
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:11556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:9752
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:7800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:2720
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:7000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:10500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:5332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:6776
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:9016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:11416
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:4732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:12256
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:7024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:7328
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:6448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe"
1⤵
PID:4964
- C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Client.exe
  2⤵
  PID:7796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:4496
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:2900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:11096
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:10948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:3780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:2880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:4696
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:8664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:9876
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:5380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:7920
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:10288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:8948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:7212
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:11424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:7412
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:8176
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:1556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:7580
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:4316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:8760
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:10276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:8752
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:6504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:2288
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:11828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:9020
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:10148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:968
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:12184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:3472
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:9628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:1088
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:10168

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:8396
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:6004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:2080
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:4512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:8324
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:2268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:6228
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:7692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:7020
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:11868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:6984
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:5696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:5592
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:10480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:8012
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:5496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:1952
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:5652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:2512
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:9276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:1204

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:10076
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:6068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:6992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:7816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:9288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:11716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:11996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:10440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:9504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:2808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:8400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:11324

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:11400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:3392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:3736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:2032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:4984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:8576
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:11464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:10992
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:7988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:2672
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:7892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:4896
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:6040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:8892
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:5344

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:8980
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:8616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:6976
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:12216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:8744
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:4396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:9640
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:8188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:9980
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:1152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:432
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:9744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:10064
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:6160

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:2952
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:9024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:2892
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:1428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:7364
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:6652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:12244
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:10508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:2408
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:5472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:1784
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:10200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:10448
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:9352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:3848
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:11292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:5104
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:3476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:7112
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:6716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:8196
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:5280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:10436
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:6172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:9364
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:10516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:5856
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:11160

C:\Users\Admin\AppData\Local\Temp\f1e82329e5\namez.exe
C:\Users\Admin\AppData\Local\Temp\f1e82329e5\namez.exe
1⤵
PID:8636

C:\Users\Admin\AppData\Local\Temp\fc9e0aaab7\defnur.exe
C:\Users\Admin\AppData\Local\Temp\fc9e0aaab7\defnur.exe
1⤵
PID:10780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:4132
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:3880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:4044
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:11776

C:\ProgramData\muhhi\ntcmn.exe
C:\ProgramData\muhhi\ntcmn.exe
1⤵
PID:1776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:6896
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:5836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:5720
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:11180

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:11856
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:3464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:6372
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:9860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:4260
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:4340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:3532
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:5352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:9252
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:10304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:12112
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:8260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:8504
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:6760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:9392
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:6376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:12204
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:4048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:11596
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:2900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:9952
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:4860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:10384
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:4548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:100
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:6392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:6136
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:12068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:5332
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:2580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:4564
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:1236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:3496
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:5416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:10908
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:11112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:1940
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:5400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:4404
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:7448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:6252
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:10864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:3420
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:8108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:8148
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:1204

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:6272
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:10184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:7508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:6576
- C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Files\Server.exe ..
  2⤵
  PID:540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:11416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:6092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:5944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:1620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:8900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:8136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:8380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:6668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:2716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:3588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:4800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:10644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:8056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:3200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:8956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:5448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe" ..
1⤵
PID:11336

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

Remote System Discovery

T1018

System Information Discovery