nanocore | a11a2b4877664bfacaa49ce46f161af9e03c0a044832260da0c6977c610cbaae

Target

9b61e86cf6899344b6e9564e1dbfacc24c8a99e9e9be8cd8f764dba7d4f7927e.bin.exe
Size

1.1MB
MD5

aa4c23269c9b3026cf16225badbf7d5f
SHA1

78247b69edd8cf0bdc064fcae5ab31470c62ab3a
SHA256

9b61e86cf6899344b6e9564e1dbfacc24c8a99e9e9be8cd8f764dba7d4f7927e
SHA512

c9d6716616ddd6cd2ccf4679af1fbd2dff587f89ba89745c122d82fa8aabd6762a59534ad002c4ea5ddc9373328fbae7588f9d4b071f1083ce91915a73f7ab3c

Score

10^/10

nanocore netwire wshrat botnet evasion keylogger persistence rat spyware stealer trojan upx

Malware Config

Extracted

Family

netwire

donphilongz.org:5005

Attributes

activex_autorun
false
activex_key
copy_executable
true
delete_original
false
host_id
HostId-%Rand%
install_path
%AppData%\Install\Host.exe
keylogger_dir
%AppData%\Logs\
lock_executable
false
mutex
uTGwFNvi
offline_keylogger
true
password
Password
registry_autorun
true
startup_name
NetWire
use_mutex
true

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

NetWire RAT payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/520-133-0x0000000000400000-0x0000000000430000-memory.dmp	netwire
behavioral1/memory/852-177-0x0000000000400000-0x0000000000430000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
trojan wshrat
Blocklisted process makes network request 5 IoCs

Processes:

wscript.exewscript.exe

flow pid process

14 1148 wscript.exe
16 1640 wscript.exe
19 1148 wscript.exe
23 1148 wscript.exe
28 1148 wscript.exe

flow	pid	process
14	1148	wscript.exe
16	1640	wscript.exe
19	1148	wscript.exe
23	1148	wscript.exe
28	1148	wscript.exe

Executes dropped EXE 64 IoCs

Processes:

syststemfile.exesystemfiles.exesystemstability.exesystemefile.exesystemefile.exesystemstability.exesystemefile.exesystemstability.exeHost.exesystemefile.exesystemefile.exesystemefile.exesystemefile.exesystemefile.exesystemefile.exesystemefile.exesystemefile.exesystemefile.exesystemefile.exenotepad.exesystemefile.exesystemefile.exesystemefile.exesystemefile.exesystemefile.exesystemefile.exesystemefile.exesystemefile.exesystemefile.exesystemefile.exesystemefile.exeHost.exesystemefile.exesystemefile.exeDllHost.exesystemefile.exesystemefile.exesystemefile.exeHost.exenotepad.exesystemefile.exesystemefile.exesystemefile.exesystemefile.exesystemefile.exesystemefile.exesystemefile.exeHost.exe

pid	process
1980	syststemfile.exe
1744	systemfiles.exe
1544	systemstability.exe
1548	systemefile.exe
520	systemefile.exe
1112	systemstability.exe
552	systemefile.exe
560	systemstability.exe
1564	Host.exe
1636	systemefile.exe
336	systemefile.exe
2036	systemefile.exe
952	systemefile.exe
852	systemefile.exe
836	systemefile.exe
1300	systemefile.exe
972	systemefile.exe
608	systemefile.exe
268	systemefile.exe
904	notepad.exe
1836	systemefile.exe
944	systemefile.exe
1704	systemefile.exe
1792	systemefile.exe
1140	systemefile.exe
1532	systemefile.exe
912	systemefile.exe
1468	systemefile.exe
1684	systemefile.exe
944	systemefile.exe
1832	systemefile.exe
1812	systemefile.exe
1560	Host.exe
1840	systemefile.exe
1772	systemefile.exe
904	notepad.exe
1140	systemefile.exe
1532	DllHost.exe
1284	systemefile.exe
1700	systemefile.exe
1560	systemefile.exe
2036	Host.exe
268	systemefile.exe
1320	notepad.exe
1532	DllHost.exe
1840	systemefile.exe
2036	Host.exe
1812	systemefile.exe
1616	systemefile.exe
1468	systemefile.exe
2032	systemefile.exe
2056	systemefile.exe
2072
2100	systemefile.exe
2108	systemefile.exe
2128
2148
2140	systemefile.exe
2172
2180
2200	systemefile.exe
2212	Host.exe
2248
2240

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1112-132-0x0000000000400000-0x000000000047F000-memory.dmp	upx

Drops startup file 19 IoCs

Processes:

notepad.exeWScript.exewscript.exesystemefile.exesystemefile.exesystemefile.exenotepad.exenotepad.exeDllHost.exewscript.exenotepad.exenotepad.exesystemefile.exesystemefile.exesystemefile.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\systemfiles.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\systemfiles878.js	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\systemfiles878.js	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\systemfiles.vbs	systemefile.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\systemfiles.vbs	systemefile.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\systemfiles.vbs	systemefile.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\systemfiles.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\systemfiles.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\systemfiles.vbs	DllHost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lfQEWRrrdw.js	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\systemfiles.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\systemfiles.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\systemfiles.vbs
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\systemstability.vbs	systemefile.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lfQEWRrrdw.js	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\systemfiles.vbs	systemefile.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\systemfiles.vbs	systemefile.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\systemfiles.vbs
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\systemfiles.vbs

Loads dropped DLL 64 IoCs

Processes:

9b61e86cf6899344b6e9564e1dbfacc24c8a99e9e9be8cd8f764dba7d4f7927e.bin.exenotepad.exesystemefile.exesystemefile.exesystemstability.exesystemefile.exesystemefile.exesystemefile.exenotepad.exesystemefile.exeHost.exesystemefile.exesystemefile.exesystemefile.exenotepad.exesystemefile.exesystemefile.exenotepad.exeDllHost.exeDllHost.exenotepad.exesystemefile.exesystemefile.exesystemefile.exesystemefile.exesystemefile.exesystemefile.exe

pid	process
1080	9b61e86cf6899344b6e9564e1dbfacc24c8a99e9e9be8cd8f764dba7d4f7927e.bin.exe
1080	9b61e86cf6899344b6e9564e1dbfacc24c8a99e9e9be8cd8f764dba7d4f7927e.bin.exe
1080	9b61e86cf6899344b6e9564e1dbfacc24c8a99e9e9be8cd8f764dba7d4f7927e.bin.exe
1080	9b61e86cf6899344b6e9564e1dbfacc24c8a99e9e9be8cd8f764dba7d4f7927e.bin.exe
1080	9b61e86cf6899344b6e9564e1dbfacc24c8a99e9e9be8cd8f764dba7d4f7927e.bin.exe
1080	9b61e86cf6899344b6e9564e1dbfacc24c8a99e9e9be8cd8f764dba7d4f7927e.bin.exe
1080	9b61e86cf6899344b6e9564e1dbfacc24c8a99e9e9be8cd8f764dba7d4f7927e.bin.exe
1080	9b61e86cf6899344b6e9564e1dbfacc24c8a99e9e9be8cd8f764dba7d4f7927e.bin.exe
1080	9b61e86cf6899344b6e9564e1dbfacc24c8a99e9e9be8cd8f764dba7d4f7927e.bin.exe
1080	9b61e86cf6899344b6e9564e1dbfacc24c8a99e9e9be8cd8f764dba7d4f7927e.bin.exe
1740	notepad.exe
1740	notepad.exe
836	systemefile.exe
836	systemefile.exe
1548	systemefile.exe
1548	systemefile.exe
1544	systemstability.exe
1544	systemstability.exe
520	systemefile.exe
520	systemefile.exe
552	systemefile.exe
1636	systemefile.exe
1636	systemefile.exe
1420	notepad.exe
1420	notepad.exe
952	systemefile.exe
952	systemefile.exe
2036	Host.exe
1300	systemefile.exe
1300	systemefile.exe
608	systemefile.exe
268	systemefile.exe
268	systemefile.exe
904	notepad.exe
904	notepad.exe
1792	systemefile.exe
1792	systemefile.exe
1368	systemefile.exe
1368	systemefile.exe
680	notepad.exe
680	notepad.exe
1500	DllHost.exe
904	notepad.exe
1500	DllHost.exe
1532	DllHost.exe
1532	DllHost.exe
904	notepad.exe
904	notepad.exe
268	systemefile.exe
268	systemefile.exe
1320	notepad.exe
1320	notepad.exe
1840	systemefile.exe
1840	systemefile.exe
2100	systemefile.exe
2100	systemefile.exe
2092	systemefile.exe
2092	systemefile.exe
2108	systemefile.exe
2164	systemefile.exe
2164	systemefile.exe
2180
2276	systemefile.exe
2276	systemefile.exe

Adds Run key to start application 2 TTPs 14 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

WScript.exewscript.exesystemefile.exewscript.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\software\Wow6432Node\microsoft\windows\currentversion\run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\systemfiles878 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\systemfiles878.js\""	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\systemfiles878 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\systemfiles878.js\""	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\	systemefile.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\lfQEWRrrdw = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\lfQEWRrrdw.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\lfQEWRrrdw = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\lfQEWRrrdw.js\""	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\systemfiles878 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\systemfiles878.js\""	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\software\microsoft\windows\currentversion\run	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\NetWire = "C:\\Users\\Admin\\AppData\\Roaming\\appdata\\systemefile.exe"	systemefile.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\systemfiles878 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\systemfiles878.js\""	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\software\microsoft\windows\currentversion\run	wscript.exe
Key created	\REGISTRY\MACHINE\software\Wow6432Node\microsoft\windows\currentversion\run	wscript.exe
Key created	\REGISTRY\MACHINE\software\Wow6432Node\microsoft\windows\currentversion\run	wscript.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

systemstability.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA systemstability.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

15 ip-api.com

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	systemstability.exe

flow	ioc
15	ip-api.com

Suspicious use of SetThreadContext 35 IoCs

Processes:

systemefile.exesystemstability.exesystemefile.exesystemefile.exesystemefile.exesystemefile.exesystemefile.exesystemefile.exesystemefile.exesystemefile.exenotepad.exeHost.exenotepad.exesystemefile.exesystemefile.exeHost.exesystemefile.exenotepad.exesystemefile.exe

description	pid	process	target process
PID 1548 set thread context of 520	1548	systemefile.exe	systemefile.exe
PID 1544 set thread context of 1112	1544	systemstability.exe	systemstability.exe
PID 1636 set thread context of 336	1636	systemefile.exe	systemefile.exe
PID 952 set thread context of 852	952	systemefile.exe	systemefile.exe
PID 1300 set thread context of 972	1300	systemefile.exe	systemefile.exe
PID 268 set thread context of 904	268	systemefile.exe	notepad.exe
PID 1704 set thread context of 1792	1704	systemefile.exe	systemefile.exe
PID 912 set thread context of 1684	912	systemefile.exe	systemefile.exe
PID 1468 set thread context of 1832	1468	systemefile.exe	systemefile.exe
PID 1812 set thread context of 1840	1812	systemefile.exe	systemefile.exe
PID 904 set thread context of 1532	904	notepad.exe	DllHost.exe
PID 2036 set thread context of 268	2036	Host.exe	systemefile.exe
PID 1320 set thread context of 1840	1320	notepad.exe	systemefile.exe
PID 1616 set thread context of 1468	1616	systemefile.exe	systemefile.exe
PID 2072 set thread context of 2100	2072		systemefile.exe
PID 2148 set thread context of 2172	2148
PID 2140 set thread context of 2200	2140	systemefile.exe	systemefile.exe
PID 2248 set thread context of 2276	2248		systemefile.exe
PID 2240 set thread context of 2308	2240
PID 2268 set thread context of 2368	2268		notepad.exe
PID 2316 set thread context of 2400	2316	Host.exe	systemefile.exe
PID 1700 set thread context of 2436	1700	systemefile.exe	systemefile.exe
PID 2520 set thread context of 2612	2520		systemefile.exe
PID 2376 set thread context of 2604	2376	notepad.exe
PID 2556 set thread context of 2688	2556	systemefile.exe	systemefile.exe
PID 2580 set thread context of 2740	2580		systemefile.exe
PID 2620 set thread context of 2760	2620		systemefile.exe
PID 2768 set thread context of 2836	2768		systemefile.exe
PID 2680 set thread context of 2880	2680		systemefile.exe
PID 2788 set thread context of 2872	2788
PID 2808 set thread context of 3040	2808
PID 3004 set thread context of 1300	3004		systemefile.exe
PID 2936 set thread context of 2072	2936
PID 2996 set thread context of 2100	2996		systemefile.exe
PID 2944 set thread context of 2136	2944		systemefile.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process

2408 2232 WerFault.exe

pid	pid_target	process
2408	2232	WerFault.exe

NTFS ADS 15 IoCs

Processes:

systemefile.exenotepad.exenotepad.exesystemefile.exenotepad.exeDllHost.exenotepad.exesystemefile.exesystemefile.exesystemefile.exenotepad.exesystemefile.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\appdata\systemstability.exe:ZoneIdentifier	systemefile.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe:ZoneIdentifier	notepad.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe:ZoneIdentifier	notepad.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe:ZoneIdentifier	systemefile.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe:ZoneIdentifier
File opened for modification	C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe:ZoneIdentifier	notepad.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe:ZoneIdentifier	DllHost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe:ZoneIdentifier	notepad.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe:ZoneIdentifier	systemefile.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe:ZoneIdentifier	systemefile.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe:ZoneIdentifier	systemefile.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe:ZoneIdentifier
File opened for modification	C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe:ZoneIdentifier
File created	C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe:ZoneIdentifier	notepad.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe:ZoneIdentifier	systemefile.exe

Script User-Agent 64 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	445	WSHRAT\|58B980FB\|MRBKYMNO\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 23/6/2021\|JavaScript-v1.6
HTTP User-Agent header	633	WSHRAT\|58B980FB\|MRBKYMNO\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 23/6/2021\|JavaScript-v1.6
HTTP User-Agent header	666	WSHRAT\|58B980FB\|MRBKYMNO\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 23/6/2021\|JavaScript-v1.6
HTTP User-Agent header	669	WSHRAT\|58B980FB\|MRBKYMNO\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 23/6/2021\|JavaScript-v1.6
HTTP User-Agent header	868	WSHRAT\|58B980FB\|MRBKYMNO\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 23/6/2021\|JavaScript-v1.6
HTTP User-Agent header	1127	WSHRAT\|58B980FB\|MRBKYMNO\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 23/6/2021\|JavaScript-v1.6
HTTP User-Agent header	116	WSHRAT\|58B980FB\|MRBKYMNO\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 23/6/2021\|JavaScript-v1.6
HTTP User-Agent header	467	WSHRAT\|58B980FB\|MRBKYMNO\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 23/6/2021\|JavaScript-v1.6
HTTP User-Agent header	574	WSHRAT\|58B980FB\|MRBKYMNO\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 23/6/2021\|JavaScript-v1.6
HTTP User-Agent header	1227	WSHRAT\|58B980FB\|MRBKYMNO\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 23/6/2021\|JavaScript-v1.6
HTTP User-Agent header	52	WSHRAT\|58B980FB\|MRBKYMNO\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 23/6/2021\|JavaScript-v1.6
HTTP User-Agent header	128	WSHRAT\|58B980FB\|MRBKYMNO\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 23/6/2021\|JavaScript-v1.6
HTTP User-Agent header	951	WSHRAT\|58B980FB\|MRBKYMNO\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 23/6/2021\|JavaScript-v1.6
HTTP User-Agent header	1222	WSHRAT\|58B980FB\|MRBKYMNO\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 23/6/2021\|JavaScript-v1.6
HTTP User-Agent header	559	WSHRAT\|58B980FB\|MRBKYMNO\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 23/6/2021\|JavaScript-v1.6
HTTP User-Agent header	983	WSHRAT\|58B980FB\|MRBKYMNO\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 23/6/2021\|JavaScript-v1.6
HTTP User-Agent header	1110	WSHRAT\|58B980FB\|MRBKYMNO\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 23/6/2021\|JavaScript-v1.6
HTTP User-Agent header	59	WSHRAT\|58B980FB\|MRBKYMNO\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 23/6/2021\|JavaScript-v1.6
HTTP User-Agent header	240	WSHRAT\|58B980FB\|MRBKYMNO\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 23/6/2021\|JavaScript-v1.6
HTTP User-Agent header	687	WSHRAT\|58B980FB\|MRBKYMNO\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 23/6/2021\|JavaScript-v1.6
HTTP User-Agent header	999	WSHRAT\|58B980FB\|MRBKYMNO\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 23/6/2021\|JavaScript-v1.6
HTTP User-Agent header	1173	WSHRAT\|58B980FB\|MRBKYMNO\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 23/6/2021\|JavaScript-v1.6
HTTP User-Agent header	23	WSHRAT\|58B980FB\|MRBKYMNO\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 23/6/2021\|JavaScript-v1.6
HTTP User-Agent header	161	WSHRAT\|58B980FB\|MRBKYMNO\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 23/6/2021\|JavaScript-v1.6
HTTP User-Agent header	164	WSHRAT\|58B980FB\|MRBKYMNO\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 23/6/2021\|JavaScript-v1.6
HTTP User-Agent header	347	WSHRAT\|58B980FB\|MRBKYMNO\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 23/6/2021\|JavaScript-v1.6
HTTP User-Agent header	953	WSHRAT\|58B980FB\|MRBKYMNO\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 23/6/2021\|JavaScript-v1.6
HTTP User-Agent header	978	WSHRAT\|58B980FB\|MRBKYMNO\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 23/6/2021\|JavaScript-v1.6
HTTP User-Agent header	194	WSHRAT\|58B980FB\|MRBKYMNO\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 23/6/2021\|JavaScript-v1.6
HTTP User-Agent header	289	WSHRAT\|58B980FB\|MRBKYMNO\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 23/6/2021\|JavaScript-v1.6
HTTP User-Agent header	328	WSHRAT\|58B980FB\|MRBKYMNO\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 23/6/2021\|JavaScript-v1.6
HTTP User-Agent header	908	WSHRAT\|58B980FB\|MRBKYMNO\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 23/6/2021\|JavaScript-v1.6
HTTP User-Agent header	69	WSHRAT\|58B980FB\|MRBKYMNO\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 23/6/2021\|JavaScript-v1.6
HTTP User-Agent header	544	WSHRAT\|58B980FB\|MRBKYMNO\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 23/6/2021\|JavaScript-v1.6
HTTP User-Agent header	739	WSHRAT\|58B980FB\|MRBKYMNO\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 23/6/2021\|JavaScript-v1.6
HTTP User-Agent header	651	WSHRAT\|58B980FB\|MRBKYMNO\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 23/6/2021\|JavaScript-v1.6
HTTP User-Agent header	747	WSHRAT\|58B980FB\|MRBKYMNO\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 23/6/2021\|JavaScript-v1.6
HTTP User-Agent header	891	WSHRAT\|58B980FB\|MRBKYMNO\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 23/6/2021\|JavaScript-v1.6
HTTP User-Agent header	28	WSHRAT\|58B980FB\|MRBKYMNO\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 23/6/2021\|JavaScript-v1.6
HTTP User-Agent header	267	WSHRAT\|58B980FB\|MRBKYMNO\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 23/6/2021\|JavaScript-v1.6
HTTP User-Agent header	434	WSHRAT\|58B980FB\|MRBKYMNO\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 23/6/2021\|JavaScript-v1.6
HTTP User-Agent header	880	WSHRAT\|58B980FB\|MRBKYMNO\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 23/6/2021\|JavaScript-v1.6
HTTP User-Agent header	1091	WSHRAT\|58B980FB\|MRBKYMNO\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 23/6/2021\|JavaScript-v1.6
HTTP User-Agent header	1240	WSHRAT\|58B980FB\|MRBKYMNO\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 23/6/2021\|JavaScript-v1.6
HTTP User-Agent header	95	WSHRAT\|58B980FB\|MRBKYMNO\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 23/6/2021\|JavaScript-v1.6
HTTP User-Agent header	302	WSHRAT\|58B980FB\|MRBKYMNO\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 23/6/2021\|JavaScript-v1.6
HTTP User-Agent header	372	WSHRAT\|58B980FB\|MRBKYMNO\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 23/6/2021\|JavaScript-v1.6
HTTP User-Agent header	1071	WSHRAT\|58B980FB\|MRBKYMNO\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 23/6/2021\|JavaScript-v1.6
HTTP User-Agent header	1180	WSHRAT\|58B980FB\|MRBKYMNO\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 23/6/2021\|JavaScript-v1.6
HTTP User-Agent header	1263	WSHRAT\|58B980FB\|MRBKYMNO\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 23/6/2021\|JavaScript-v1.6
HTTP User-Agent header	254	WSHRAT\|58B980FB\|MRBKYMNO\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 23/6/2021\|JavaScript-v1.6
HTTP User-Agent header	1026	WSHRAT\|58B980FB\|MRBKYMNO\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 23/6/2021\|JavaScript-v1.6
HTTP User-Agent header	1156	WSHRAT\|58B980FB\|MRBKYMNO\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 23/6/2021\|JavaScript-v1.6
HTTP User-Agent header	397	WSHRAT\|58B980FB\|MRBKYMNO\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 23/6/2021\|JavaScript-v1.6
HTTP User-Agent header	754	WSHRAT\|58B980FB\|MRBKYMNO\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 23/6/2021\|JavaScript-v1.6
HTTP User-Agent header	77	WSHRAT\|58B980FB\|MRBKYMNO\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 23/6/2021\|JavaScript-v1.6
HTTP User-Agent header	787	WSHRAT\|58B980FB\|MRBKYMNO\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 23/6/2021\|JavaScript-v1.6
HTTP User-Agent header	1165	WSHRAT\|58B980FB\|MRBKYMNO\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 23/6/2021\|JavaScript-v1.6
HTTP User-Agent header	340	WSHRAT\|58B980FB\|MRBKYMNO\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 23/6/2021\|JavaScript-v1.6
HTTP User-Agent header	479	WSHRAT\|58B980FB\|MRBKYMNO\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 23/6/2021\|JavaScript-v1.6
HTTP User-Agent header	437	WSHRAT\|58B980FB\|MRBKYMNO\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 23/6/2021\|JavaScript-v1.6
HTTP User-Agent header	646	WSHRAT\|58B980FB\|MRBKYMNO\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 23/6/2021\|JavaScript-v1.6
HTTP User-Agent header	842	WSHRAT\|58B980FB\|MRBKYMNO\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 23/6/2021\|JavaScript-v1.6
HTTP User-Agent header	1042	WSHRAT\|58B980FB\|MRBKYMNO\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 23/6/2021\|JavaScript-v1.6

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

syststemfile.exesystemfiles.exesystemefile.exesystemstability.exesystemefile.exesystemstability.exeHost.exesystemefile.exeHost.exesystemefile.exesystemefile.exesystemstability.exesystemefile.exesystemefile.exesystemefile.exesystemefile.exe

pid	process
1980	syststemfile.exe
1744	systemfiles.exe
1548	systemefile.exe
1544	systemstability.exe
552	systemefile.exe
552	systemefile.exe
560	systemstability.exe
560	systemstability.exe
552	systemefile.exe
560	systemstability.exe
552	systemefile.exe
1564	Host.exe
560	systemstability.exe
552	systemefile.exe
560	systemstability.exe
1636	systemefile.exe
560	systemstability.exe
560	systemstability.exe
2036	Host.exe
2036	Host.exe
952	systemefile.exe
560	systemstability.exe
560	systemstability.exe
2036	Host.exe
560	systemstability.exe
2036	Host.exe
560	systemstability.exe
836	systemefile.exe
836	systemefile.exe
2036	Host.exe
560	systemstability.exe
2036	Host.exe
836	systemefile.exe
560	systemstability.exe
560	systemstability.exe
2036	Host.exe
836	systemefile.exe
560	systemstability.exe
2036	Host.exe
836	systemefile.exe
1112	systemstability.exe
1112	systemstability.exe
1112	systemstability.exe
560	systemstability.exe
2036	Host.exe
836	systemefile.exe
560	systemstability.exe
836	systemefile.exe
2036	Host.exe
560	systemstability.exe
836	systemefile.exe
1300	systemefile.exe
560	systemstability.exe
836	systemefile.exe
608	systemefile.exe
608	systemefile.exe
560	systemstability.exe
836	systemefile.exe
268	systemefile.exe
560	systemstability.exe
836	systemefile.exe
1836	systemefile.exe
1836	systemefile.exe
560	systemstability.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

systemstability.exe

pid process

1112 systemstability.exe

pid	process
1112	systemstability.exe

Suspicious behavior: MapViewOfSection 35 IoCs

Processes:

pid	process
1548	systemefile.exe
1544	systemstability.exe
1636	systemefile.exe
952	systemefile.exe
1300	systemefile.exe
268	systemefile.exe
1704	systemefile.exe
912	systemefile.exe
1468	systemefile.exe
1812	systemefile.exe
904	notepad.exe
2036	Host.exe
1320	notepad.exe
1616	systemefile.exe
2072
2148
2140	systemefile.exe
2248
2240
2268
2316	Host.exe
1700	systemefile.exe
2376	notepad.exe
2520
2556	systemefile.exe
2580
2620
2768
2788
2680
2808
3004
2936
2996
2944

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

systemstability.exeWerFault.exe

description pid process

Token: SeDebugPrivilege 1112 systemstability.exe
Token: SeDebugPrivilege 2408 WerFault.exe

description	pid	process
Token: SeDebugPrivilege	1112	systemstability.exe
Token: SeDebugPrivilege	2408	WerFault.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

9b61e86cf6899344b6e9564e1dbfacc24c8a99e9e9be8cd8f764dba7d4f7927e.bin.exesyststemfile.exesystemfiles.exenotepad.exesystemefile.exesystemefile.exesystemstability.exesystemefile.exeHost.exesystemefile.exesystemefile.exe

description	pid	process	target process
PID 1080 wrote to memory of 1980	1080	9b61e86cf6899344b6e9564e1dbfacc24c8a99e9e9be8cd8f764dba7d4f7927e.bin.exe	syststemfile.exe
PID 1080 wrote to memory of 1980	1080	9b61e86cf6899344b6e9564e1dbfacc24c8a99e9e9be8cd8f764dba7d4f7927e.bin.exe	syststemfile.exe
PID 1080 wrote to memory of 1980	1080	9b61e86cf6899344b6e9564e1dbfacc24c8a99e9e9be8cd8f764dba7d4f7927e.bin.exe	syststemfile.exe
PID 1080 wrote to memory of 1980	1080	9b61e86cf6899344b6e9564e1dbfacc24c8a99e9e9be8cd8f764dba7d4f7927e.bin.exe	syststemfile.exe
PID 1980 wrote to memory of 1740	1980	syststemfile.exe	notepad.exe
PID 1980 wrote to memory of 1740	1980	syststemfile.exe	notepad.exe
PID 1980 wrote to memory of 1740	1980	syststemfile.exe	notepad.exe
PID 1980 wrote to memory of 1740	1980	syststemfile.exe	notepad.exe
PID 1980 wrote to memory of 1740	1980	syststemfile.exe	notepad.exe
PID 1980 wrote to memory of 1740	1980	syststemfile.exe	notepad.exe
PID 1080 wrote to memory of 1744	1080	9b61e86cf6899344b6e9564e1dbfacc24c8a99e9e9be8cd8f764dba7d4f7927e.bin.exe	systemfiles.exe
PID 1080 wrote to memory of 1744	1080	9b61e86cf6899344b6e9564e1dbfacc24c8a99e9e9be8cd8f764dba7d4f7927e.bin.exe	systemfiles.exe
PID 1080 wrote to memory of 1744	1080	9b61e86cf6899344b6e9564e1dbfacc24c8a99e9e9be8cd8f764dba7d4f7927e.bin.exe	systemfiles.exe
PID 1080 wrote to memory of 1744	1080	9b61e86cf6899344b6e9564e1dbfacc24c8a99e9e9be8cd8f764dba7d4f7927e.bin.exe	systemfiles.exe
PID 1744 wrote to memory of 836	1744	systemfiles.exe	systemefile.exe
PID 1744 wrote to memory of 836	1744	systemfiles.exe	systemefile.exe
PID 1744 wrote to memory of 836	1744	systemfiles.exe	systemefile.exe
PID 1744 wrote to memory of 836	1744	systemfiles.exe	systemefile.exe
PID 1744 wrote to memory of 836	1744	systemfiles.exe	systemefile.exe
PID 1744 wrote to memory of 836	1744	systemfiles.exe	systemefile.exe
PID 1080 wrote to memory of 1352	1080	9b61e86cf6899344b6e9564e1dbfacc24c8a99e9e9be8cd8f764dba7d4f7927e.bin.exe	WScript.exe
PID 1080 wrote to memory of 1352	1080	9b61e86cf6899344b6e9564e1dbfacc24c8a99e9e9be8cd8f764dba7d4f7927e.bin.exe	WScript.exe
PID 1080 wrote to memory of 1352	1080	9b61e86cf6899344b6e9564e1dbfacc24c8a99e9e9be8cd8f764dba7d4f7927e.bin.exe	WScript.exe
PID 1080 wrote to memory of 1352	1080	9b61e86cf6899344b6e9564e1dbfacc24c8a99e9e9be8cd8f764dba7d4f7927e.bin.exe	WScript.exe
PID 1740 wrote to memory of 1548	1740	notepad.exe	systemefile.exe
PID 1740 wrote to memory of 1548	1740	notepad.exe	systemefile.exe
PID 1740 wrote to memory of 1548	1740	notepad.exe	systemefile.exe
PID 1740 wrote to memory of 1548	1740	notepad.exe	systemefile.exe
PID 836 wrote to memory of 1544	836	systemefile.exe	systemstability.exe
PID 836 wrote to memory of 1544	836	systemefile.exe	systemstability.exe
PID 836 wrote to memory of 1544	836	systemefile.exe	systemstability.exe
PID 836 wrote to memory of 1544	836	systemefile.exe	systemstability.exe
PID 1548 wrote to memory of 520	1548	systemefile.exe	systemefile.exe
PID 1548 wrote to memory of 520	1548	systemefile.exe	systemefile.exe
PID 1548 wrote to memory of 520	1548	systemefile.exe	systemefile.exe
PID 1548 wrote to memory of 520	1548	systemefile.exe	systemefile.exe
PID 1548 wrote to memory of 552	1548	systemefile.exe	systemefile.exe
PID 1548 wrote to memory of 552	1548	systemefile.exe	systemefile.exe
PID 1548 wrote to memory of 552	1548	systemefile.exe	systemefile.exe
PID 1548 wrote to memory of 552	1548	systemefile.exe	systemefile.exe
PID 1544 wrote to memory of 1112	1544	systemstability.exe	systemstability.exe
PID 1544 wrote to memory of 1112	1544	systemstability.exe	systemstability.exe
PID 1544 wrote to memory of 1112	1544	systemstability.exe	systemstability.exe
PID 1544 wrote to memory of 1112	1544	systemstability.exe	systemstability.exe
PID 1544 wrote to memory of 560	1544	systemstability.exe	systemstability.exe
PID 1544 wrote to memory of 560	1544	systemstability.exe	systemstability.exe
PID 1544 wrote to memory of 560	1544	systemstability.exe	systemstability.exe
PID 1544 wrote to memory of 560	1544	systemstability.exe	systemstability.exe
PID 520 wrote to memory of 1564	520	systemefile.exe	Host.exe
PID 520 wrote to memory of 1564	520	systemefile.exe	Host.exe
PID 520 wrote to memory of 1564	520	systemefile.exe	Host.exe
PID 520 wrote to memory of 1564	520	systemefile.exe	Host.exe
PID 1564 wrote to memory of 1420	1564	Host.exe	notepad.exe
PID 1564 wrote to memory of 1420	1564	Host.exe	notepad.exe
PID 1564 wrote to memory of 1420	1564	Host.exe	notepad.exe
PID 1564 wrote to memory of 1420	1564	Host.exe	notepad.exe
PID 1564 wrote to memory of 1420	1564	Host.exe	notepad.exe
PID 1564 wrote to memory of 1420	1564	Host.exe	notepad.exe
PID 552 wrote to memory of 1636	552	systemefile.exe	systemefile.exe
PID 552 wrote to memory of 1636	552	systemefile.exe	systemefile.exe
PID 552 wrote to memory of 1636	552	systemefile.exe	systemefile.exe
PID 552 wrote to memory of 1636	552	systemefile.exe	systemefile.exe
PID 1636 wrote to memory of 336	1636	systemefile.exe	systemefile.exe
PID 1636 wrote to memory of 336	1636	systemefile.exe	systemefile.exe

C:\Users\Admin\AppData\Local\Temp\9b61e86cf6899344b6e9564e1dbfacc24c8a99e9e9be8cd8f764dba7d4f7927e.bin.exe
"C:\Users\Admin\AppData\Local\Temp\9b61e86cf6899344b6e9564e1dbfacc24c8a99e9e9be8cd8f764dba7d4f7927e.bin.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1080

C:\Users\Admin\AppData\Local\Temp\RarSFX0\syststemfile.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\syststemfile.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1980

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
3⤵
- Drops startup file
- Loads dropped DLL
- NTFS ADS
- Suspicious use of WriteProcessMemory
PID:1740

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1548

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:520

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1564

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
7⤵
- Drops startup file
- Loads dropped DLL
- NTFS ADS
PID:1420

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:952

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
9⤵
- Executes dropped EXE
- Adds Run key to start application
PID:852

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 852 259302178
9⤵
- Executes dropped EXE
- Drops startup file
- Loads dropped DLL
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:836

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
7⤵
PID:2128

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
8⤵
PID:2540

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2540 259508536
8⤵
PID:2852

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
9⤵
PID:2160

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
10⤵
PID:1196

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 1196 259740869
10⤵
PID:2220

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
11⤵
PID:2096

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
12⤵
PID:3752

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 3752 259900380
12⤵
PID:2704

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
13⤵
PID:592

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
8⤵
PID:2180

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 520 259299963
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:552

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1636

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
7⤵
- Executes dropped EXE
PID:336

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 336 259301429
7⤵
- Executes dropped EXE
PID:2036

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
8⤵
PID:1300

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
9⤵
PID:972

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 972 259304066
9⤵
PID:608

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
10⤵
PID:268

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
11⤵
PID:904

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
12⤵
PID:944

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
13⤵
PID:1368

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
14⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:912

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
15⤵
- Executes dropped EXE
PID:1684

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 1684 259305548
15⤵
- Executes dropped EXE
PID:944

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 904 259304534
11⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1836

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
12⤵
PID:1704

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
13⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1792

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
14⤵
PID:1532

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
15⤵
- Drops startup file
- Loads dropped DLL
- NTFS ADS
PID:680

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
16⤵
PID:1812

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
17⤵
PID:1840

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 1840 259305953
17⤵
- Executes dropped EXE
PID:1772

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
18⤵
PID:904

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
19⤵
PID:1532

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
20⤵
- Executes dropped EXE
PID:1560

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
21⤵
- Executes dropped EXE
- Drops startup file
- Loads dropped DLL
- Suspicious use of SetThreadContext
- NTFS ADS
- Suspicious behavior: MapViewOfSection
PID:904

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
22⤵
PID:1320

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 1840 259309167
23⤵
PID:1812

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
24⤵
PID:2072

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1840

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
24⤵
PID:2056

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 1532 259306983
19⤵
- Executes dropped EXE
PID:1284

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
20⤵
PID:2036

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 1792 259305127
13⤵
PID:1140

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
14⤵
PID:1468

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
15⤵
- Executes dropped EXE
PID:1832

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
16⤵
PID:1468

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 1832 259305735
15⤵
PID:1560

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
16⤵
- Executes dropped EXE
PID:1140

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
15⤵
PID:1500

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
16⤵
PID:1700

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2436 259314518
17⤵
PID:2444

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
18⤵
PID:2768

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
19⤵
PID:2836

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2836 259326592
19⤵
PID:2844

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
20⤵
PID:2188

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
21⤵
PID:2288

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2288 259343924
21⤵
PID:2364

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
22⤵
PID:2680

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
23⤵
PID:2812

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2812 259364703
23⤵
PID:2852

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
24⤵
PID:1812

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2832 259386544
25⤵
PID:2768

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
26⤵
PID:2676

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2920 259415107
27⤵
PID:2636

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
28⤵
PID:2832

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2440 259449084
29⤵
PID:2404

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
30⤵
PID:2964

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
29⤵
PID:2440

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
27⤵
PID:2920

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
25⤵
PID:2832

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
26⤵
PID:1924

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
27⤵
PID:1948

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
28⤵
PID:1996

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
29⤵
PID:2716

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2716 259442563
29⤵
PID:1844

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 1248 259494387
28⤵
PID:2392

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
29⤵
PID:2708

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
30⤵
PID:992

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 992 259560407
30⤵
PID:2516

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
31⤵
PID:1908

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
32⤵
PID:2832

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
33⤵
PID:2440

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
34⤵
PID:2068

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
35⤵
PID:2552

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2832 259677127
32⤵
PID:2324

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
33⤵
PID:1596

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
34⤵
PID:2964

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
35⤵
PID:3068

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
36⤵
PID:3196

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2964 259912860
34⤵
PID:2168

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
35⤵
PID:1544

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
28⤵
PID:1248

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
29⤵
- Executes dropped EXE
PID:2212

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
30⤵
PID:2204

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
31⤵
PID:1784

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
32⤵
PID:1984

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 1984 259593853
32⤵
PID:2192

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
33⤵
PID:2124

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
34⤵
PID:592

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
35⤵
PID:1960

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 592 259666675
34⤵
PID:2688

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
35⤵
PID:1880

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
36⤵
PID:2472

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2472 259790711
36⤵
PID:3352

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
37⤵
PID:3092

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
38⤵
PID:2060

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
31⤵
PID:1784

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 1784 259639078
31⤵
PID:2168

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
32⤵
PID:2180

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
33⤵
PID:1420

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 1420 259770415
33⤵
PID:3136

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
34⤵
PID:3560

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
35⤵
PID:4060

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 4060 259992264
35⤵
PID:608

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
23⤵
PID:1636

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
24⤵
PID:2104

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
25⤵
PID:2188

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
26⤵
PID:2952

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
27⤵
PID:2732

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
28⤵
PID:2584

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2732 259521453
27⤵
PID:2760

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
28⤵
PID:2516

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
29⤵
PID:2416

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2416 259770493
29⤵
PID:3128

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
30⤵
PID:3508

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
31⤵
- Drops startup file
- NTFS ADS
PID:2416

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2416 259976056
31⤵
PID:3412

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
25⤵
PID:1924

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 1924 259639374
25⤵
PID:1292

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
26⤵
PID:2772

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
27⤵
PID:2596

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2596 259789042
27⤵
PID:3232

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
28⤵
PID:3668

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
29⤵
PID:3660

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 1636 259494434
23⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:1616

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
24⤵
PID:1172

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
25⤵
PID:2820

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2820 259506617
25⤵
PID:2488

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
26⤵
PID:2136

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
27⤵
PID:1984

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
28⤵
PID:2184

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 1984 259679467
27⤵
PID:2904

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
28⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:2140

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
29⤵
PID:1528

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 1528 259819306
29⤵
PID:3440

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
30⤵
PID:2916

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
17⤵
PID:2436

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
18⤵
PID:2732

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
19⤵
PID:2852

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
20⤵
PID:3056

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
21⤵
PID:1320

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 1320 259338792
21⤵
PID:2260

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
22⤵
PID:2480

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
23⤵
PID:2580

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
24⤵
PID:2760

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
25⤵
PID:2996

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
26⤵
PID:3020

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2040 259381645
27⤵
PID:2328

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
28⤵
PID:316

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
29⤵
PID:2060

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2060 259419600
29⤵
PID:3060

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
30⤵
PID:2544

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
31⤵
PID:2688

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2688 259455246
31⤵
PID:2552

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2196 259496243
29⤵
PID:2244

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
30⤵
PID:3000

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2584 259569845
31⤵
PID:2636

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
32⤵
PID:2112

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
33⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2100

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2100 259771148
33⤵
PID:2108

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
34⤵
PID:3548

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
35⤵
PID:1212

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 1212 259977272
35⤵
PID:2536

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
31⤵
PID:2584

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
29⤵
PID:2196

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
30⤵
PID:2284

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
31⤵
PID:1932

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
32⤵
PID:2512

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2160 259590359
33⤵
PID:1172

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
34⤵
PID:1404

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
35⤵
PID:2448

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2448 259736454
35⤵
PID:2296

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
36⤵
PID:3156

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
37⤵
PID:3620

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
38⤵
PID:3080

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
39⤵
PID:2288

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 3620 259912610
37⤵
PID:1636

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
38⤵
PID:2076

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
33⤵
PID:2160

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
27⤵
PID:2040

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2580 259352473
23⤵
PID:2728

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
24⤵
PID:2956

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
25⤵
PID:2112

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2112 259368869
25⤵
PID:2152

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
26⤵
PID:2480

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
27⤵
PID:2728

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
28⤵
PID:2500

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2500 259639234
28⤵
PID:788

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
29⤵
PID:2704

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
30⤵
PID:1636

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 1636 259789042
30⤵
PID:3292

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
31⤵
PID:3700

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
32⤵
PID:1936

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2728 259394546
27⤵
PID:2732

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
28⤵
PID:2276

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
29⤵
PID:2312

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
30⤵
PID:2860

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
31⤵
PID:2776

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2312 259434249
29⤵
PID:2196

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
30⤵
PID:2732

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
28⤵
PID:576

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 576 259483857
28⤵
PID:1784

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
29⤵
PID:3000

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2324 259504090
13⤵
- Drops startup file
- Loads dropped DLL
- NTFS ADS
PID:2164

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
14⤵
PID:2724

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
15⤵
PID:2524

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2524 259679201
15⤵
PID:3040

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
16⤵
PID:2344

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
17⤵
PID:3628

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 3628 259893843
17⤵
PID:3488

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
18⤵
PID:1100

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
13⤵
PID:2324

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2036

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
12⤵
PID:1320

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
13⤵
PID:1616

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
14⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:1468

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 1468 259311413
14⤵
- Executes dropped EXE
PID:2032

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 268 259308637
12⤵
PID:1532

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
13⤵
PID:2316

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
12⤵
PID:268

C:\Users\Admin\AppData\Local\Temp\RarSFX0\systemfiles.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\systemfiles.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1744

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
3⤵
PID:836

C:\Users\Admin\AppData\Roaming\appdata\systemstability.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemstability.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1544

C:\Users\Admin\AppData\Roaming\appdata\systemstability.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemstability.exe" 2 1112 259300213
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:560

C:\Users\Admin\AppData\Roaming\appdata\systemstability.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemstability.exe"
5⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1112

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\systemfiles878.js"
2⤵
- Drops startup file
- Adds Run key to start application
PID:1352

C:\Windows\SysWOW64\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\lfQEWRrrdw.js"
3⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
PID:1148

C:\Windows\SysWOW64\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Local\Temp\systemfiles878.js"
3⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
PID:1640

C:\Windows\SysWOW64\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\lfQEWRrrdw.js"
4⤵
PID:360

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
- Drops startup file
- Loads dropped DLL
- NTFS ADS
PID:1500

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2100 259312162
1⤵
PID:2108

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
2⤵
PID:2148

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2172 259312880
3⤵
PID:2180

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
4⤵
PID:2248

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2220 259497382
4⤵
PID:1292

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
5⤵
PID:1924

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
6⤵
PID:2200

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2200 259571873
6⤵
PID:2680

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
7⤵
PID:976

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
8⤵
PID:2116

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2116 259793503
8⤵
PID:3240

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
9⤵
PID:3940

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
10⤵
PID:764

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
4⤵
PID:2220

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
5⤵
PID:1092

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
6⤵
PID:1300

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
7⤵
PID:2064

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 688 259589314
8⤵
PID:2596

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
9⤵
PID:1060

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
10⤵
PID:1804

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 1804 259782256
10⤵
PID:3216

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
11⤵
PID:3780

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
12⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2108

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
8⤵
PID:688

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
3⤵
PID:2172

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2276 259313878
1⤵
PID:2284

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
2⤵
PID:2376

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
3⤵
PID:2604

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2604 259316733
3⤵
PID:2636

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
4⤵
PID:2944

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
5⤵
PID:2136

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
6⤵
PID:2512

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2136 259336327
5⤵
PID:2132

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
6⤵
PID:2488

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
7⤵
PID:2632

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2632 259353549
7⤵
PID:864

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
8⤵
PID:2176

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
9⤵
PID:2992

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
10⤵
PID:2664

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
11⤵
PID:1824

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
12⤵
PID:1092

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
13⤵
PID:2436

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2436 259449537
13⤵
PID:2952

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
14⤵
PID:2764

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2992 259380381
9⤵
PID:2268

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
10⤵
PID:2760

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2912 259419085
11⤵
PID:2940

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
12⤵
PID:2380

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
13⤵
PID:2100

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2100 259452875
13⤵
PID:2624

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
14⤵
PID:976

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
11⤵
PID:2912

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
1⤵
PID:2368

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
2⤵
PID:2540

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
3⤵
PID:2656

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
4⤵
PID:2680

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2880 259326936
5⤵
PID:2888

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
6⤵
PID:2164

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
7⤵
PID:2320

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2320 259344189
7⤵
PID:2424

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
8⤵
PID:2792

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
9⤵
PID:2916

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2916 259365780
9⤵
PID:2976

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
10⤵
PID:2504

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2708 259394094
11⤵
PID:2004

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
12⤵
PID:3008

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
13⤵
PID:2244

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2244 259423469
13⤵
PID:2116

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
14⤵
PID:2864

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
15⤵
PID:1720

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 1720 259462329
15⤵
PID:2976

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
16⤵
PID:1372

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
11⤵
PID:2708

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
5⤵
PID:2880

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
6⤵
PID:2200

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
7⤵
PID:760

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
8⤵
PID:2016

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2640 259361240
9⤵
PID:2636

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
10⤵
PID:2296

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2716 259383205
11⤵
PID:2368

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
12⤵
PID:2996

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
13⤵
PID:2228

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2228 259418165
13⤵
PID:972

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
14⤵
PID:2248

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 800 259452875
15⤵
PID:2160

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
16⤵
PID:2416

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
15⤵
PID:800

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
11⤵
PID:2716

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
9⤵
PID:2640

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
10⤵
PID:1320

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
11⤵
PID:2488

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
12⤵
PID:528

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
13⤵
PID:2752

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
14⤵
PID:2344

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
15⤵
PID:1220

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
16⤵
PID:2456

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2096 259460472
17⤵
PID:3036

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
18⤵
PID:2156

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
17⤵
PID:2096

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2752 259406995
13⤵
PID:2564

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
14⤵
PID:3040

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
15⤵
PID:2768

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
16⤵
PID:1960

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
17⤵
PID:2852

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
18⤵
PID:960

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
19⤵
PID:2332

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2332 259483389
19⤵
PID:2432

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
20⤵
PID:2812

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
21⤵
PID:1092

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
22⤵
PID:2420

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2420 259740603
22⤵
PID:2064

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
23⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:1812

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
24⤵
PID:2568

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2568 259974698
24⤵
PID:2040

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2768 259437181
15⤵
PID:1600

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
16⤵
PID:2812

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2884 259471736
17⤵
PID:2084

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
18⤵
PID:864

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
17⤵
PID:2884

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2512 259496165
17⤵
PID:2544

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
18⤵
PID:2160

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
19⤵
PID:2648

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2648 259568675
19⤵
PID:2352

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
20⤵
PID:2744

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
21⤵
PID:3180

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 3180 259828869
21⤵
PID:3772

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
22⤵
PID:2440

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
17⤵
PID:2512

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
18⤵
PID:2400

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
19⤵
PID:2940

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
20⤵
PID:2388

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2056 259496290
15⤵
PID:2772

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
16⤵
PID:2308

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2188 259629967
17⤵
PID:764

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
18⤵
PID:3004

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
19⤵
PID:800

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
20⤵
PID:2116

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 800 259657018
19⤵
PID:1536

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
20⤵
PID:2608

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
21⤵
PID:2928

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2928 259827558
21⤵
PID:3744

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
22⤵
PID:4040

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
17⤵
PID:2188

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
15⤵
PID:2056

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2400 259314424
1⤵
PID:2428

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
2⤵
PID:2620

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
3⤵
PID:2760

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2760 259320992
3⤵
PID:2776

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
4⤵
PID:2936

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2072 259335375
5⤵
PID:2120

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
6⤵
PID:2312

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
7⤵
PID:2672

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
8⤵
PID:2844

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
9⤵
PID:2092

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
10⤵
PID:2332

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
11⤵
PID:2704

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2704 259397760
11⤵
PID:1716

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
12⤵
PID:2184

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
13⤵
PID:2828

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
14⤵
PID:2340

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
15⤵
PID:2212

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
14⤵
PID:2332

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2332 259497803
14⤵
PID:1908

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
15⤵
PID:3060

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2592 259635896
16⤵
PID:2632

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
17⤵
PID:2624

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
18⤵
PID:788

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 788 259777638
18⤵
PID:3200

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
19⤵
PID:3724

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
20⤵
PID:2312

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2312 259975525
20⤵
PID:2152

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
16⤵
PID:2592

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2828 259434607
13⤵
PID:2132

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
14⤵
PID:284

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
15⤵
PID:1220

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 1220 259480035
15⤵
PID:2116

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
16⤵
PID:2560

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 1848 259496119
17⤵
PID:2340

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
18⤵
PID:2956

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
19⤵
PID:1564

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
20⤵
PID:2724

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
21⤵
PID:3024

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
22⤵
PID:3000

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
23⤵
PID:2956

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 1564 259665567
19⤵
PID:1312

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
20⤵
PID:2076

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
21⤵
PID:2728

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2728 259830788
21⤵
PID:3824

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
22⤵
PID:3428

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
17⤵
PID:1848

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
15⤵
PID:2444

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2444 259504090
15⤵
PID:2864

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
16⤵
PID:2728

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2672 259353690
7⤵
PID:2824

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
8⤵
PID:2884

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
9⤵
PID:3048

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
10⤵
PID:2000

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
11⤵
PID:1664

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
12⤵
PID:2796

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
13⤵
PID:1848

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 1848 259427213
13⤵
PID:2284

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
14⤵
PID:2948

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2152 259463936
15⤵
PID:2184

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
16⤵
PID:972

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2044 259513575
17⤵
PID:2440

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
18⤵
PID:2228

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
19⤵
PID:2116

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
20⤵
PID:1680

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
21⤵
PID:2548

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
22⤵
PID:2856

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
20⤵
PID:2368

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
21⤵
PID:2972

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2116 259677532
19⤵
PID:760

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
20⤵
PID:2920

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
21⤵
PID:2996

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2996 259819977
21⤵
PID:3464

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
22⤵
PID:2400

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
17⤵
PID:2044

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
16⤵
PID:2264

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
17⤵
PID:3516

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
18⤵
PID:3256

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
15⤵
PID:2152

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 3048 259378260
9⤵
PID:1908

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
10⤵
PID:2520

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
11⤵
PID:952

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 952 259400272
11⤵
PID:1804

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
12⤵
PID:1536

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
13⤵
PID:1936

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
14⤵
PID:3044

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
15⤵
PID:2220

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
16⤵
PID:2768

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2524 259493264
17⤵
PID:1916

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
18⤵
PID:2828

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
17⤵
PID:2524

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 1936 259435029
13⤵
PID:1532

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
14⤵
PID:2832

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
15⤵
PID:1092

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 1092 259480924
15⤵
PID:2040

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
16⤵
PID:316

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
5⤵
PID:2072

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
1⤵
PID:2416

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
2⤵
PID:2520

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2612 259316733
3⤵
PID:2628

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
4⤵
PID:2788

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2872 259327014
5⤵
PID:2896

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
6⤵
PID:2172

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
7⤵
PID:2332

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2332 259346592
7⤵
PID:2536

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
8⤵
PID:1596

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
9⤵
PID:2936

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2936 259366497
9⤵
PID:3004

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
10⤵
PID:2508

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2392 259393236
11⤵
PID:2044

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
12⤵
PID:2960

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2384 259424779
13⤵
PID:2092

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
14⤵
PID:528

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
15⤵
PID:1908

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 1908 259460426
15⤵
PID:2504

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
16⤵
PID:2616

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
13⤵
PID:2384

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
14⤵
PID:1344

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
15⤵
PID:3808

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
16⤵
PID:3116

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
11⤵
PID:2392

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
5⤵
PID:2872

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
3⤵
PID:2612

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
4⤵
PID:2720

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
5⤵
PID:2912

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
6⤵
PID:972

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
7⤵
PID:2252

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
8⤵
PID:2592

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
9⤵
PID:2772

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
10⤵
PID:2808

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2896 259370366
11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:268

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
12⤵
PID:2312

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
13⤵
PID:1596

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 1596 259395560
13⤵
PID:2744

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
14⤵
PID:2724

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2252 259427634
15⤵
PID:2820

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
16⤵
PID:2868

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
17⤵
PID:2364

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2364 259464263
17⤵
PID:2664

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
18⤵
PID:2696

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
15⤵
PID:2252

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
11⤵
PID:2896

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 948 259498084
11⤵
PID:2020

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
12⤵
PID:2748

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
13⤵
PID:2560

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2560 259590577
13⤵
PID:2664

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
14⤵
PID:568

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
15⤵
PID:608

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 608 259769495
15⤵
PID:2172

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
16⤵
PID:3588

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
17⤵
PID:3032

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 3032 259998473
17⤵
PID:3332

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
11⤵
PID:948

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
12⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:2316

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
13⤵
PID:2796

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
14⤵
PID:2716

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2416 259607425
15⤵
PID:1948

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
16⤵
PID:1060

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
17⤵
PID:2104

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
18⤵
PID:2784

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
19⤵
PID:952

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
20⤵
PID:3948

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
21⤵
PID:2072

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2104 259674022
17⤵
PID:1360

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
18⤵
PID:2932

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
19⤵
PID:1404

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 1404 259844110
19⤵
PID:3896

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
20⤵
- Executes dropped EXE
PID:1560

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
15⤵
PID:2416

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2252 259339026
7⤵
PID:608

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
8⤵
PID:2600

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
9⤵
PID:2724

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2724 259358011
9⤵
PID:1292

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
10⤵
PID:2096

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
11⤵
PID:2404

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2404 259388041
11⤵
PID:2436

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
12⤵
PID:2388

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2888 259422736
13⤵
PID:2500

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
14⤵
PID:2600

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2104 259450348
15⤵
PID:1940

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
16⤵
PID:2700

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
15⤵
PID:2104

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
13⤵
PID:2888

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
14⤵
PID:2524

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
15⤵
PID:2736

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
16⤵
PID:2616

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2136 259473592
17⤵
PID:608

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
17⤵
PID:2136

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
17⤵
PID:1320

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 1320 259498599
17⤵
PID:2228

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
18⤵
PID:1300

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
19⤵
PID:2888

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2888 259635100
19⤵
PID:2064

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
20⤵
- Executes dropped EXE
PID:1532

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
21⤵
PID:2136

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2136 259786764
21⤵
PID:3224

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
22⤵
PID:3572

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
23⤵
PID:2320

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2320 259975166
23⤵
PID:3236

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
2⤵
PID:1544

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 1544 259499831
2⤵
PID:2100

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
3⤵
PID:2104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2232 -s 240
1⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:2408

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
1⤵
PID:2400

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
2⤵
PID:2564

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
3⤵
PID:2668

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
4⤵
PID:2808

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
5⤵
PID:3040

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 3040 259331148
5⤵
PID:3048

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
6⤵
PID:2336

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
7⤵
PID:2612

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2612 259353206
7⤵
PID:2620

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
8⤵
PID:2192

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
9⤵
PID:2172

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2172 259381005
9⤵
PID:2532

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
10⤵
PID:2612

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
11⤵
PID:3016

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
12⤵
PID:2988

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
13⤵
PID:864

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
14⤵
PID:3056

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
15⤵
PID:2296

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2296 259473514
15⤵
PID:2128

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
14⤵
PID:1488

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
15⤵
PID:3000

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
16⤵
PID:3016

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
17⤵
PID:2204

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
18⤵
PID:2348

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2348 259555883
18⤵
- Executes dropped EXE
PID:972

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
19⤵
PID:2128

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
20⤵
PID:3000

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 3000 259745829
20⤵
PID:2500

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
21⤵
PID:3248

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
22⤵
PID:2528

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2528 259940456
22⤵
PID:3224

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 1488 259495760
14⤵
PID:2352

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
15⤵
PID:1784

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
16⤵
PID:2600

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2600 259538208
16⤵
PID:2968

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
17⤵
- Drops startup file
- Loads dropped DLL
- NTFS ADS
PID:2092

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
18⤵
PID:2364

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2364 259761539
18⤵
PID:2760

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
19⤵
PID:3480

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
20⤵
PID:2516

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 3044 259496212
12⤵
PID:2784

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
13⤵
PID:2388

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2092 259509488
14⤵
PID:2812

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
14⤵
PID:2092

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
12⤵
PID:3044

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 3016 259418571
11⤵
PID:2300

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
12⤵
PID:1984

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2044 259449662
13⤵
PID:2580

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
14⤵
PID:3016

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
13⤵
PID:2044

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
7⤵
PID:800

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 800 259498443
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:608

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
8⤵
PID:1948

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
8⤵
PID:1220

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
9⤵
PID:1488

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 1488 259637768
9⤵
PID:2512

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
10⤵
PID:2392

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
11⤵
PID:2684

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2684 259789432
11⤵
PID:3208

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
12⤵
PID:3600

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
13⤵
PID:3280

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 3280 259948069
13⤵
PID:2432

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2368 259314299
1⤵
PID:2392

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
2⤵
PID:2580

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
3⤵
PID:2740

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
4⤵
PID:2972

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
5⤵
PID:2056

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
6⤵
PID:2356

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
7⤵
PID:2624

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2624 259353112
7⤵
PID:2012

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
8⤵
PID:1948

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2116 259376029
9⤵
PID:3044

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
10⤵
PID:2512

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2840 259396060
11⤵
PID:2584

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
12⤵
PID:2976

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
13⤵
PID:2420

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
14⤵
PID:2640

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
15⤵
PID:1664

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
16⤵
PID:2948

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2508 259493810
17⤵
PID:2528

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
17⤵
PID:2508

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2420 259432642
13⤵
PID:2352

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
14⤵
PID:1984

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
15⤵
PID:2600

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
16⤵
PID:2076

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2600 259481642
15⤵
PID:2252

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
16⤵
PID:2344

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 1844 259500487
17⤵
PID:2740

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
18⤵
PID:2716

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
19⤵
PID:3052

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
20⤵
PID:1072

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
21⤵
- Executes dropped EXE
- Drops startup file
- Loads dropped DLL
- Suspicious use of SetThreadContext
- NTFS ADS
- Suspicious behavior: MapViewOfSection
PID:1320

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
22⤵
PID:3984

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 3052 259667501
19⤵
PID:2844

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
20⤵
PID:2776

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
21⤵
PID:3168

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 3168 259831412
21⤵
PID:3840

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
22⤵
PID:2712

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
17⤵
PID:1844

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
18⤵
PID:2680

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
11⤵
PID:2840

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2456 259493014
12⤵
PID:2908

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
13⤵
PID:764

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
12⤵
PID:2456

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
9⤵
PID:2116

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2628 259495822
8⤵
PID:1596

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
9⤵
PID:2680

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2524 259510736
10⤵
PID:2016

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
11⤵
PID:1092

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
12⤵
PID:1072

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 1072 259660388
12⤵
PID:2016

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
13⤵
PID:3068

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
14⤵
PID:2660

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2660 259790258
14⤵
PID:3256

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
15⤵
PID:3608

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
16⤵
PID:2504

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
10⤵
PID:2524

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
8⤵
PID:2628

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2740 259320758
3⤵
PID:2748

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
4⤵
PID:2996

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
5⤵
PID:2100

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2100 259335718
5⤵
PID:2096

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
6⤵
PID:1188

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
7⤵
PID:2660

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
8⤵
PID:2836

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
9⤵
PID:1624

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
10⤵
PID:2352

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
11⤵
PID:2736

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2736 259394827
11⤵
PID:2720

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
12⤵
PID:2812

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2156 259431487
13⤵
PID:3028

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
14⤵
PID:972

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 3060 259473467
15⤵
PID:2240

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
15⤵
PID:3060

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2248 259496290
15⤵
PID:2604

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
16⤵
PID:2372

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2696 259510595
17⤵
PID:2828

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
18⤵
PID:2800

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
19⤵
PID:3056

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
20⤵
PID:2608

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
21⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:2376

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
22⤵
PID:4000

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 3056 259678203
19⤵
PID:3004

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
20⤵
PID:1976

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
21⤵
PID:1848

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 1848 259842737
21⤵
PID:1368

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
22⤵
PID:3372

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
17⤵
PID:2696

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
15⤵
PID:2248

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
13⤵
PID:2156

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
14⤵
PID:2388

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
15⤵
PID:2376

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
16⤵
PID:2772

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
17⤵
PID:1172

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 1172 259485932
17⤵
PID:992

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
18⤵
PID:2336

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
14⤵
PID:1628

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 1628 259497351
14⤵
PID:2776

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
15⤵
PID:972

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
15⤵
PID:1964

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2660 259351677
7⤵
PID:2556

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
8⤵
PID:2140

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2344 259375124
9⤵
PID:2384

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
10⤵
PID:2348

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2672 259396434
11⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:2556

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
12⤵
PID:2112

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2308 259434607
13⤵
PID:2332

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
14⤵
PID:2584

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2636 259464778
15⤵
PID:2520

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
16⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:1704

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
15⤵
PID:2636

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
13⤵
PID:2308

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
11⤵
PID:2672

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
9⤵
PID:2344

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
1⤵
PID:2340

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2308 259314112
1⤵
PID:2332

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
2⤵
PID:2556

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
3⤵
PID:2688

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
4⤵
PID:2980

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
5⤵
PID:2160

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
6⤵
PID:2240

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2664 259351677
7⤵
PID:2676

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
8⤵
PID:2264

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
9⤵
PID:2132

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2132 259378494
9⤵
PID:1532

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
10⤵
PID:2604

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 1388 259415918
11⤵
PID:2872

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
12⤵
PID:2200

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2780 259449708
13⤵
PID:596

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
14⤵
PID:3040

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
13⤵
PID:2780

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
11⤵
PID:1388

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
7⤵
PID:2664

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2688 259320383
3⤵
PID:2696

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
4⤵
PID:3004

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
5⤵
PID:1300

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 1300 259335282
5⤵
PID:2068

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
6⤵
PID:2420

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
7⤵
PID:2388

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2388 259354610
7⤵
PID:2460

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
8⤵
PID:2160

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
9⤵
PID:2020

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
10⤵
PID:2560

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
11⤵
PID:3068

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
12⤵
PID:2168

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
13⤵
PID:1544

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 1544 259445403
13⤵
PID:468

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
14⤵
PID:284

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2020 259382129
9⤵
PID:2372

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
10⤵
PID:336

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
11⤵
PID:2296

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2296 259422455
11⤵
PID:2836

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
12⤵
PID:2220

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
13⤵
PID:2968

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2968 259456635
13⤵
PID:2564

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
14⤵
PID:2808

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2212 259497289
4⤵
PID:1924

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
5⤵
PID:764

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2068 259510502
6⤵
PID:1372

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
7⤵
PID:2360

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
8⤵
PID:3048

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 3048 259767514
8⤵
PID:2912

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
9⤵
PID:3384

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
10⤵
PID:2240

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2240 259972530
10⤵
PID:3276

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
6⤵
PID:2068

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
4⤵
PID:2212

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
5⤵
PID:2840

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
1⤵
PID:2308

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
1⤵
PID:2276

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
1⤵
PID:2268

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
1⤵
PID:2240

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
1⤵
PID:2232

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2200 259313176
1⤵
PID:2212

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
1⤵
PID:2200

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
1⤵
PID:2164

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
1⤵
PID:2140

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
1⤵
PID:2128

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
1⤵
PID:2100

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
1⤵
PID:2092

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2792 259494434
1⤵
PID:1196

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
2⤵
PID:2968

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2552 259506415
3⤵
PID:1528

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
4⤵
PID:1320

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
5⤵
PID:2380

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2380 259679701
5⤵
PID:2240

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
6⤵
PID:2088

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
7⤵
PID:1072

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 1072 259800336
7⤵
PID:4092

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
8⤵
PID:3028

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
3⤵
PID:2552

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
4⤵
PID:1356

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
1⤵
PID:760

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2456 259499457
2⤵
PID:2508

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
3⤵
PID:2348

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2296 259511953
4⤵
PID:2832

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
5⤵
PID:2272

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
6⤵
PID:2156

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
7⤵
PID:2968

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
8⤵
PID:468

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
9⤵
PID:2508

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2156 259667096
6⤵
PID:2652

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
7⤵
PID:1564

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
8⤵
- Executes dropped EXE
PID:2200

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2200 259824329
8⤵
PID:3732

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
9⤵
PID:4056

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
4⤵
PID:2296

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
2⤵
PID:2456

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
1⤵
PID:2792

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
2⤵
PID:2668

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
3⤵
PID:1388

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
4⤵
PID:2468

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
5⤵
PID:2424

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2424 259520174
5⤵
PID:2428

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1300

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
7⤵
PID:832

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 832 259680637
7⤵
PID:1996

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
8⤵
- Drops startup file
- NTFS ADS
PID:2656

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
9⤵
PID:2736

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2736 259796998
9⤵
PID:3364

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
10⤵
PID:972

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
11⤵
PID:2188

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
3⤵
PID:2216

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
4⤵
PID:3760

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
5⤵
PID:3892

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 3892 259999627
5⤵
PID:2084

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
1⤵
PID:1936

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2636 259499020
2⤵
PID:2780

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
3⤵
PID:2176

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2360 259511844
4⤵
PID:1936

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
5⤵
PID:2204

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
4⤵
PID:2360

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
2⤵
PID:2636

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 1664 259497382
1⤵
PID:2144

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
2⤵
PID:1492

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2024 259561701
3⤵
PID:2620

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
4⤵
PID:2752

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
5⤵
PID:2088

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
6⤵
PID:2384

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2088 259667767
5⤵
PID:2536

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
6⤵
PID:2488

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
7⤵
- Executes dropped EXE
PID:2056

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2056 259822800
7⤵
PID:3536

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
8⤵
PID:2736

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
3⤵
PID:2024

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2900 259497569
1⤵
PID:1536

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
2⤵
PID:2500

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2952 259564681
3⤵
PID:960

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
4⤵
- Loads dropped DLL
PID:2276

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
5⤵
PID:1848

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
6⤵
PID:2812

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
7⤵
PID:2332

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
8⤵
PID:2752

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 1848 259678546
5⤵
PID:2740

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
6⤵
PID:2384

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
7⤵
PID:3084

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 3084 259825811
7⤵
PID:3792

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
8⤵
PID:3320

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
3⤵
PID:2952

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2992 259499613
1⤵
PID:3060

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
2⤵
PID:2304

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
3⤵
PID:2096

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2096 259515510
3⤵
PID:1072

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
4⤵
PID:2748

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
5⤵
PID:2264

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2264 259638766
5⤵
PID:2108

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
6⤵
PID:688

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
7⤵
PID:2132

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2132 259790165
7⤵
PID:3272

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
8⤵
PID:3716

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
9⤵
PID:1472

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2836 259500346
1⤵
PID:2240

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
2⤵
PID:2012

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
2⤵
PID:1916

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
3⤵
PID:2896

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
4⤵
PID:2668

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2896 259665114
3⤵
PID:2284

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
4⤵
PID:592

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
5⤵
PID:2748

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2748 259827730
5⤵
PID:3580

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
6⤵
PID:2136

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
7⤵
PID:1960

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
1⤵
PID:2836

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
1⤵
PID:1996

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 1996 259500580
1⤵
PID:2172

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
2⤵
PID:2964

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
3⤵
PID:2000

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
4⤵
PID:2508

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
5⤵
PID:2300

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
6⤵
PID:3916

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2000 259678593
3⤵
PID:2312

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
4⤵
PID:2888

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
5⤵
PID:2652

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2652 259830600
5⤵
PID:3932

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
6⤵
PID:2456

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
1⤵
PID:2992

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
1⤵
PID:2900

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
2⤵
PID:592

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
3⤵
PID:1368

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
4⤵
PID:1464

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
5⤵
PID:2364

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2364 259582184
5⤵
PID:1536

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
6⤵
PID:2916

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
7⤵
PID:1472

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
8⤵
PID:556

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
9⤵
PID:316

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
10⤵
PID:3208

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 1472 259665988
7⤵
PID:2400

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
8⤵
PID:2908

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
9⤵
PID:3500

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 3500 259879491
9⤵
PID:2204

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
1⤵
PID:1664

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
2⤵
PID:2596

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
3⤵
PID:2972

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
4⤵
PID:2708

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
5⤵
PID:2656

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2656 259578706
5⤵
PID:1964

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
6⤵
PID:2432

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
7⤵
PID:2448

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2448 259831973
7⤵
PID:3688

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
8⤵
PID:3680

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
9⤵
PID:3016

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2660 259497289
1⤵
PID:2768

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
2⤵
PID:2956

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
3⤵
PID:1980

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 1980 259573558
3⤵
PID:2320

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
4⤵
PID:2152

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
5⤵
PID:1644

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 1644 259807512
5⤵
PID:3472

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
6⤵
PID:3308

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
1⤵
PID:2660

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
2⤵
PID:1960

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
3⤵
PID:2608

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:1700

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
5⤵
PID:2660

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2660 259599173
5⤵
PID:2932

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
6⤵
PID:2600

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
7⤵
PID:2436

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2436 259777451
7⤵
PID:2616

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
8⤵
PID:3964

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
9⤵
PID:3112

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
3⤵
PID:2860

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
4⤵
PID:4016

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
5⤵
PID:3272

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
1⤵
PID:1564

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
1⤵
PID:2060

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2060 259504418
1⤵
PID:2088

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
2⤵
PID:832

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 1464 259493872
1⤵
PID:2928

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
1⤵
PID:1464

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
1⤵
PID:2012

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2012 259589657
1⤵
PID:2612

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
2⤵
- Drops startup file
- Loads dropped DLL
- NTFS ADS
PID:1368

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
3⤵
PID:2204

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2204 259757763
3⤵
PID:2708

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
4⤵
PID:3284

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
5⤵
PID:4072

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 4072 259935839
5⤵
PID:2172

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
1⤵
PID:2152

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2152 259639811
1⤵
PID:2976

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
2⤵
PID:2712

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
3⤵
PID:2976

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2976 259782256
3⤵
PID:3148

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
4⤵
PID:3908

C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
"C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
5⤵
PID:4028

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1532

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\systemfiles.exe
MD5
ceb6128a4a0dae23a13dbc714f482ecf

SHA1
fdcac72c933cabc746e21b08c28386fd5cc879be

SHA256
3e7e6c0c683f38597cc9ae71a41b4faec31e07e6244693d4d8e2dfda99e02225

SHA512
0048a91e94854587be92929e11562b69852f32b6e4646ae8342149ff94241f69de5ce9bda43f0102e94e38c417abd341dbcb384261299f955ecc7a4c13a54e1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\systemfiles.exe
MD5
ceb6128a4a0dae23a13dbc714f482ecf

SHA1
fdcac72c933cabc746e21b08c28386fd5cc879be

SHA256
3e7e6c0c683f38597cc9ae71a41b4faec31e07e6244693d4d8e2dfda99e02225

SHA512
0048a91e94854587be92929e11562b69852f32b6e4646ae8342149ff94241f69de5ce9bda43f0102e94e38c417abd341dbcb384261299f955ecc7a4c13a54e1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\systemfiles878.js
MD5
327faf02e528e6e356fc2e92fd8c1d3e

SHA1
550f1188d669145900135c0300630deebcfadf23

SHA256
03849d530ff832cdb13c5d8dd62772575f3f6c56c7cccf5ecd333d5ea27e6efb

SHA512
a23ee3b5fd140fea5b025676b2bebe9e1efb7ac8b836c83d57e3695a185c3dc676cfd444acd34116239679515fa45de3a5cd639eb5c3991d880d323a1ad56281

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\syststemfile.exe
MD5
a99f34d26fb92545294088aea2850fc2

SHA1
a6d438fc7dc71a5d7cc92076c35604d16147fa1d

SHA256
bb7c29be3684dce97f70dd79c7900955cdb9409c668e195defa5fa2b9a8174aa

SHA512
9bccec87b7597998d3182dfcbc50100fbcfd54524103aff52ea6a13528274c1751c8a550c209fdf25f34b63a306ae4036799fc87f970d0e32f8e62c27e8875fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\syststemfile.exe
MD5
a99f34d26fb92545294088aea2850fc2

SHA1
a6d438fc7dc71a5d7cc92076c35604d16147fa1d

SHA256
bb7c29be3684dce97f70dd79c7900955cdb9409c668e195defa5fa2b9a8174aa

SHA512
9bccec87b7597998d3182dfcbc50100fbcfd54524103aff52ea6a13528274c1751c8a550c209fdf25f34b63a306ae4036799fc87f970d0e32f8e62c27e8875fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\systemfiles878.js
MD5
327faf02e528e6e356fc2e92fd8c1d3e

SHA1
550f1188d669145900135c0300630deebcfadf23

SHA256
03849d530ff832cdb13c5d8dd62772575f3f6c56c7cccf5ecd333d5ea27e6efb

SHA512
a23ee3b5fd140fea5b025676b2bebe9e1efb7ac8b836c83d57e3695a185c3dc676cfd444acd34116239679515fa45de3a5cd639eb5c3991d880d323a1ad56281

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe
MD5
a99f34d26fb92545294088aea2850fc2

SHA1
a6d438fc7dc71a5d7cc92076c35604d16147fa1d

SHA256
bb7c29be3684dce97f70dd79c7900955cdb9409c668e195defa5fa2b9a8174aa

SHA512
9bccec87b7597998d3182dfcbc50100fbcfd54524103aff52ea6a13528274c1751c8a550c209fdf25f34b63a306ae4036799fc87f970d0e32f8e62c27e8875fc

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe
MD5
a99f34d26fb92545294088aea2850fc2

SHA1
a6d438fc7dc71a5d7cc92076c35604d16147fa1d

SHA256
bb7c29be3684dce97f70dd79c7900955cdb9409c668e195defa5fa2b9a8174aa

SHA512
9bccec87b7597998d3182dfcbc50100fbcfd54524103aff52ea6a13528274c1751c8a550c209fdf25f34b63a306ae4036799fc87f970d0e32f8e62c27e8875fc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\systemfiles.vbs
MD5
6b17a5baf42e2eced60b40326f06d539

SHA1
7e9f1a9d9f83e89cea6eb1442c2a70dfaa9d94a3

SHA256
4dcd87ba10ee62cea3f021b7d91ed36240e9c64d3218bfaf942e1677695cc411

SHA512
13a02f02088552997c07545fae4d2f0f35490398cc5e46e662c4041bdd905cd65b2e00dd957e369f31d6e020d38978ed3ca9525529c0782badf742a6b00ea651

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\systemfiles878.js
MD5
327faf02e528e6e356fc2e92fd8c1d3e

SHA1
550f1188d669145900135c0300630deebcfadf23

SHA256
03849d530ff832cdb13c5d8dd62772575f3f6c56c7cccf5ecd333d5ea27e6efb

SHA512
a23ee3b5fd140fea5b025676b2bebe9e1efb7ac8b836c83d57e3695a185c3dc676cfd444acd34116239679515fa45de3a5cd639eb5c3991d880d323a1ad56281

Download Submit
C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
MD5
a99f34d26fb92545294088aea2850fc2

SHA1
a6d438fc7dc71a5d7cc92076c35604d16147fa1d

SHA256
bb7c29be3684dce97f70dd79c7900955cdb9409c668e195defa5fa2b9a8174aa

SHA512
9bccec87b7597998d3182dfcbc50100fbcfd54524103aff52ea6a13528274c1751c8a550c209fdf25f34b63a306ae4036799fc87f970d0e32f8e62c27e8875fc

Download Submit
C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
MD5
a99f34d26fb92545294088aea2850fc2

SHA1
a6d438fc7dc71a5d7cc92076c35604d16147fa1d

SHA256
bb7c29be3684dce97f70dd79c7900955cdb9409c668e195defa5fa2b9a8174aa

SHA512
9bccec87b7597998d3182dfcbc50100fbcfd54524103aff52ea6a13528274c1751c8a550c209fdf25f34b63a306ae4036799fc87f970d0e32f8e62c27e8875fc

Download Submit
C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
MD5
a99f34d26fb92545294088aea2850fc2

SHA1
a6d438fc7dc71a5d7cc92076c35604d16147fa1d

SHA256
bb7c29be3684dce97f70dd79c7900955cdb9409c668e195defa5fa2b9a8174aa

SHA512
9bccec87b7597998d3182dfcbc50100fbcfd54524103aff52ea6a13528274c1751c8a550c209fdf25f34b63a306ae4036799fc87f970d0e32f8e62c27e8875fc

Download Submit
C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
MD5
a99f34d26fb92545294088aea2850fc2

SHA1
a6d438fc7dc71a5d7cc92076c35604d16147fa1d

SHA256
bb7c29be3684dce97f70dd79c7900955cdb9409c668e195defa5fa2b9a8174aa

SHA512
9bccec87b7597998d3182dfcbc50100fbcfd54524103aff52ea6a13528274c1751c8a550c209fdf25f34b63a306ae4036799fc87f970d0e32f8e62c27e8875fc

Download Submit
C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
MD5
a99f34d26fb92545294088aea2850fc2

SHA1
a6d438fc7dc71a5d7cc92076c35604d16147fa1d

SHA256
bb7c29be3684dce97f70dd79c7900955cdb9409c668e195defa5fa2b9a8174aa

SHA512
9bccec87b7597998d3182dfcbc50100fbcfd54524103aff52ea6a13528274c1751c8a550c209fdf25f34b63a306ae4036799fc87f970d0e32f8e62c27e8875fc

Download Submit
C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
MD5
a99f34d26fb92545294088aea2850fc2

SHA1
a6d438fc7dc71a5d7cc92076c35604d16147fa1d

SHA256
bb7c29be3684dce97f70dd79c7900955cdb9409c668e195defa5fa2b9a8174aa

SHA512
9bccec87b7597998d3182dfcbc50100fbcfd54524103aff52ea6a13528274c1751c8a550c209fdf25f34b63a306ae4036799fc87f970d0e32f8e62c27e8875fc

Download Submit
C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
MD5
a99f34d26fb92545294088aea2850fc2

SHA1
a6d438fc7dc71a5d7cc92076c35604d16147fa1d

SHA256
bb7c29be3684dce97f70dd79c7900955cdb9409c668e195defa5fa2b9a8174aa

SHA512
9bccec87b7597998d3182dfcbc50100fbcfd54524103aff52ea6a13528274c1751c8a550c209fdf25f34b63a306ae4036799fc87f970d0e32f8e62c27e8875fc

Download Submit
C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
MD5
a99f34d26fb92545294088aea2850fc2

SHA1
a6d438fc7dc71a5d7cc92076c35604d16147fa1d

SHA256
bb7c29be3684dce97f70dd79c7900955cdb9409c668e195defa5fa2b9a8174aa

SHA512
9bccec87b7597998d3182dfcbc50100fbcfd54524103aff52ea6a13528274c1751c8a550c209fdf25f34b63a306ae4036799fc87f970d0e32f8e62c27e8875fc

Download Submit
C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
MD5
a99f34d26fb92545294088aea2850fc2

SHA1
a6d438fc7dc71a5d7cc92076c35604d16147fa1d

SHA256
bb7c29be3684dce97f70dd79c7900955cdb9409c668e195defa5fa2b9a8174aa

SHA512
9bccec87b7597998d3182dfcbc50100fbcfd54524103aff52ea6a13528274c1751c8a550c209fdf25f34b63a306ae4036799fc87f970d0e32f8e62c27e8875fc

Download Submit
C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
MD5
a99f34d26fb92545294088aea2850fc2

SHA1
a6d438fc7dc71a5d7cc92076c35604d16147fa1d

SHA256
bb7c29be3684dce97f70dd79c7900955cdb9409c668e195defa5fa2b9a8174aa

SHA512
9bccec87b7597998d3182dfcbc50100fbcfd54524103aff52ea6a13528274c1751c8a550c209fdf25f34b63a306ae4036799fc87f970d0e32f8e62c27e8875fc

Download Submit
C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
MD5
a99f34d26fb92545294088aea2850fc2

SHA1
a6d438fc7dc71a5d7cc92076c35604d16147fa1d

SHA256
bb7c29be3684dce97f70dd79c7900955cdb9409c668e195defa5fa2b9a8174aa

SHA512
9bccec87b7597998d3182dfcbc50100fbcfd54524103aff52ea6a13528274c1751c8a550c209fdf25f34b63a306ae4036799fc87f970d0e32f8e62c27e8875fc

Download Submit
C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
MD5
a99f34d26fb92545294088aea2850fc2

SHA1
a6d438fc7dc71a5d7cc92076c35604d16147fa1d

SHA256
bb7c29be3684dce97f70dd79c7900955cdb9409c668e195defa5fa2b9a8174aa

SHA512
9bccec87b7597998d3182dfcbc50100fbcfd54524103aff52ea6a13528274c1751c8a550c209fdf25f34b63a306ae4036799fc87f970d0e32f8e62c27e8875fc

Download Submit
C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
MD5
a99f34d26fb92545294088aea2850fc2

SHA1
a6d438fc7dc71a5d7cc92076c35604d16147fa1d

SHA256
bb7c29be3684dce97f70dd79c7900955cdb9409c668e195defa5fa2b9a8174aa

SHA512
9bccec87b7597998d3182dfcbc50100fbcfd54524103aff52ea6a13528274c1751c8a550c209fdf25f34b63a306ae4036799fc87f970d0e32f8e62c27e8875fc

Download Submit
C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
MD5
a99f34d26fb92545294088aea2850fc2

SHA1
a6d438fc7dc71a5d7cc92076c35604d16147fa1d

SHA256
bb7c29be3684dce97f70dd79c7900955cdb9409c668e195defa5fa2b9a8174aa

SHA512
9bccec87b7597998d3182dfcbc50100fbcfd54524103aff52ea6a13528274c1751c8a550c209fdf25f34b63a306ae4036799fc87f970d0e32f8e62c27e8875fc

Download Submit
C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
MD5
a99f34d26fb92545294088aea2850fc2

SHA1
a6d438fc7dc71a5d7cc92076c35604d16147fa1d

SHA256
bb7c29be3684dce97f70dd79c7900955cdb9409c668e195defa5fa2b9a8174aa

SHA512
9bccec87b7597998d3182dfcbc50100fbcfd54524103aff52ea6a13528274c1751c8a550c209fdf25f34b63a306ae4036799fc87f970d0e32f8e62c27e8875fc

Download Submit
C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
MD5
a99f34d26fb92545294088aea2850fc2

SHA1
a6d438fc7dc71a5d7cc92076c35604d16147fa1d

SHA256
bb7c29be3684dce97f70dd79c7900955cdb9409c668e195defa5fa2b9a8174aa

SHA512
9bccec87b7597998d3182dfcbc50100fbcfd54524103aff52ea6a13528274c1751c8a550c209fdf25f34b63a306ae4036799fc87f970d0e32f8e62c27e8875fc

Download Submit
C:\Users\Admin\AppData\Roaming\appdata\systemstability.exe
MD5
ceb6128a4a0dae23a13dbc714f482ecf

SHA1
fdcac72c933cabc746e21b08c28386fd5cc879be

SHA256
3e7e6c0c683f38597cc9ae71a41b4faec31e07e6244693d4d8e2dfda99e02225

SHA512
0048a91e94854587be92929e11562b69852f32b6e4646ae8342149ff94241f69de5ce9bda43f0102e94e38c417abd341dbcb384261299f955ecc7a4c13a54e1f

Download Submit
C:\Users\Admin\AppData\Roaming\appdata\systemstability.exe
MD5
ceb6128a4a0dae23a13dbc714f482ecf

SHA1
fdcac72c933cabc746e21b08c28386fd5cc879be

SHA256
3e7e6c0c683f38597cc9ae71a41b4faec31e07e6244693d4d8e2dfda99e02225

SHA512
0048a91e94854587be92929e11562b69852f32b6e4646ae8342149ff94241f69de5ce9bda43f0102e94e38c417abd341dbcb384261299f955ecc7a4c13a54e1f

Download Submit
C:\Users\Admin\AppData\Roaming\appdata\systemstability.exe
MD5
ceb6128a4a0dae23a13dbc714f482ecf

SHA1
fdcac72c933cabc746e21b08c28386fd5cc879be

SHA256
3e7e6c0c683f38597cc9ae71a41b4faec31e07e6244693d4d8e2dfda99e02225

SHA512
0048a91e94854587be92929e11562b69852f32b6e4646ae8342149ff94241f69de5ce9bda43f0102e94e38c417abd341dbcb384261299f955ecc7a4c13a54e1f

Download Submit
C:\Users\Admin\AppData\Roaming\appdata\systemstability.exe
MD5
ceb6128a4a0dae23a13dbc714f482ecf

SHA1
fdcac72c933cabc746e21b08c28386fd5cc879be

SHA256
3e7e6c0c683f38597cc9ae71a41b4faec31e07e6244693d4d8e2dfda99e02225

SHA512
0048a91e94854587be92929e11562b69852f32b6e4646ae8342149ff94241f69de5ce9bda43f0102e94e38c417abd341dbcb384261299f955ecc7a4c13a54e1f

Download Submit
C:\Users\Admin\AppData\Roaming\lfQEWRrrdw.js
MD5
45f5c927b03df5996b42c0eab0e0f7c7

SHA1
a6e990d3c7bc1e94a1c8fd96674ba818f7e0b83e

SHA256
4fe7a0c1b20ae55003849f7de12b0756434b956676d02fbff06daa9c8d85b0f5

SHA512
4716fc8e7485698d9c4c6c6a52c64fef13e737a935ed4d9fb84e31c1e3a403d6f21cfc64f4910e7bbd38275ecafa15a456044ab68f3471d722585decf04077e9

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\systemfiles.exe
MD5
ceb6128a4a0dae23a13dbc714f482ecf

SHA1
fdcac72c933cabc746e21b08c28386fd5cc879be

SHA256
3e7e6c0c683f38597cc9ae71a41b4faec31e07e6244693d4d8e2dfda99e02225

SHA512
0048a91e94854587be92929e11562b69852f32b6e4646ae8342149ff94241f69de5ce9bda43f0102e94e38c417abd341dbcb384261299f955ecc7a4c13a54e1f

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\systemfiles.exe
MD5
ceb6128a4a0dae23a13dbc714f482ecf

SHA1
fdcac72c933cabc746e21b08c28386fd5cc879be

SHA256
3e7e6c0c683f38597cc9ae71a41b4faec31e07e6244693d4d8e2dfda99e02225

SHA512
0048a91e94854587be92929e11562b69852f32b6e4646ae8342149ff94241f69de5ce9bda43f0102e94e38c417abd341dbcb384261299f955ecc7a4c13a54e1f

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\systemfiles.exe
MD5
ceb6128a4a0dae23a13dbc714f482ecf

SHA1
fdcac72c933cabc746e21b08c28386fd5cc879be

SHA256
3e7e6c0c683f38597cc9ae71a41b4faec31e07e6244693d4d8e2dfda99e02225

SHA512
0048a91e94854587be92929e11562b69852f32b6e4646ae8342149ff94241f69de5ce9bda43f0102e94e38c417abd341dbcb384261299f955ecc7a4c13a54e1f

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\systemfiles.exe
MD5
ceb6128a4a0dae23a13dbc714f482ecf

SHA1
fdcac72c933cabc746e21b08c28386fd5cc879be

SHA256
3e7e6c0c683f38597cc9ae71a41b4faec31e07e6244693d4d8e2dfda99e02225

SHA512
0048a91e94854587be92929e11562b69852f32b6e4646ae8342149ff94241f69de5ce9bda43f0102e94e38c417abd341dbcb384261299f955ecc7a4c13a54e1f

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\systemfiles.exe
MD5
ceb6128a4a0dae23a13dbc714f482ecf

SHA1
fdcac72c933cabc746e21b08c28386fd5cc879be

SHA256
3e7e6c0c683f38597cc9ae71a41b4faec31e07e6244693d4d8e2dfda99e02225

SHA512
0048a91e94854587be92929e11562b69852f32b6e4646ae8342149ff94241f69de5ce9bda43f0102e94e38c417abd341dbcb384261299f955ecc7a4c13a54e1f

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\syststemfile.exe
MD5
a99f34d26fb92545294088aea2850fc2

SHA1
a6d438fc7dc71a5d7cc92076c35604d16147fa1d

SHA256
bb7c29be3684dce97f70dd79c7900955cdb9409c668e195defa5fa2b9a8174aa

SHA512
9bccec87b7597998d3182dfcbc50100fbcfd54524103aff52ea6a13528274c1751c8a550c209fdf25f34b63a306ae4036799fc87f970d0e32f8e62c27e8875fc

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\syststemfile.exe
MD5
a99f34d26fb92545294088aea2850fc2

SHA1
a6d438fc7dc71a5d7cc92076c35604d16147fa1d

SHA256
bb7c29be3684dce97f70dd79c7900955cdb9409c668e195defa5fa2b9a8174aa

SHA512
9bccec87b7597998d3182dfcbc50100fbcfd54524103aff52ea6a13528274c1751c8a550c209fdf25f34b63a306ae4036799fc87f970d0e32f8e62c27e8875fc

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\syststemfile.exe
MD5
a99f34d26fb92545294088aea2850fc2

SHA1
a6d438fc7dc71a5d7cc92076c35604d16147fa1d

SHA256
bb7c29be3684dce97f70dd79c7900955cdb9409c668e195defa5fa2b9a8174aa

SHA512
9bccec87b7597998d3182dfcbc50100fbcfd54524103aff52ea6a13528274c1751c8a550c209fdf25f34b63a306ae4036799fc87f970d0e32f8e62c27e8875fc

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\syststemfile.exe
MD5
a99f34d26fb92545294088aea2850fc2

SHA1
a6d438fc7dc71a5d7cc92076c35604d16147fa1d

SHA256
bb7c29be3684dce97f70dd79c7900955cdb9409c668e195defa5fa2b9a8174aa

SHA512
9bccec87b7597998d3182dfcbc50100fbcfd54524103aff52ea6a13528274c1751c8a550c209fdf25f34b63a306ae4036799fc87f970d0e32f8e62c27e8875fc

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\syststemfile.exe
MD5
a99f34d26fb92545294088aea2850fc2

SHA1
a6d438fc7dc71a5d7cc92076c35604d16147fa1d

SHA256
bb7c29be3684dce97f70dd79c7900955cdb9409c668e195defa5fa2b9a8174aa

SHA512
9bccec87b7597998d3182dfcbc50100fbcfd54524103aff52ea6a13528274c1751c8a550c209fdf25f34b63a306ae4036799fc87f970d0e32f8e62c27e8875fc

Download Submit
\Users\Admin\AppData\Roaming\Install\Host.exe
MD5
a99f34d26fb92545294088aea2850fc2

SHA1
a6d438fc7dc71a5d7cc92076c35604d16147fa1d

SHA256
bb7c29be3684dce97f70dd79c7900955cdb9409c668e195defa5fa2b9a8174aa

SHA512
9bccec87b7597998d3182dfcbc50100fbcfd54524103aff52ea6a13528274c1751c8a550c209fdf25f34b63a306ae4036799fc87f970d0e32f8e62c27e8875fc

Download Submit
\Users\Admin\AppData\Roaming\Install\Host.exe
MD5
a99f34d26fb92545294088aea2850fc2

SHA1
a6d438fc7dc71a5d7cc92076c35604d16147fa1d

SHA256
bb7c29be3684dce97f70dd79c7900955cdb9409c668e195defa5fa2b9a8174aa

SHA512
9bccec87b7597998d3182dfcbc50100fbcfd54524103aff52ea6a13528274c1751c8a550c209fdf25f34b63a306ae4036799fc87f970d0e32f8e62c27e8875fc

Download Submit
\Users\Admin\AppData\Roaming\appdata\systemefile.exe
MD5
a99f34d26fb92545294088aea2850fc2

SHA1
a6d438fc7dc71a5d7cc92076c35604d16147fa1d

SHA256
bb7c29be3684dce97f70dd79c7900955cdb9409c668e195defa5fa2b9a8174aa

SHA512
9bccec87b7597998d3182dfcbc50100fbcfd54524103aff52ea6a13528274c1751c8a550c209fdf25f34b63a306ae4036799fc87f970d0e32f8e62c27e8875fc

Download Submit
\Users\Admin\AppData\Roaming\appdata\systemefile.exe
MD5
a99f34d26fb92545294088aea2850fc2

SHA1
a6d438fc7dc71a5d7cc92076c35604d16147fa1d

SHA256
bb7c29be3684dce97f70dd79c7900955cdb9409c668e195defa5fa2b9a8174aa

SHA512
9bccec87b7597998d3182dfcbc50100fbcfd54524103aff52ea6a13528274c1751c8a550c209fdf25f34b63a306ae4036799fc87f970d0e32f8e62c27e8875fc

Download Submit
\Users\Admin\AppData\Roaming\appdata\systemefile.exe
MD5
a99f34d26fb92545294088aea2850fc2

SHA1
a6d438fc7dc71a5d7cc92076c35604d16147fa1d

SHA256
bb7c29be3684dce97f70dd79c7900955cdb9409c668e195defa5fa2b9a8174aa

SHA512
9bccec87b7597998d3182dfcbc50100fbcfd54524103aff52ea6a13528274c1751c8a550c209fdf25f34b63a306ae4036799fc87f970d0e32f8e62c27e8875fc

Download Submit
\Users\Admin\AppData\Roaming\appdata\systemefile.exe
MD5
a99f34d26fb92545294088aea2850fc2

SHA1
a6d438fc7dc71a5d7cc92076c35604d16147fa1d

SHA256
bb7c29be3684dce97f70dd79c7900955cdb9409c668e195defa5fa2b9a8174aa

SHA512
9bccec87b7597998d3182dfcbc50100fbcfd54524103aff52ea6a13528274c1751c8a550c209fdf25f34b63a306ae4036799fc87f970d0e32f8e62c27e8875fc

Download Submit
\Users\Admin\AppData\Roaming\appdata\systemefile.exe
MD5
a99f34d26fb92545294088aea2850fc2

SHA1
a6d438fc7dc71a5d7cc92076c35604d16147fa1d

SHA256
bb7c29be3684dce97f70dd79c7900955cdb9409c668e195defa5fa2b9a8174aa

SHA512
9bccec87b7597998d3182dfcbc50100fbcfd54524103aff52ea6a13528274c1751c8a550c209fdf25f34b63a306ae4036799fc87f970d0e32f8e62c27e8875fc

Download Submit
\Users\Admin\AppData\Roaming\appdata\systemefile.exe
MD5
a99f34d26fb92545294088aea2850fc2

SHA1
a6d438fc7dc71a5d7cc92076c35604d16147fa1d

SHA256
bb7c29be3684dce97f70dd79c7900955cdb9409c668e195defa5fa2b9a8174aa

SHA512
9bccec87b7597998d3182dfcbc50100fbcfd54524103aff52ea6a13528274c1751c8a550c209fdf25f34b63a306ae4036799fc87f970d0e32f8e62c27e8875fc

Download Submit
\Users\Admin\AppData\Roaming\appdata\systemefile.exe
MD5
a99f34d26fb92545294088aea2850fc2

SHA1
a6d438fc7dc71a5d7cc92076c35604d16147fa1d

SHA256
bb7c29be3684dce97f70dd79c7900955cdb9409c668e195defa5fa2b9a8174aa

SHA512
9bccec87b7597998d3182dfcbc50100fbcfd54524103aff52ea6a13528274c1751c8a550c209fdf25f34b63a306ae4036799fc87f970d0e32f8e62c27e8875fc

Download Submit
\Users\Admin\AppData\Roaming\appdata\systemefile.exe
MD5
a99f34d26fb92545294088aea2850fc2

SHA1
a6d438fc7dc71a5d7cc92076c35604d16147fa1d

SHA256
bb7c29be3684dce97f70dd79c7900955cdb9409c668e195defa5fa2b9a8174aa

SHA512
9bccec87b7597998d3182dfcbc50100fbcfd54524103aff52ea6a13528274c1751c8a550c209fdf25f34b63a306ae4036799fc87f970d0e32f8e62c27e8875fc

Download Submit
\Users\Admin\AppData\Roaming\appdata\systemefile.exe
MD5
a99f34d26fb92545294088aea2850fc2

SHA1
a6d438fc7dc71a5d7cc92076c35604d16147fa1d

SHA256
bb7c29be3684dce97f70dd79c7900955cdb9409c668e195defa5fa2b9a8174aa

SHA512
9bccec87b7597998d3182dfcbc50100fbcfd54524103aff52ea6a13528274c1751c8a550c209fdf25f34b63a306ae4036799fc87f970d0e32f8e62c27e8875fc

Download Submit
\Users\Admin\AppData\Roaming\appdata\systemefile.exe
MD5
a99f34d26fb92545294088aea2850fc2

SHA1
a6d438fc7dc71a5d7cc92076c35604d16147fa1d

SHA256
bb7c29be3684dce97f70dd79c7900955cdb9409c668e195defa5fa2b9a8174aa

SHA512
9bccec87b7597998d3182dfcbc50100fbcfd54524103aff52ea6a13528274c1751c8a550c209fdf25f34b63a306ae4036799fc87f970d0e32f8e62c27e8875fc

Download Submit
\Users\Admin\AppData\Roaming\appdata\systemefile.exe
MD5
a99f34d26fb92545294088aea2850fc2

SHA1
a6d438fc7dc71a5d7cc92076c35604d16147fa1d

SHA256
bb7c29be3684dce97f70dd79c7900955cdb9409c668e195defa5fa2b9a8174aa

SHA512
9bccec87b7597998d3182dfcbc50100fbcfd54524103aff52ea6a13528274c1751c8a550c209fdf25f34b63a306ae4036799fc87f970d0e32f8e62c27e8875fc

Download Submit
\Users\Admin\AppData\Roaming\appdata\systemefile.exe
MD5
a99f34d26fb92545294088aea2850fc2

SHA1
a6d438fc7dc71a5d7cc92076c35604d16147fa1d

SHA256
bb7c29be3684dce97f70dd79c7900955cdb9409c668e195defa5fa2b9a8174aa

SHA512
9bccec87b7597998d3182dfcbc50100fbcfd54524103aff52ea6a13528274c1751c8a550c209fdf25f34b63a306ae4036799fc87f970d0e32f8e62c27e8875fc

Download Submit
\Users\Admin\AppData\Roaming\appdata\systemefile.exe
MD5
a99f34d26fb92545294088aea2850fc2

SHA1
a6d438fc7dc71a5d7cc92076c35604d16147fa1d

SHA256
bb7c29be3684dce97f70dd79c7900955cdb9409c668e195defa5fa2b9a8174aa

SHA512
9bccec87b7597998d3182dfcbc50100fbcfd54524103aff52ea6a13528274c1751c8a550c209fdf25f34b63a306ae4036799fc87f970d0e32f8e62c27e8875fc

Download Submit
\Users\Admin\AppData\Roaming\appdata\systemefile.exe
MD5
a99f34d26fb92545294088aea2850fc2

SHA1
a6d438fc7dc71a5d7cc92076c35604d16147fa1d

SHA256
bb7c29be3684dce97f70dd79c7900955cdb9409c668e195defa5fa2b9a8174aa

SHA512
9bccec87b7597998d3182dfcbc50100fbcfd54524103aff52ea6a13528274c1751c8a550c209fdf25f34b63a306ae4036799fc87f970d0e32f8e62c27e8875fc

Download Submit
\Users\Admin\AppData\Roaming\appdata\systemefile.exe
MD5
a99f34d26fb92545294088aea2850fc2

SHA1
a6d438fc7dc71a5d7cc92076c35604d16147fa1d

SHA256
bb7c29be3684dce97f70dd79c7900955cdb9409c668e195defa5fa2b9a8174aa

SHA512
9bccec87b7597998d3182dfcbc50100fbcfd54524103aff52ea6a13528274c1751c8a550c209fdf25f34b63a306ae4036799fc87f970d0e32f8e62c27e8875fc

Download Submit
\Users\Admin\AppData\Roaming\appdata\systemefile.exe
MD5
a99f34d26fb92545294088aea2850fc2

SHA1
a6d438fc7dc71a5d7cc92076c35604d16147fa1d

SHA256
bb7c29be3684dce97f70dd79c7900955cdb9409c668e195defa5fa2b9a8174aa

SHA512
9bccec87b7597998d3182dfcbc50100fbcfd54524103aff52ea6a13528274c1751c8a550c209fdf25f34b63a306ae4036799fc87f970d0e32f8e62c27e8875fc

Download Submit
\Users\Admin\AppData\Roaming\appdata\systemefile.exe
MD5
a99f34d26fb92545294088aea2850fc2

SHA1
a6d438fc7dc71a5d7cc92076c35604d16147fa1d

SHA256
bb7c29be3684dce97f70dd79c7900955cdb9409c668e195defa5fa2b9a8174aa

SHA512
9bccec87b7597998d3182dfcbc50100fbcfd54524103aff52ea6a13528274c1751c8a550c209fdf25f34b63a306ae4036799fc87f970d0e32f8e62c27e8875fc

Download Submit
\Users\Admin\AppData\Roaming\appdata\systemstability.exe
MD5
ceb6128a4a0dae23a13dbc714f482ecf

SHA1
fdcac72c933cabc746e21b08c28386fd5cc879be

SHA256
3e7e6c0c683f38597cc9ae71a41b4faec31e07e6244693d4d8e2dfda99e02225

SHA512
0048a91e94854587be92929e11562b69852f32b6e4646ae8342149ff94241f69de5ce9bda43f0102e94e38c417abd341dbcb384261299f955ecc7a4c13a54e1f

Download Submit
\Users\Admin\AppData\Roaming\appdata\systemstability.exe
MD5
ceb6128a4a0dae23a13dbc714f482ecf

SHA1
fdcac72c933cabc746e21b08c28386fd5cc879be

SHA256
3e7e6c0c683f38597cc9ae71a41b4faec31e07e6244693d4d8e2dfda99e02225

SHA512
0048a91e94854587be92929e11562b69852f32b6e4646ae8342149ff94241f69de5ce9bda43f0102e94e38c417abd341dbcb384261299f955ecc7a4c13a54e1f

Download Submit
\Users\Admin\AppData\Roaming\appdata\systemstability.exe
MD5
ceb6128a4a0dae23a13dbc714f482ecf

SHA1
fdcac72c933cabc746e21b08c28386fd5cc879be

SHA256
3e7e6c0c683f38597cc9ae71a41b4faec31e07e6244693d4d8e2dfda99e02225

SHA512
0048a91e94854587be92929e11562b69852f32b6e4646ae8342149ff94241f69de5ce9bda43f0102e94e38c417abd341dbcb384261299f955ecc7a4c13a54e1f

Download Submit
\Users\Admin\AppData\Roaming\appdata\systemstability.exe
MD5
ceb6128a4a0dae23a13dbc714f482ecf

SHA1
fdcac72c933cabc746e21b08c28386fd5cc879be

SHA256
3e7e6c0c683f38597cc9ae71a41b4faec31e07e6244693d4d8e2dfda99e02225

SHA512
0048a91e94854587be92929e11562b69852f32b6e4646ae8342149ff94241f69de5ce9bda43f0102e94e38c417abd341dbcb384261299f955ecc7a4c13a54e1f

Download Submit
memory/268-210-0x0000000000000000-mapping.dmp

Download
memory/268-231-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/268-229-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/268-295-0x000000000040242D-mapping.dmp

Download
memory/336-147-0x000000000040242D-mapping.dmp

Download
memory/360-195-0x0000000000000000-mapping.dmp

Download
memory/520-99-0x000000000040242D-mapping.dmp

Download
memory/520-133-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/552-104-0x0000000000000000-mapping.dmp

Download
memory/552-123-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/552-118-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/560-119-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/560-110-0x0000000000000000-mapping.dmp

Download
memory/560-122-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/608-228-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/608-205-0x0000000000000000-mapping.dmp

Download
memory/680-247-0x0000000000000000-mapping.dmp

Download
memory/836-81-0x0000000000000000-mapping.dmp

Download
memory/836-181-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/836-183-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/836-171-0x0000000000000000-mapping.dmp

Download
memory/852-177-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/852-164-0x000000000040242D-mapping.dmp

Download
memory/904-277-0x0000000000000000-mapping.dmp

Download
memory/904-293-0x0000000000000000-mapping.dmp

Download
memory/904-214-0x000000000040242D-mapping.dmp

Download
memory/912-246-0x0000000000000000-mapping.dmp

Download
memory/944-265-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/944-270-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/944-253-0x0000000000000000-mapping.dmp

Download
memory/944-220-0x0000000000000000-mapping.dmp

Download
memory/952-190-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/952-158-0x0000000000000000-mapping.dmp

Download
memory/952-192-0x0000000000510000-0x0000000000511000-memory.dmp

Filesize
4KB

Download
memory/972-202-0x000000000040242D-mapping.dmp

Download
memory/1080-59-0x00000000768B1000-0x00000000768B3000-memory.dmp

Filesize
8KB

Download
memory/1112-178-0x0000000002060000-0x0000000002061000-memory.dmp

Filesize
4KB

Download
memory/1112-107-0x000000000047D4A0-mapping.dmp

Download
memory/1112-132-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1140-278-0x0000000000000000-mapping.dmp

Download
memory/1140-241-0x0000000000000000-mapping.dmp

Download
memory/1148-152-0x0000000000000000-mapping.dmp

Download
memory/1284-285-0x0000000000000000-mapping.dmp

Download
memory/1300-198-0x0000000000000000-mapping.dmp

Download
memory/1300-224-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/1300-222-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1320-307-0x0000000000000000-mapping.dmp

Download
memory/1320-298-0x0000000000000000-mapping.dmp

Download
memory/1352-84-0x0000000000000000-mapping.dmp

Download
memory/1368-237-0x0000000000000000-mapping.dmp

Download
memory/1420-140-0x0000000000000000-mapping.dmp

Download
memory/1468-311-0x000000000040242D-mapping.dmp

Download
memory/1468-273-0x0000000000000000-mapping.dmp

Download
memory/1468-248-0x0000000000000000-mapping.dmp

Download
memory/1500-280-0x0000000000000000-mapping.dmp

Download
memory/1532-283-0x000000000040242D-mapping.dmp

Download
memory/1532-244-0x0000000000000000-mapping.dmp

Download
memory/1532-296-0x0000000000000000-mapping.dmp

Download
memory/1544-91-0x0000000000000000-mapping.dmp

Download
memory/1544-131-0x0000000000540000-0x0000000000541000-memory.dmp

Filesize
4KB

Download
memory/1544-129-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1548-128-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/1548-88-0x0000000000000000-mapping.dmp

Download
memory/1560-258-0x0000000000000000-mapping.dmp

Download
memory/1560-289-0x0000000000000000-mapping.dmp

Download
memory/1564-165-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/1564-137-0x0000000000000000-mapping.dmp

Download
memory/1564-176-0x0000000000370000-0x0000000000371000-memory.dmp

Filesize
4KB

Download
memory/1616-309-0x0000000000000000-mapping.dmp

Download
memory/1636-142-0x0000000000000000-mapping.dmp

Download
memory/1636-180-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1636-185-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/1640-172-0x0000000000000000-mapping.dmp

Download
memory/1684-252-0x000000000040242D-mapping.dmp

Download
memory/1700-284-0x0000000000000000-mapping.dmp

Download
memory/1704-236-0x0000000000000000-mapping.dmp

Download
memory/1740-113-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download
memory/1740-68-0x0000000000000000-mapping.dmp

Download
memory/1744-76-0x0000000000000000-mapping.dmp

Download
memory/1744-114-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1744-124-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/1772-263-0x0000000000000000-mapping.dmp

Download
memory/1772-272-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/1792-240-0x000000000040242D-mapping.dmp

Download
memory/1812-303-0x0000000000000000-mapping.dmp

Download
memory/1812-257-0x0000000000000000-mapping.dmp

Download
memory/1832-256-0x000000000040242D-mapping.dmp

Download
memory/1836-235-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/1836-218-0x0000000000000000-mapping.dmp

Download
memory/1840-262-0x000000000040242D-mapping.dmp

Download
memory/1840-302-0x000000000040242D-mapping.dmp

Download
memory/1980-77-0x0000000000280000-0x000000000028C000-memory.dmp

Filesize
48KB

Download
memory/1980-65-0x0000000000000000-mapping.dmp

Download
memory/1980-75-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1980-78-0x0000000000540000-0x0000000000541000-memory.dmp

Filesize
4KB

Download
memory/2032-312-0x0000000000000000-mapping.dmp

Download
memory/2036-301-0x0000000000000000-mapping.dmp

Download
memory/2036-291-0x0000000000000000-mapping.dmp

Download
memory/2036-189-0x0000000000650000-0x0000000000651000-memory.dmp

Filesize
4KB

Download
memory/2036-151-0x0000000000000000-mapping.dmp

Download