blackmoon | 86634d71d3f5222dbc006286a0550d5f0ab5f9425b10bf29b36e28517a7a8fb8

Analysis

max time kernel
149s
max time network
102s
platform
windows11-21h2_x64
resource
win11-20250410-en
resource tags

arch:x64arch:x86image:win11-20250410-enlocale:en-usos:windows11-21h2-x64system
submitted
22/04/2025, 02:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_cc19f145489cbdfea8b86789a5897e92.exe
Size

179KB
MD5

cc19f145489cbdfea8b86789a5897e92
SHA1

d137788d1c609dc801aec1eb314ea9c81aefff94
SHA256

86634d71d3f5222dbc006286a0550d5f0ab5f9425b10bf29b36e28517a7a8fb8
SHA512

7b5adc783c9619a1773cf66c9e4272215b0ac0dbae4d2d5611229a497039f864f275543d4f636580c0ea794837eacf4452461b722c3e724ed84e23854f87ada3
SSDEEP

3072:Q+twMj1oKKMWfSp+RgCq84f9Z2Pmj13qgiyfs/mjN1/O9H02T1XDPEHnf9Wu:xtwXnMWffgCqp9cg6kBT8HJTlPE1Wu

Score

10^/10

blackmoon banker defense_evasion discovery persistence trojan vmprotect

Malware Config

Signatures

Blackmoon family
blackmoon
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 1 IoCs

resource	yara_rule
behavioral2/memory/952-18-0x0000000000400000-0x0000000000449200-memory.dmp	family_blackmoon

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	JaffaCakes118_cc19f145489cbdfea8b86789a5897e92.exe

Executes dropped EXE 1 IoCs

pid	Process
1708	Cmweu1u.exe

Loads dropped DLL 64 IoCs

pid	Process
5288	rundll32.exe
2236	rundll32.exe
4112	rundll32.exe
1048	rundll32.exe
3068	rundll32.exe
1180	rundll32.exe
2724	rundll32.exe
3080	rundll32.exe
5332	rundll32.exe
2968	rundll32.exe
3548	rundll32.exe
5256	rundll32.exe
4608	rundll32.exe
4884	rundll32.exe
3184	rundll32.exe
1156	rundll32.exe
5128	rundll32.exe
488	rundll32.exe
2272	rundll32.exe
3176	rundll32.exe
3240	rundll32.exe
4476	rundll32.exe
5284	rundll32.exe
4904	rundll32.exe
4516	rundll32.exe
5024	rundll32.exe
2332	rundll32.exe
5016	rundll32.exe
3224	rundll32.exe
5008	rundll32.exe
4872	rundll32.exe
4852	rundll32.exe
5232	rundll32.exe
6072	rundll32.exe
5820	rundll32.exe
1376	rundll32.exe
3908	rundll32.exe
6088	rundll32.exe
2732	rundll32.exe
4336	rundll32.exe
5248	rundll32.exe
5368	rundll32.exe
1168	rundll32.exe
1732	rundll32.exe
1692	rundll32.exe
972	rundll32.exe
1492	rundll32.exe
4636	rundll32.exe
4680	rundll32.exe
6056	rundll32.exe
840	rundll32.exe
2716	rundll32.exe
2348	rundll32.exe
2784	rundll32.exe
1032	rundll32.exe
3180	rundll32.exe
4956	rundll32.exe
5588	rundll32.exe
2324	rundll32.exe
5040	rundll32.exe
3616	rundll32.exe
708	rundll32.exe
1648	rundll32.exe
5392	rundll32.exe

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral2/files/0x001a00000002b17d-13.dat	vmprotect

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1492919288-2219487354-2015056034-1000\Software\Microsoft\Windows\CurrentVersion\Run\Configuring = "rundll32.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\240611484.txt,M"	rundll32.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmweu1u.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
952	JaffaCakes118_cc19f145489cbdfea8b86789a5897e92.exe
952	JaffaCakes118_cc19f145489cbdfea8b86789a5897e92.exe
952	JaffaCakes118_cc19f145489cbdfea8b86789a5897e92.exe
952	JaffaCakes118_cc19f145489cbdfea8b86789a5897e92.exe
952	JaffaCakes118_cc19f145489cbdfea8b86789a5897e92.exe
952	JaffaCakes118_cc19f145489cbdfea8b86789a5897e92.exe
952	JaffaCakes118_cc19f145489cbdfea8b86789a5897e92.exe
952	JaffaCakes118_cc19f145489cbdfea8b86789a5897e92.exe
5288	rundll32.exe
5288	rundll32.exe
952	JaffaCakes118_cc19f145489cbdfea8b86789a5897e92.exe
952	JaffaCakes118_cc19f145489cbdfea8b86789a5897e92.exe
5288	rundll32.exe
5288	rundll32.exe
4112	rundll32.exe
4112	rundll32.exe
1048	rundll32.exe
1048	rundll32.exe
3068	rundll32.exe
3068	rundll32.exe
1180	rundll32.exe
1180	rundll32.exe
2724	rundll32.exe
2724	rundll32.exe
3080	rundll32.exe
3080	rundll32.exe
5332	rundll32.exe
5332	rundll32.exe
2968	rundll32.exe
2968	rundll32.exe
3548	rundll32.exe
3548	rundll32.exe
5256	rundll32.exe
5256	rundll32.exe
4608	rundll32.exe
4608	rundll32.exe
4884	rundll32.exe
4884	rundll32.exe
3184	rundll32.exe
3184	rundll32.exe
1156	rundll32.exe
1156	rundll32.exe
5128	rundll32.exe
5128	rundll32.exe
488	rundll32.exe
488	rundll32.exe
2272	rundll32.exe
2272	rundll32.exe
3176	rundll32.exe
3176	rundll32.exe
3240	rundll32.exe
3240	rundll32.exe
4476	rundll32.exe
4476	rundll32.exe
5284	rundll32.exe
5284	rundll32.exe
4904	rundll32.exe
4904	rundll32.exe
4516	rundll32.exe
4516	rundll32.exe
5024	rundll32.exe
5024	rundll32.exe
2332	rundll32.exe
2332	rundll32.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
5288	rundll32.exe
2236	rundll32.exe
4112	rundll32.exe
1048	rundll32.exe
3068	rundll32.exe
1180	rundll32.exe
2724	rundll32.exe
3080	rundll32.exe
5332	rundll32.exe
2968	rundll32.exe
3548	rundll32.exe
5256	rundll32.exe
4608	rundll32.exe
4884	rundll32.exe
3184	rundll32.exe
1156	rundll32.exe
5128	rundll32.exe
488	rundll32.exe
2272	rundll32.exe
3176	rundll32.exe
3240	rundll32.exe
4476	rundll32.exe
5284	rundll32.exe
4904	rundll32.exe
4516	rundll32.exe
5024	rundll32.exe
2332	rundll32.exe
5016	rundll32.exe
3224	rundll32.exe
5008	rundll32.exe
4872	rundll32.exe
4852	rundll32.exe
5232	rundll32.exe
6072	rundll32.exe
5820	rundll32.exe
1376	rundll32.exe
3908	rundll32.exe
6088	rundll32.exe
2732	rundll32.exe
4336	rundll32.exe
5248	rundll32.exe
5368	rundll32.exe
1168	rundll32.exe
1732	rundll32.exe
1692	rundll32.exe
972	rundll32.exe
1492	rundll32.exe
4636	rundll32.exe
4680	rundll32.exe
6056	rundll32.exe
840	rundll32.exe
2716	rundll32.exe
2348	rundll32.exe
2784	rundll32.exe
1032	rundll32.exe
3180	rundll32.exe
4956	rundll32.exe
5588	rundll32.exe
2324	rundll32.exe
5040	rundll32.exe
3616	rundll32.exe
708	rundll32.exe
1648	rundll32.exe
5392	rundll32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 952 wrote to memory of 1708	952	JaffaCakes118_cc19f145489cbdfea8b86789a5897e92.exe	79
PID 952 wrote to memory of 1708	952	JaffaCakes118_cc19f145489cbdfea8b86789a5897e92.exe	79
PID 952 wrote to memory of 1708	952	JaffaCakes118_cc19f145489cbdfea8b86789a5897e92.exe	79
PID 1708 wrote to memory of 5288	1708	Cmweu1u.exe	80
PID 1708 wrote to memory of 5288	1708	Cmweu1u.exe	80
PID 1708 wrote to memory of 5288	1708	Cmweu1u.exe	80
PID 1708 wrote to memory of 1056	1708	Cmweu1u.exe	81
PID 1708 wrote to memory of 1056	1708	Cmweu1u.exe	81
PID 1708 wrote to memory of 1056	1708	Cmweu1u.exe	81
PID 952 wrote to memory of 4940	952	JaffaCakes118_cc19f145489cbdfea8b86789a5897e92.exe	83
PID 952 wrote to memory of 4940	952	JaffaCakes118_cc19f145489cbdfea8b86789a5897e92.exe	83
PID 952 wrote to memory of 4940	952	JaffaCakes118_cc19f145489cbdfea8b86789a5897e92.exe	83
PID 5080 wrote to memory of 2292	5080	cmd.exe	87
PID 5080 wrote to memory of 2292	5080	cmd.exe	87
PID 2292 wrote to memory of 2236	2292	rundll32.exe	88
PID 2292 wrote to memory of 2236	2292	rundll32.exe	88
PID 2292 wrote to memory of 2236	2292	rundll32.exe	88
PID 5348 wrote to memory of 1092	5348	cmd.exe	91
PID 5348 wrote to memory of 1092	5348	cmd.exe	91
PID 1092 wrote to memory of 4112	1092	rundll32.exe	92
PID 1092 wrote to memory of 4112	1092	rundll32.exe	92
PID 1092 wrote to memory of 4112	1092	rundll32.exe	92
PID 1060 wrote to memory of 2368	1060	cmd.exe	95
PID 1060 wrote to memory of 2368	1060	cmd.exe	95
PID 2368 wrote to memory of 1048	2368	rundll32.exe	96
PID 2368 wrote to memory of 1048	2368	rundll32.exe	96
PID 2368 wrote to memory of 1048	2368	rundll32.exe	96
PID 3660 wrote to memory of 2504	3660	cmd.exe	99
PID 3660 wrote to memory of 2504	3660	cmd.exe	99
PID 2504 wrote to memory of 3068	2504	rundll32.exe	100
PID 2504 wrote to memory of 3068	2504	rundll32.exe	100
PID 2504 wrote to memory of 3068	2504	rundll32.exe	100
PID 1044 wrote to memory of 960	1044	cmd.exe	103
PID 1044 wrote to memory of 960	1044	cmd.exe	103
PID 960 wrote to memory of 1180	960	rundll32.exe	104
PID 960 wrote to memory of 1180	960	rundll32.exe	104
PID 960 wrote to memory of 1180	960	rundll32.exe	104
PID 552 wrote to memory of 6072	552	cmd.exe	107
PID 552 wrote to memory of 6072	552	cmd.exe	107
PID 6072 wrote to memory of 2724	6072	rundll32.exe	108
PID 6072 wrote to memory of 2724	6072	rundll32.exe	108
PID 6072 wrote to memory of 2724	6072	rundll32.exe	108
PID 5204 wrote to memory of 612	5204	cmd.exe	111
PID 5204 wrote to memory of 612	5204	cmd.exe	111
PID 612 wrote to memory of 3080	612	rundll32.exe	112
PID 612 wrote to memory of 3080	612	rundll32.exe	112
PID 612 wrote to memory of 3080	612	rundll32.exe	112
PID 5380 wrote to memory of 5448	5380	cmd.exe	115
PID 5380 wrote to memory of 5448	5380	cmd.exe	115
PID 5448 wrote to memory of 5332	5448	rundll32.exe	116
PID 5448 wrote to memory of 5332	5448	rundll32.exe	116
PID 5448 wrote to memory of 5332	5448	rundll32.exe	116
PID 3468 wrote to memory of 2064	3468	cmd.exe	119
PID 3468 wrote to memory of 2064	3468	cmd.exe	119
PID 2064 wrote to memory of 2968	2064	rundll32.exe	120
PID 2064 wrote to memory of 2968	2064	rundll32.exe	120
PID 2064 wrote to memory of 2968	2064	rundll32.exe	120
PID 3400 wrote to memory of 5904	3400	cmd.exe	123
PID 3400 wrote to memory of 5904	3400	cmd.exe	123
PID 5904 wrote to memory of 3548	5904	rundll32.exe	124
PID 5904 wrote to memory of 3548	5904	rundll32.exe	124
PID 5904 wrote to memory of 3548	5904	rundll32.exe	124
PID 832 wrote to memory of 2664	832	cmd.exe	127
PID 832 wrote to memory of 2664	832	cmd.exe	127

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cc19f145489cbdfea8b86789a5897e92.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cc19f145489cbdfea8b86789a5897e92.exe"
1⤵
- Drops file in Drivers directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:952
- C:\Users\Admin\AppData\Local\Temp\Cmweu1u.exe
  C:\Users\Admin\AppData\Local\Temp\Cmweu1u.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1708
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\system32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
    3⤵
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:5288
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\240611484.bat
    3⤵
    PID:1056
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cc19f145489cbdfea8b86789a5897e92.exe"
  2⤵
  PID:4940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
1⤵
- Suspicious use of WriteProcessMemory
PID:5080
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2292
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
1⤵
- Suspicious use of WriteProcessMemory
PID:5348
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1092
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
    3⤵
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
1⤵
- Suspicious use of WriteProcessMemory
PID:1060
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2368
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
    3⤵
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
1⤵
- Suspicious use of WriteProcessMemory
PID:3660
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2504
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
    3⤵
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
1⤵
- Suspicious use of WriteProcessMemory
PID:1044
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:960
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
    3⤵
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1180

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
1⤵
- Suspicious use of WriteProcessMemory
PID:552
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:6072
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
1⤵
- Suspicious use of WriteProcessMemory
PID:5204
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:612
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
    3⤵
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
1⤵
- Suspicious use of WriteProcessMemory
PID:5380
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5448
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
    3⤵
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:5332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
1⤵
- Suspicious use of WriteProcessMemory
PID:3468
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2064
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
1⤵
- Suspicious use of WriteProcessMemory
PID:3400
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5904
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
    3⤵
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
1⤵
- Suspicious use of WriteProcessMemory
PID:832
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
  2⤵
  PID:2664
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
    3⤵
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:5256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
1⤵
PID:3784
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
  2⤵
  PID:6124
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
    3⤵
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
1⤵
PID:5368
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
  2⤵
  PID:1224
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
1⤵
PID:1420
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
  2⤵
  PID:3552
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
    3⤵
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
1⤵
PID:3936
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
  2⤵
  PID:5860
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
1⤵
PID:1360
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
  2⤵
  PID:4676
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
    3⤵
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:5128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
1⤵
PID:1120
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
  2⤵
  PID:6132
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
    3⤵
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
1⤵
PID:1312
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
  2⤵
  PID:1588
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
1⤵
PID:3816
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
  2⤵
  PID:4544
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
1⤵
PID:5312
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
  2⤵
  PID:3780
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
1⤵
PID:5296
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
  2⤵
  PID:4248
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
    3⤵
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
1⤵
PID:864
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
  2⤵
  PID:5156
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:5284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
1⤵
PID:1248
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
  2⤵
  PID:2976
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
    3⤵
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
1⤵
PID:2920
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
  2⤵
  PID:3012
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
1⤵
PID:3700
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
  2⤵
  PID:5052
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:5024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
1⤵
PID:432
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
  2⤵
  PID:3980
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
1⤵
PID:5272
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
  2⤵
  PID:4924
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:5016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
1⤵
PID:4856
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
  2⤵
  PID:2292
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
    3⤵
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:3224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
1⤵
PID:4496
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
  2⤵
  PID:1092
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:5008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
1⤵
PID:4836
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
  2⤵
  PID:2368
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
    3⤵
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:4872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
1⤵
PID:2236
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
  2⤵
  PID:3200
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
    3⤵
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:4852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
1⤵
PID:4736
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
  2⤵
  PID:4000
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
    3⤵
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:5232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
1⤵
PID:2056
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
  2⤵
  PID:2724
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
    3⤵
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:6072

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
1⤵
PID:5236
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
  2⤵
  PID:5840
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
    3⤵
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:5820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
1⤵
PID:2672
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
  2⤵
  PID:5608
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
1⤵
PID:6044
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
  2⤵
  PID:2260
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
    3⤵
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:3908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
1⤵
PID:4160
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
  2⤵
  PID:1008
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:6088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
1⤵
PID:5904
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
  2⤵
  PID:2496
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
1⤵
PID:1552
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
  2⤵
  PID:3344
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
    3⤵
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:4336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
1⤵
PID:3968
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
  2⤵
  PID:2436
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:5248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
1⤵
PID:4352
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
  2⤵
  PID:3152
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
    3⤵
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:5368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
1⤵
PID:2412
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
  2⤵
  PID:2500
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1168

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
1⤵
PID:3328
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
  2⤵
  PID:5648
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
    3⤵
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:1732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
1⤵
PID:1608
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
  2⤵
  PID:1360
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
    3⤵
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:1692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
1⤵
PID:5592
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
  2⤵
  PID:1652
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
1⤵
PID:1164
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
  2⤵
  PID:1592
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
    3⤵
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:1492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
1⤵
PID:5224
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
  2⤵
  PID:792
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
1⤵
PID:5992
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
  2⤵
  PID:2916
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
1⤵
PID:5864
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
  2⤵
  PID:4084
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
    3⤵
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:6056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
1⤵
PID:5516
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
  2⤵
  PID:3244
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
1⤵
PID:2376
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
  2⤵
  PID:2268
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
    3⤵
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:2716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
1⤵
PID:2136
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
  2⤵
  PID:1896
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
1⤵
PID:104
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
  2⤵
  PID:4764
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
    3⤵
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:2784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
1⤵
PID:2256
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
  2⤵
  PID:3484
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
1⤵
PID:4752
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
  2⤵
  PID:4936
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3180

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
1⤵
PID:5108
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
  2⤵
  PID:5276
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
    3⤵
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:4956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
1⤵
PID:3596
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
  2⤵
  PID:5384
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:5588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
1⤵
PID:4656
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
  2⤵
  PID:924
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
    3⤵
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:2324

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
1⤵
PID:6076
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
  2⤵
  PID:3068
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
    3⤵
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:5040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
1⤵
PID:756
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
  2⤵
  PID:1180
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
    3⤵
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:3616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
1⤵
PID:1392
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
  2⤵
  PID:2724
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
1⤵
PID:1044
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
  2⤵
  PID:5200
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
1⤵
PID:716
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
  2⤵
  PID:1920
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
    3⤵
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:5392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
1⤵
PID:4912
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
  2⤵
  PID:3908
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
1⤵
PID:4488
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
  2⤵
  PID:1528
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
    3⤵
    PID:3120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
1⤵
PID:6008
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
  2⤵
  PID:5256
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
    3⤵
    PID:1480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
1⤵
PID:2180
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
  2⤵
  PID:5044
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
    3⤵
    PID:4336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
1⤵
PID:6096
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
  2⤵
  PID:5500
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
1⤵
PID:4840
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
  2⤵
  PID:2220
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
    3⤵
    PID:4884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
1⤵
PID:1952
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
  2⤵
  PID:5068
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
    3⤵
    PID:6068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
1⤵
PID:2500
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
  2⤵
  PID:3748
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
    3⤵
    - System Location Discovery: System Language Discovery
    PID:764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
1⤵
PID:5856
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
  2⤵
  PID:2804
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
1⤵
PID:3160
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
  2⤵
  PID:1512
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
1⤵
PID:5352
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
  2⤵
  PID:5184
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
    3⤵
    PID:1312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
1⤵
PID:1812
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
  2⤵
  PID:576
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
    3⤵
    PID:3752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
1⤵
PID:3256
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
  2⤵
  PID:2544
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
1⤵
PID:5784
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
  2⤵
  PID:5736
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
    3⤵
    PID:5696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
1⤵
PID:3924
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
  2⤵
  PID:5896
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
1⤵
PID:1892
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
  2⤵
  PID:5160
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
    3⤵
    PID:4236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
1⤵
PID:4600
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
  2⤵
  PID:2268
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
1⤵
PID:2480
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
  2⤵
  PID:740
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
    3⤵
    PID:6000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
1⤵
PID:400
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
  2⤵
  PID:1880
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
1⤵
PID:3992
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
  2⤵
  PID:1032
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
    3⤵
    PID:3484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
1⤵
PID:3096
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
  2⤵
  PID:3180
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
1⤵
PID:2588
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
  2⤵
  PID:2212
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
1⤵
PID:4996
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
  2⤵
  PID:3788
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
1⤵
PID:3892
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
  2⤵
  PID:456
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
    3⤵
    PID:1048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
1⤵
PID:4880
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
  2⤵
  PID:2308
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
1⤵
PID:1380
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
  2⤵
  PID:4736
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
    3⤵
    PID:2692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
1⤵
PID:3896
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
  2⤵
  PID:1204
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
    3⤵
    PID:656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
1⤵
PID:3656
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
  2⤵
  PID:3660
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
    3⤵
    PID:872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
1⤵
PID:2860
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
  2⤵
  PID:5820
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
    3⤵
    PID:4220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
1⤵
PID:5264
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
  2⤵
  PID:5332
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
    3⤵
    PID:716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
1⤵
PID:2752
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
  2⤵
  PID:1096
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
    3⤵
    PID:4912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
1⤵
PID:3548
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
  2⤵
  PID:3964
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
1⤵
PID:680
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
  2⤵
  PID:4480
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
    3⤵
    PID:4460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
1⤵
PID:980
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
  2⤵
  PID:2436
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
    3⤵
    PID:2088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
1⤵
PID:2708
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
  2⤵
  PID:3152
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
    3⤵
    PID:4644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
1⤵
PID:6124
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
  2⤵
  PID:3376
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
1⤵
PID:5368
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
  2⤵
  PID:1732
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
    3⤵
    PID:764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
1⤵
PID:3184
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
  2⤵
  PID:4232
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
1⤵
PID:2804
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
  2⤵
  PID:4092
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
    3⤵
    PID:6052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
1⤵
PID:4876
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
  2⤵
  PID:736
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
    3⤵
    PID:1608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
1⤵
PID:904
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
  2⤵
  PID:5412
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
1⤵
PID:4816
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
  2⤵
  PID:5404
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
    3⤵
    PID:4024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
1⤵
PID:6128
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
  2⤵
  PID:2300
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
    3⤵
    PID:4572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
1⤵
PID:2156
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
  2⤵
  PID:4636
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
    3⤵
    PID:792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
1⤵
PID:5644
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
  2⤵
  PID:3240
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
1⤵
PID:2384
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
  2⤵
  PID:5732
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
    3⤵
    PID:5720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
1⤵
PID:5296
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
  2⤵
  PID:4084
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
    3⤵
    PID:3696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
1⤵
PID:4304
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
  2⤵
  PID:5056
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
    3⤵
    PID:4700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
1⤵
PID:1388
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
  2⤵
  PID:2356
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
    3⤵
    PID:2716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
1⤵
PID:4804
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
  2⤵
  PID:1896
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
1⤵
PID:2480
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
  2⤵
  PID:4772
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
    3⤵
    PID:4768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
1⤵
PID:2784
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
  2⤵
  PID:1708
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
1⤵
PID:432
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
  2⤵
  PID:5272
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
1⤵
PID:480
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
  2⤵
  PID:5276
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
1⤵
PID:4984
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
  2⤵
  PID:5604
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
    3⤵
    PID:4112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
1⤵
PID:3796
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
  2⤵
  PID:1048
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
    3⤵
    - System Location Discovery: System Language Discovery
    PID:456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
1⤵
PID:4216
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
  2⤵
  PID:5040
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
    3⤵
    PID:2308

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
1⤵
PID:4540
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
  2⤵
  PID:3616
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
1⤵
PID:4852
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
  2⤵
  PID:5336
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
1⤵
PID:4280
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
  2⤵
  PID:708
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
1⤵
PID:4632
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
  2⤵
  PID:420
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
    3⤵
    PID:1044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
1⤵
PID:5840
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
  2⤵
  PID:3928
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
    3⤵
    PID:5236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
1⤵
PID:5872
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
  2⤵
  PID:860
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
1⤵
PID:1064
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
  2⤵
  PID:5464
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
    3⤵
    PID:660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
1⤵
PID:4160
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
  2⤵
  PID:5416
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
    3⤵
    PID:5060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
1⤵
PID:2464
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
  2⤵
  PID:3736
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
1⤵
PID:6080
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
  2⤵
  PID:788
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
    3⤵
    PID:2296

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
1⤵
PID:3428
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
  2⤵
  PID:5244
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
1⤵
PID:1220
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
  2⤵
  PID:764
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
    3⤵
    PID:3936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
1⤵
PID:1644
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
  2⤵
  PID:5324
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
1⤵
PID:5208
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
  2⤵
  PID:2312
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
    3⤵
    PID:2448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
1⤵
PID:736
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
  2⤵
  PID:1548
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
1⤵
PID:5412
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
  2⤵
  PID:436
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
    3⤵
    PID:1004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
1⤵
PID:3524
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
  2⤵
  PID:4128
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
1⤵
PID:1928
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
  2⤵
  PID:2972
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
    3⤵
    PID:5912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
1⤵
PID:2028
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
  2⤵
  PID:4680
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
    3⤵
    PID:5744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
1⤵
PID:5780
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
  2⤵
  PID:5764
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
    3⤵
    PID:6056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
1⤵
PID:3004
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
  2⤵
  PID:5472
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
    3⤵
    - System Location Discovery: System Language Discovery
    PID:892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
1⤵
PID:3380
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
  2⤵
  PID:4452
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
    3⤵
    PID:4696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
1⤵
PID:864
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
  2⤵
  PID:6040
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\240611484.txt,M
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1896

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\240611484.bat

Filesize
130B

MD5
18d8285d786ec10eaa0740b9f10d74dd

SHA1
3a187102cd1633dd748812755d2125ed97c2e1fb

SHA256
4017bab15ad44309f3ff122d0cfe18c2a1d0cf1046937b76a589596f919b68f1

SHA512
4c1e6ce596b0a5165ee072505721de47393cd4cee1ab030404e82e94a5963bb7f805ef4ffa62a1af158cafe2b9eb5d3f66fd7b4098ac9a112684cfea7b360db2

Download Submit
C:\Users\Admin\AppData\Local\Temp\240611484.txt

Filesize
112KB

MD5
517caa9f653c03b451e7ddae0a802cca

SHA1
602ffbb74ed53646b8822efac96ee7ef3743c8bb

SHA256
55745c824b8c4e06e3f9374ba34eb880a5e95614aa3d07d70a31845459f0ccc0

SHA512
a80bfe58940b284f19eb515402df2acec7ec212b762eaf9ef8e10fb8ee81541268d287ec28496be09e0b7f7354a013558217682c8f016b4c11a051259fc7f999

Download Submit
memory/952-0-0x0000000000400000-0x0000000000449200-memory.dmp

Filesize
292KB

Download
memory/952-18-0x0000000000400000-0x0000000000449200-memory.dmp

Filesize
292KB

Download
memory/1708-6-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1708-12-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download