modiloader | 545c25bdd6d1a9cb3974974104bde506601c1e5738983869411897b91e6c0a24

Analysis

max time kernel
123s
max time network
123s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
30/12/2023, 11:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

16d21f6bd48d0425a8d1e4fd0059b45c.exe
Size

38KB
MD5

16d21f6bd48d0425a8d1e4fd0059b45c
SHA1

7cd44841eddb746946ba301613025dc092b2159d
SHA256

545c25bdd6d1a9cb3974974104bde506601c1e5738983869411897b91e6c0a24
SHA512

e48e126cde844e017d4e461b916207ba0fcb29c8d38b2cc2ae14349e741ee328f6c3c957abfac0369ff675a44a8f80e6778f627711079f79610535ce9b7a5ab9
SSDEEP

768:IkFZ0VdXeMaWDoOEN58MVkSJS0S0JEzuXCZWM+N1:IkUDXeM3pMTdS0GzuXAWM+N1

Score

10^/10

modiloader trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 30 IoCs

resource	yara_rule
behavioral1/memory/2988-30-0x0000000000400000-0x0000000000425000-memory.dmp	modiloader_stage2
behavioral1/memory/2548-42-0x0000000000400000-0x0000000000425000-memory.dmp	modiloader_stage2
behavioral1/memory/2832-46-0x0000000000400000-0x0000000000425000-memory.dmp	modiloader_stage2
behavioral1/memory/3028-51-0x0000000000400000-0x0000000000425000-memory.dmp	modiloader_stage2
behavioral1/memory/2676-56-0x0000000000400000-0x0000000000425000-memory.dmp	modiloader_stage2
behavioral1/memory/2468-61-0x0000000000220000-0x0000000000245000-memory.dmp	modiloader_stage2
behavioral1/memory/2572-64-0x0000000000400000-0x0000000000425000-memory.dmp	modiloader_stage2
behavioral1/memory/2780-72-0x0000000000400000-0x0000000000425000-memory.dmp	modiloader_stage2
behavioral1/memory/2844-75-0x0000000000400000-0x0000000000425000-memory.dmp	modiloader_stage2
behavioral1/memory/1884-80-0x0000000000320000-0x0000000000345000-memory.dmp	modiloader_stage2
behavioral1/memory/2540-89-0x0000000000400000-0x0000000000425000-memory.dmp	modiloader_stage2
behavioral1/memory/2468-86-0x0000000000400000-0x0000000000425000-memory.dmp	modiloader_stage2
behavioral1/memory/2960-94-0x0000000000400000-0x0000000000425000-memory.dmp	modiloader_stage2
behavioral1/memory/1884-100-0x0000000000320000-0x0000000000345000-memory.dmp	modiloader_stage2
behavioral1/memory/1884-98-0x0000000000400000-0x0000000000425000-memory.dmp	modiloader_stage2
behavioral1/memory/684-104-0x0000000000400000-0x0000000000425000-memory.dmp	modiloader_stage2
behavioral1/memory/1320-109-0x0000000000400000-0x0000000000425000-memory.dmp	modiloader_stage2
behavioral1/memory/1320-116-0x0000000000220000-0x0000000000245000-memory.dmp	modiloader_stage2
behavioral1/memory/1636-117-0x0000000000400000-0x0000000000425000-memory.dmp	modiloader_stage2
behavioral1/memory/1488-119-0x0000000000400000-0x0000000000425000-memory.dmp	modiloader_stage2
behavioral1/memory/2424-123-0x00000000002B0000-0x00000000002D5000-memory.dmp	modiloader_stage2
behavioral1/memory/1876-121-0x0000000000400000-0x0000000000425000-memory.dmp	modiloader_stage2
behavioral1/memory/2016-125-0x0000000000400000-0x0000000000425000-memory.dmp	modiloader_stage2
behavioral1/memory/2364-131-0x0000000000400000-0x0000000000425000-memory.dmp	modiloader_stage2
behavioral1/memory/2220-130-0x0000000000400000-0x0000000000425000-memory.dmp	modiloader_stage2
behavioral1/memory/2344-129-0x0000000000220000-0x0000000000245000-memory.dmp	modiloader_stage2
behavioral1/memory/2372-124-0x0000000000400000-0x0000000000425000-memory.dmp	modiloader_stage2
behavioral1/memory/2540-91-0x0000000000220000-0x000000000022A000-memory.dmp	modiloader_stage2
behavioral1/memory/2892-58-0x0000000000400000-0x0000000000425000-memory.dmp	modiloader_stage2
behavioral1/memory/2188-38-0x0000000000400000-0x0000000000425000-memory.dmp	modiloader_stage2

Deletes itself 1 IoCs

pid	Process
3200	svvosts.exe

Executes dropped EXE 64 IoCs

pid	Process
2188	svvosts.exe
2548	svvosts.exe
2832	svvosts.exe
3028	svvosts.exe
2676	svvosts.exe
2892	svvosts.exe
2572	svvosts.exe
2780	svvosts.exe
2844	svvosts.exe
2468	svvosts.exe
2540	cmd.exe
2960	svvosts.exe
1884	svvosts.exe
684	svvosts.exe
1320	svvosts.exe
1636	svvosts.exe
1488	svvosts.exe
1876	svvosts.exe
2372	svvosts.exe
2016	svvosts.exe
2220	svvosts.exe
2264	svvosts.exe
2248	svvosts.exe
2424	svvosts.exe
2344	svvosts.exe
2364	svvosts.exe
1824	svvosts.exe
1628	svvosts.exe
2400	svvosts.exe
640	svvosts.exe
1500	svvosts.exe
1516	svvosts.exe
1776	svvosts.exe
1812	svvosts.exe
1976	svvosts.exe
1836	svvosts.exe
1672	svvosts.exe
772	svvosts.exe
1604	svvosts.exe
2352	svvosts.exe
2520	svvosts.exe
1148	svvosts.exe
628	svvosts.exe
448	svvosts.exe
2440	svvosts.exe
2568	svvosts.exe
2712	svvosts.exe
1536	svvosts.exe
2416	svvosts.exe
1852	svvosts.exe
2316	svvosts.exe
1084	svvosts.exe
1344	svvosts.exe
1016	svvosts.exe
788	svvosts.exe
2168	svvosts.exe
300	svvosts.exe
2860	svvosts.exe
2312	svvosts.exe
652	svvosts.exe
2660	svvosts.exe
2904	svvosts.exe
1944	svvosts.exe
1936	svvosts.exe

Loads dropped DLL 64 IoCs

pid	Process
2988	16d21f6bd48d0425a8d1e4fd0059b45c.exe
2988	16d21f6bd48d0425a8d1e4fd0059b45c.exe
2188	svvosts.exe
2188	svvosts.exe
2548	svvosts.exe
2548	svvosts.exe
2832	svvosts.exe
2832	svvosts.exe
3028	svvosts.exe
3028	svvosts.exe
2676	svvosts.exe
2676	svvosts.exe
2892	svvosts.exe
2892	svvosts.exe
2572	svvosts.exe
2572	svvosts.exe
2780	svvosts.exe
2780	svvosts.exe
2844	svvosts.exe
2844	svvosts.exe
2468	svvosts.exe
2468	svvosts.exe
2540	cmd.exe
2540	cmd.exe
2960	svvosts.exe
2960	svvosts.exe
1884	svvosts.exe
1884	svvosts.exe
684	svvosts.exe
684	svvosts.exe
1320	svvosts.exe
1320	svvosts.exe
1636	svvosts.exe
1636	svvosts.exe
1488	svvosts.exe
1488	svvosts.exe
1876	svvosts.exe
1876	svvosts.exe
2372	svvosts.exe
2372	svvosts.exe
2016	svvosts.exe
2016	svvosts.exe
2220	svvosts.exe
2220	svvosts.exe
2264	svvosts.exe
2264	svvosts.exe
2248	svvosts.exe
2248	svvosts.exe
2424	svvosts.exe
2424	svvosts.exe
2344	svvosts.exe
2344	svvosts.exe
2364	svvosts.exe
2364	svvosts.exe
1824	svvosts.exe
1824	svvosts.exe
1628	svvosts.exe
1628	svvosts.exe
2400	svvosts.exe
2400	svvosts.exe
640	svvosts.exe
640	svvosts.exe
1500	svvosts.exe
1500	svvosts.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\$$a.bat	svvosts.exe
File created	C:\Windows\SysWOW64\svvosts.exe	svvosts.exe
File created	C:\Windows\SysWOW64\svvosts.exe	svvosts.exe
File opened for modification	C:\Windows\SysWOW64\$$a.bat	cmd.exe
File opened for modification	C:\Windows\SysWOW64\$$a.bat	conhost.exe
File created	C:\Windows\SysWOW64\svvosts.exe	svvosts.exe
File created	C:\Windows\SysWOW64\svvosts.exe	svvosts.exe
File opened for modification	C:\Windows\SysWOW64\$$a.bat	Process not Found
File created	C:\Windows\SysWOW64\$$a.bat	svvosts.exe
File created	C:\Windows\SysWOW64\svvosts.exe	svvosts.exe
File created	C:\Windows\SysWOW64\svvosts.exe	svvosts.exe
File created	C:\Windows\SysWOW64\svvosts.exe	svvosts.exe
File created	C:\Windows\SysWOW64\svvosts.exe	cmd.exe
File created	C:\Windows\SysWOW64\svvosts.exe	svvosts.exe
File opened for modification	C:\Windows\SysWOW64\$$a.bat	svvosts.exe
File opened for modification	C:\Windows\SysWOW64\$$a.bat	svvosts.exe
File created	C:\Windows\SysWOW64\svvosts.exe	cmd.exe
File created	C:\Windows\SysWOW64\svvosts.exe	svvosts.exe
File created	C:\Windows\SysWOW64\svvosts.exe	cmd.exe
File created	C:\Windows\SysWOW64\svvosts.exe	svvosts.exe
File created	C:\Windows\SysWOW64\svvosts.exe	svvosts.exe
File created	C:\Windows\SysWOW64\$$a.bat	svvosts.exe
File created	C:\Windows\SysWOW64\$$a.bat	svvosts.exe
File created	C:\Windows\SysWOW64\svvosts.exe	svvosts.exe
File created	C:\Windows\SysWOW64\svvosts.exe	svvosts.exe
File created	C:\Windows\SysWOW64\svvosts.exe	svvosts.exe
File created	C:\Windows\SysWOW64\$$a.bat	svvosts.exe
File created	C:\Windows\SysWOW64\svvosts.exe	conhost.exe
File created	C:\Windows\SysWOW64\svvosts.exe	cmd.exe
File created	C:\Windows\SysWOW64\$$a.bat	svvosts.exe
File created	C:\Windows\SysWOW64\svvosts.exe	svvosts.exe
File created	C:\Windows\SysWOW64\svvosts.exe	svvosts.exe
File created	C:\Windows\SysWOW64\svvosts.exe	svvosts.exe
File created	C:\Windows\SysWOW64\svvosts.exe	svvosts.exe
File opened for modification	C:\Windows\SysWOW64\$$a.bat	svvosts.exe
File created	C:\Windows\SysWOW64\svvosts.exe	svvosts.exe
File opened for modification	C:\Windows\SysWOW64\$$a.bat	svvosts.exe
File created	C:\Windows\SysWOW64\svvosts.exe	svvosts.exe
File created	C:\Windows\SysWOW64\svvosts.exe	conhost.exe
File created	C:\Windows\SysWOW64\svvosts.exe	svvosts.exe
File created	C:\Windows\SysWOW64\svvosts.exe	svvosts.exe
File created	C:\Windows\SysWOW64\svvosts.exe	svvosts.exe
File created	C:\Windows\SysWOW64\$$a.bat	svvosts.exe
File created	C:\Windows\SysWOW64\svvosts.exe	svvosts.exe
File created	C:\Windows\SysWOW64\svvosts.exe	svvosts.exe
File created	C:\Windows\SysWOW64\svvosts.exe	svvosts.exe
File created	C:\Windows\SysWOW64\$$a.bat	svvosts.exe
File opened for modification	C:\Windows\SysWOW64\$$a.bat	cmd.exe
File created	C:\Windows\SysWOW64\svvosts.exe	svvosts.exe
File created	C:\Windows\SysWOW64\svvosts.exe	svvosts.exe
File created	C:\Windows\SysWOW64\svvosts.exe	svvosts.exe
File created	C:\Windows\SysWOW64\svvosts.exe	svvosts.exe
File created	C:\Windows\SysWOW64\svvosts.exe	svvosts.exe
File created	C:\Windows\SysWOW64\svvosts.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\$$a.bat	conhost.exe
File created	C:\Windows\SysWOW64\svvosts.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\$$a.bat	svvosts.exe
File created	C:\Windows\SysWOW64\svvosts.exe	svvosts.exe
File created	C:\Windows\SysWOW64\svvosts.exe	svvosts.exe
File created	C:\Windows\SysWOW64\svvosts.exe	svvosts.exe
File opened for modification	C:\Windows\SysWOW64\$$a.bat	svvosts.exe
File opened for modification	C:\Windows\SysWOW64\$$a.bat	svvosts.exe
File opened for modification	C:\Windows\SysWOW64\$$a.bat	svvosts.exe
File opened for modification	C:\Windows\SysWOW64\$$a.bat	conhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2988 wrote to memory of 2188	2988	16d21f6bd48d0425a8d1e4fd0059b45c.exe	66
PID 2988 wrote to memory of 2188	2988	16d21f6bd48d0425a8d1e4fd0059b45c.exe	66
PID 2988 wrote to memory of 2188	2988	16d21f6bd48d0425a8d1e4fd0059b45c.exe	66
PID 2988 wrote to memory of 2188	2988	16d21f6bd48d0425a8d1e4fd0059b45c.exe	66
PID 2188 wrote to memory of 2548	2188	svvosts.exe	63
PID 2188 wrote to memory of 2548	2188	svvosts.exe	63
PID 2188 wrote to memory of 2548	2188	svvosts.exe	63
PID 2188 wrote to memory of 2548	2188	svvosts.exe	63
PID 2548 wrote to memory of 2832	2548	svvosts.exe	61
PID 2548 wrote to memory of 2832	2548	svvosts.exe	61
PID 2548 wrote to memory of 2832	2548	svvosts.exe	61
PID 2548 wrote to memory of 2832	2548	svvosts.exe	61
PID 2832 wrote to memory of 3028	2832	svvosts.exe	59
PID 2832 wrote to memory of 3028	2832	svvosts.exe	59
PID 2832 wrote to memory of 3028	2832	svvosts.exe	59
PID 2832 wrote to memory of 3028	2832	svvosts.exe	59
PID 3028 wrote to memory of 2676	3028	svvosts.exe	18
PID 3028 wrote to memory of 2676	3028	svvosts.exe	18
PID 3028 wrote to memory of 2676	3028	svvosts.exe	18
PID 3028 wrote to memory of 2676	3028	svvosts.exe	18
PID 2676 wrote to memory of 2892	2676	svvosts.exe	57
PID 2676 wrote to memory of 2892	2676	svvosts.exe	57
PID 2676 wrote to memory of 2892	2676	svvosts.exe	57
PID 2676 wrote to memory of 2892	2676	svvosts.exe	57
PID 2892 wrote to memory of 2572	2892	svvosts.exe	328
PID 2892 wrote to memory of 2572	2892	svvosts.exe	328
PID 2892 wrote to memory of 2572	2892	svvosts.exe	328
PID 2892 wrote to memory of 2572	2892	svvosts.exe	328
PID 2572 wrote to memory of 2780	2572	svvosts.exe	53
PID 2572 wrote to memory of 2780	2572	svvosts.exe	53
PID 2572 wrote to memory of 2780	2572	svvosts.exe	53
PID 2572 wrote to memory of 2780	2572	svvosts.exe	53
PID 2780 wrote to memory of 2844	2780	svvosts.exe	335
PID 2780 wrote to memory of 2844	2780	svvosts.exe	335
PID 2780 wrote to memory of 2844	2780	svvosts.exe	335
PID 2780 wrote to memory of 2844	2780	svvosts.exe	335
PID 2844 wrote to memory of 2468	2844	svvosts.exe	338
PID 2844 wrote to memory of 2468	2844	svvosts.exe	338
PID 2844 wrote to memory of 2468	2844	svvosts.exe	338
PID 2844 wrote to memory of 2468	2844	svvosts.exe	338
PID 2468 wrote to memory of 2540	2468	svvosts.exe	47
PID 2468 wrote to memory of 2540	2468	svvosts.exe	47
PID 2468 wrote to memory of 2540	2468	svvosts.exe	47
PID 2468 wrote to memory of 2540	2468	svvosts.exe	47
PID 2540 wrote to memory of 2960	2540	cmd.exe	359
PID 2540 wrote to memory of 2960	2540	cmd.exe	359
PID 2540 wrote to memory of 2960	2540	cmd.exe	359
PID 2540 wrote to memory of 2960	2540	cmd.exe	359
PID 2960 wrote to memory of 1884	2960	svvosts.exe	43
PID 2960 wrote to memory of 1884	2960	svvosts.exe	43
PID 2960 wrote to memory of 1884	2960	svvosts.exe	43
PID 2960 wrote to memory of 1884	2960	svvosts.exe	43
PID 1884 wrote to memory of 684	1884	svvosts.exe	19
PID 1884 wrote to memory of 684	1884	svvosts.exe	19
PID 1884 wrote to memory of 684	1884	svvosts.exe	19
PID 1884 wrote to memory of 684	1884	svvosts.exe	19
PID 684 wrote to memory of 1320	684	svvosts.exe	39
PID 684 wrote to memory of 1320	684	svvosts.exe	39
PID 684 wrote to memory of 1320	684	svvosts.exe	39
PID 684 wrote to memory of 1320	684	svvosts.exe	39
PID 1320 wrote to memory of 1636	1320	svvosts.exe	37
PID 1320 wrote to memory of 1636	1320	svvosts.exe	37
PID 1320 wrote to memory of 1636	1320	svvosts.exe	37
PID 1320 wrote to memory of 1636	1320	svvosts.exe	37

C:\Users\Admin\AppData\Local\Temp\16d21f6bd48d0425a8d1e4fd0059b45c.exe
"C:\Users\Admin\AppData\Local\Temp\16d21f6bd48d0425a8d1e4fd0059b45c.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2988
- C:\Windows\SysWOW64\svvosts.exe
  C:\Windows\system32\svvosts.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2188
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Windows\SysWOW64\$$a.bat
    3⤵
    PID:3280
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\$$a.bat
  2⤵
  PID:3200

C:\Windows\SysWOW64\svvosts.exe
C:\Windows\system32\svvosts.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2676
- C:\Windows\SysWOW64\svvosts.exe
  C:\Windows\system32\svvosts.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2892
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Windows\SysWOW64\$$a.bat
    3⤵
    PID:3592
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\SysWOW64\$$a.bat
  2⤵
  PID:3552

C:\Windows\SysWOW64\svvosts.exe
C:\Windows\system32\svvosts.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:684
- C:\Windows\SysWOW64\svvosts.exe
  C:\Windows\system32\svvosts.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1320

C:\Windows\SysWOW64\svvosts.exe
C:\Windows\system32\svvosts.exe
1⤵
PID:2372
- C:\Windows\SysWOW64\svvosts.exe
  C:\Windows\system32\svvosts.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2016

C:\Windows\SysWOW64\svvosts.exe
C:\Windows\system32\svvosts.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2264
- C:\Windows\SysWOW64\svvosts.exe
  C:\Windows\system32\svvosts.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2248
- - C:\Windows\SysWOW64\svvosts.exe
    C:\Windows\system32\svvosts.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2424
  - - C:\Windows\SysWOW64\svvosts.exe
      C:\Windows\system32\svvosts.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2344

C:\Windows\SysWOW64\svvosts.exe
C:\Windows\system32\svvosts.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2220

C:\Windows\SysWOW64\svvosts.exe
C:\Windows\system32\svvosts.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1824
- C:\Windows\SysWOW64\svvosts.exe
  C:\Windows\system32\svvosts.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  PID:1628
- - C:\Windows\SysWOW64\svvosts.exe
    C:\Windows\system32\svvosts.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2400
  - - C:\Windows\SysWOW64\svvosts.exe
      C:\Windows\system32\svvosts.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:640
    - - C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1500
      - C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        6⤵
        Executes dropped EXE
        
        PID:1516
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        7⤵
        Executes dropped EXE
        
        PID:1776
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        8⤵
        Executes dropped EXE
        
        PID:1812
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        9⤵
        Executes dropped EXE
        
        PID:1976
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        10⤵
        Executes dropped EXE
        
        PID:1836
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        11⤵
        Executes dropped EXE
        
        PID:1672
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        12⤵
        Executes dropped EXE
        
        PID:772
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        13⤵
        Executes dropped EXE
        
        PID:1604
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2352
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        15⤵
        Executes dropped EXE
        
        PID:2520
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        16⤵
        Executes dropped EXE
        
        PID:1148
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        17⤵
        Executes dropped EXE
        
        PID:628
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        18⤵
        Executes dropped EXE
        
        PID:448
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        19⤵
        Executes dropped EXE
        
        PID:2440
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2568
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        21⤵
        Executes dropped EXE
        
        PID:2712
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        22⤵
        Executes dropped EXE
        
        PID:1536
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        23⤵
        Executes dropped EXE
        
        PID:2416
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        24⤵
        Executes dropped EXE
        
        PID:1852
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        25⤵
        Executes dropped EXE
        
        PID:2316
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1084
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        27⤵
        Executes dropped EXE
        
        PID:1344
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        28⤵
        Executes dropped EXE
        
        PID:1016
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        29⤵
        Executes dropped EXE
        
        PID:788
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2168
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        31⤵
        Executes dropped EXE
        
        PID:300
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2860
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        33⤵
        Executes dropped EXE
        
        PID:2312
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        34⤵
        Executes dropped EXE
        
        PID:652
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        35⤵
        Executes dropped EXE
        
        PID:2660
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        36⤵
        Executes dropped EXE
        
        PID:2904
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        37⤵
        Executes dropped EXE
        
        PID:1944
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        38⤵
        Executes dropped EXE
        
        PID:1936
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        39⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        40⤵
        
        PID:328
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        41⤵
        Drops file in System32 directory
        
        PID:340
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        42⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        43⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        44⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        45⤵
        
        PID:1264
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        46⤵
        
        PID:1588
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        47⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        48⤵
        
        PID:1248
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        49⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        50⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        51⤵
        Drops file in System32 directory
        
        PID:3016
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        52⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        53⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        54⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        55⤵
        
        PID:2504
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        56⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        57⤵
        
        PID:2516
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        58⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        59⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        60⤵
        
        PID:896
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        61⤵
        
        PID:704
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        62⤵
        
        PID:860
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        63⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        64⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        65⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        66⤵
        
        PID:1200
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        67⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        68⤵
        
        PID:844
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        69⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        70⤵
        
        PID:2896
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        71⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        72⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        73⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        74⤵
        
        PID:2840
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        75⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        76⤵
        
        PID:592
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        77⤵
        
        PID:1444
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        78⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        79⤵
        Drops file in System32 directory
        
        PID:1804
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        80⤵
        
        PID:984
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        81⤵
        Drops file in System32 directory
        
        PID:2044
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        82⤵
        
        PID:1788
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        83⤵
        
        PID:964
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        84⤵
        Drops file in System32 directory
        
        PID:1348
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        85⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        86⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        87⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        88⤵
        
        PID:1196
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        89⤵
        
        PID:1764
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        90⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        91⤵
        Drops file in System32 directory
        
        PID:3068
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        92⤵
        Drops file in System32 directory
        
        PID:952
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        93⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        94⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        95⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        96⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        97⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        98⤵
        
        PID:476
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        99⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        100⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        101⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        102⤵
        Drops file in System32 directory
        
        PID:2884
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        103⤵
        
        PID:852
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        104⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        105⤵
        Drops file in System32 directory
        
        PID:1624
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        106⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        107⤵
        
        PID:112
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        108⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        109⤵
        Drops file in System32 directory
        
        PID:1540
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        110⤵
        
        PID:768
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        111⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        112⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        113⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        114⤵
        
        PID:332
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        115⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        116⤵
        
        PID:276
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        117⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        118⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        119⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        120⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        121⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        122⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        123⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        124⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        125⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        126⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        127⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        128⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        129⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        130⤵
        Drops file in System32 directory
        
        PID:2396
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        131⤵
        
        PID:1880
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        132⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        133⤵
        
        PID:2576
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        134⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        135⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        136⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        137⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        138⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        139⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        140⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        141⤵
        Drops file in System32 directory
        
        PID:1060
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        142⤵
        
        PID:1340
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        143⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        144⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        145⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        146⤵
        
        PID:948
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        147⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        148⤵
        Drops file in System32 directory
        
        PID:604
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        149⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        150⤵
        Drops file in System32 directory
        
        PID:2724
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        151⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        152⤵
        Drops file in System32 directory
        
        PID:1512
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        153⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        154⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        155⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        156⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        157⤵
        Drops file in System32 directory
        
        PID:2480
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        158⤵
        Drops file in System32 directory
        
        PID:2964
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        159⤵
        Drops file in System32 directory
        
        PID:600
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        160⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        161⤵
        
        PID:1112
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        162⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        163⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        164⤵
        
        PID:3080
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        165⤵
        
        PID:3088
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        166⤵
        
        PID:3100
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        167⤵
        
        PID:3108
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        168⤵
        
        PID:3116
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        169⤵
        
        PID:3124
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        170⤵
        
        PID:3132
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        171⤵
        
        PID:3140
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        172⤵
        
        PID:3160
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        173⤵
        
        PID:3228
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        174⤵
        
        PID:3112
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        173⤵
        
        PID:4832
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        172⤵
        
        PID:4940
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        171⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        170⤵
        
        PID:3076
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        169⤵
        
        PID:4736
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        168⤵
        
        PID:4424
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        167⤵
        
        PID:5044
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        166⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        165⤵
        
        PID:948
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        164⤵
        
        PID:4284
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        163⤵
        
        PID:4888
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        162⤵
        
        PID:4652
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        161⤵
        Drops file in System32 directory
        
        PID:2868
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        160⤵
        
        PID:4300
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        159⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        158⤵
        
        PID:4892
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        157⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        156⤵
        
        PID:4568
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        155⤵
        
        PID:4532
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        154⤵
        
        PID:4360
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        153⤵
        
        PID:5004
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        152⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        151⤵
        
        PID:4844
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        150⤵
        
        PID:4712
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        149⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        148⤵
        
        PID:4524
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        147⤵
        
        PID:4408
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        146⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        145⤵
        Drops file in System32 directory
        
        PID:1596
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        144⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        143⤵
        
        PID:4792
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        142⤵
        
        PID:4728
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        141⤵
        
        PID:4664
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        140⤵
        
        PID:4596
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        139⤵
        
        PID:4496
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        138⤵
        
        PID:240
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        137⤵
        
        PID:4316
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        136⤵
        
        PID:4244
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        135⤵
        
        PID:1888
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        134⤵
        
        PID:4156
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        133⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        132⤵
        
        PID:5112
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        131⤵
        
        PID:5060
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        130⤵
        
        PID:5012
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        129⤵
        
        PID:4952
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        128⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        127⤵
        
        PID:4860
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        125⤵
        
        PID:4804
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        124⤵
        
        PID:4740
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        123⤵
        
        PID:4672
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        122⤵
        
        PID:4608
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        121⤵
        
        PID:4544
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        120⤵
        
        PID:4500
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        119⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        117⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        116⤵
        
        PID:4304
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        115⤵
        
        PID:4232
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        114⤵
        
        PID:4216
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        113⤵
        
        PID:4136
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        112⤵
        
        PID:4100
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        111⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2540
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        110⤵
        
        PID:1212
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        107⤵
        
        PID:1196

C:\Windows\SysWOW64\svvosts.exe
C:\Windows\system32\svvosts.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2364

C:\Windows\SysWOW64\svvosts.exe
C:\Windows\system32\svvosts.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1876

C:\Windows\SysWOW64\svvosts.exe
C:\Windows\system32\svvosts.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1488

C:\Windows\SysWOW64\svvosts.exe
C:\Windows\system32\svvosts.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1636

C:\Windows\SysWOW64\svvosts.exe
C:\Windows\system32\svvosts.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1884

C:\Windows\SysWOW64\svvosts.exe
C:\Windows\system32\svvosts.exe
1⤵
PID:2960

C:\Windows\SysWOW64\svvosts.exe
C:\Windows\system32\svvosts.exe
1⤵
PID:2540

C:\Windows\SysWOW64\svvosts.exe
C:\Windows\system32\svvosts.exe
1⤵
PID:2468
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\SysWOW64\$$a.bat
  2⤵
  PID:3812

C:\Windows\SysWOW64\svvosts.exe
C:\Windows\system32\svvosts.exe
1⤵
PID:2844

C:\Windows\SysWOW64\svvosts.exe
C:\Windows\system32\svvosts.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2780
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\SysWOW64\$$a.bat
  2⤵
  PID:3688

C:\Windows\SysWOW64\svvosts.exe
C:\Windows\system32\svvosts.exe
1⤵
PID:2572
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\SysWOW64\$$a.bat
  2⤵
  PID:3640

C:\Windows\SysWOW64\svvosts.exe
C:\Windows\system32\svvosts.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3028
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\SysWOW64\$$a.bat
  2⤵
  PID:3492

C:\Windows\SysWOW64\svvosts.exe
C:\Windows\system32\svvosts.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2832
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\SysWOW64\$$a.bat
  2⤵
  PID:3416

C:\Windows\SysWOW64\svvosts.exe
C:\Windows\system32\svvosts.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2548
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\SysWOW64\$$a.bat
  2⤵
  PID:3324

C:\Windows\SysWOW64\svvosts.exe
C:\Windows\system32\svvosts.exe
1⤵
PID:3336
- C:\Windows\SysWOW64\svvosts.exe
  C:\Windows\system32\svvosts.exe
  2⤵
  PID:3428
- - C:\Windows\SysWOW64\svvosts.exe
    C:\Windows\system32\svvosts.exe
    3⤵
    - Drops file in System32 directory
    PID:3504
  - - C:\Windows\SysWOW64\svvosts.exe
      C:\Windows\system32\svvosts.exe
      4⤵
      PID:3604
    - - C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        5⤵
        
        PID:3652
      - C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        6⤵
        
        PID:3700
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        7⤵
        
        PID:3764
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        8⤵
        
        PID:3824
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        9⤵
        
        PID:3844
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        10⤵
        
        PID:3852
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        11⤵
        
        PID:3872
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        12⤵
        
        PID:3880
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        13⤵
        
        PID:3892
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        14⤵
        
        PID:3904
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        15⤵
        
        PID:3916
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        16⤵
        
        PID:3924
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        17⤵
        
        PID:3936
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        18⤵
        
        PID:3952
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        19⤵
        
        PID:3960
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        20⤵
        
        PID:3972
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        21⤵
        
        PID:3988
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        22⤵
        Drops file in System32 directory
        
        PID:3996
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        23⤵
        
        PID:4008
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        24⤵
        
        PID:4016
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        25⤵
        
        PID:4024
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        26⤵
        
        PID:4032
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        27⤵
        
        PID:4040
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        28⤵
        
        PID:4048
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        29⤵
        Drops file in System32 directory
        
        PID:4056
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        30⤵
        
        PID:4064
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        31⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        32⤵
        
        PID:4084
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        33⤵
        
        PID:4092
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        34⤵
        
        PID:280
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        35⤵
        
        PID:3152
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        36⤵
        
        PID:3156
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        37⤵
        
        PID:3168
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        38⤵
        
        PID:3180
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        39⤵
        
        PID:3196
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        40⤵
        
        PID:2996
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        41⤵
        
        PID:3216
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        42⤵
        
        PID:3220
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        43⤵
        
        PID:3212
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        44⤵
        Deletes itself
        
        PID:3200
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        45⤵
        
        PID:3240
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        46⤵
        
        PID:3264
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        47⤵
        
        PID:3276
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        48⤵
        Drops file in System32 directory
        
        PID:2188
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        49⤵
        
        PID:3288
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        50⤵
        Drops file in System32 directory
        
        PID:3332
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        51⤵
        
        PID:2548
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        52⤵
        
        PID:3348
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        53⤵
        
        PID:3296
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        54⤵
        
        PID:3308
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        55⤵
        
        PID:3316
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        56⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        57⤵
        
        PID:3424
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        58⤵
        
        PID:3388
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        59⤵
        
        PID:3396
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        60⤵
        
        PID:3404
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        61⤵
        
        PID:3412
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        62⤵
        
        PID:3456
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        63⤵
        Drops file in System32 directory
        
        PID:3476
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        64⤵
        
        PID:3484
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        65⤵
        
        PID:3460
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        66⤵
        Drops file in System32 directory
        
        PID:2608
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        67⤵
        
        PID:3500
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        68⤵
        
        PID:3524
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        69⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        70⤵
        
        PID:3532
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        71⤵
        
        PID:3540
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        72⤵
        
        PID:3548
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        73⤵
        
        PID:3568
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        74⤵
        
        PID:3576
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        75⤵
        
        PID:3588
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        76⤵
        
        PID:3600
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        77⤵
        
        PID:3616
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        78⤵
        
        PID:3628
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        79⤵
        Drops file in System32 directory
        
        PID:3636
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        80⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2572
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        81⤵
        
        PID:3660
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        82⤵
        
        PID:3668
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        83⤵
        
        PID:3676
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        84⤵
        
        PID:3684
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        85⤵
        
        PID:3720
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        86⤵
        
        PID:3744
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        87⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2844
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        88⤵
        
        PID:3788
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        89⤵
        Drops file in System32 directory
        
        PID:3804
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        90⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2468
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        91⤵
        
        PID:3820
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        92⤵
        
        PID:3244
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        93⤵
        
        PID:3912
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        94⤵
        
        PID:3948
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        95⤵
        
        PID:3728
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        96⤵
        
        PID:3640
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        97⤵
        
        PID:3968
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        98⤵
        
        PID:3980
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        99⤵
        Drops file in System32 directory
        
        PID:4072
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        100⤵
        
        PID:3724
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        101⤵
        
        PID:3260
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        102⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2372
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        103⤵
        
        PID:3376
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        104⤵
        
        PID:3324
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        105⤵
        
        PID:3344
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        106⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        107⤵
        
        PID:3692
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        108⤵
        
        PID:3256
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        109⤵
        Drops file in System32 directory
        
        PID:3364
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        110⤵
        Drops file in System32 directory
        
        PID:3372
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        111⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2960
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        112⤵
        Drops file in System32 directory
        
        PID:3528
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        113⤵
        Drops file in System32 directory
        
        PID:940
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        114⤵
        
        PID:3696
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        115⤵
        
        PID:3760
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        116⤵
        
        PID:3712
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        117⤵
        
        PID:3592
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        118⤵
        
        PID:3552
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        119⤵
        Drops file in System32 directory
        
        PID:3868
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        120⤵
        
        PID:3860
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        121⤵
        
        PID:3748
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        122⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        123⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        124⤵
        Drops file in System32 directory
        
        PID:3048
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        125⤵
        
        PID:4144
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        126⤵
        
        PID:4168
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        127⤵
        
        PID:4248
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        128⤵
        
        PID:4320
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        129⤵
        
        PID:4384
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        130⤵
        
        PID:4436
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        131⤵
        
        PID:4468
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        132⤵
        
        PID:4552
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        133⤵
        
        PID:4616
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        134⤵
        
        PID:4684
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        135⤵
        
        PID:4748
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        136⤵
        
        PID:4812
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        137⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        138⤵
        
        PID:4916
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        139⤵
        
        PID:5020
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        140⤵
        Drops file in System32 directory
        
        PID:5072
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        141⤵
        
        PID:3840
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        142⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        143⤵
        
        PID:4188
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        144⤵
        
        PID:1228
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        145⤵
        
        PID:912
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        146⤵
        
        PID:7040
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        145⤵
        Drops file in System32 directory
        
        PID:3712
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        144⤵
        
        PID:4616
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        143⤵
        
        PID:6708
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        142⤵
        
        PID:6656
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        141⤵
        
        PID:4388
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        140⤵
        
        PID:3696
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        139⤵
        
        PID:6232
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        138⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        137⤵
        
        PID:3256
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        136⤵
        
        PID:6980
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        135⤵
        
        PID:2160
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        134⤵
        
        PID:6832
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        133⤵
        
        PID:3192
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        132⤵
        
        PID:3596
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        131⤵
        
        PID:6564
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        130⤵
        
        PID:4004
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        129⤵
        
        PID:6384
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        128⤵
        
        PID:1016
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        127⤵
        
        PID:3820
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        126⤵
        
        PID:7152
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        125⤵
        
        PID:7084
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        124⤵
        
        PID:6972
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        123⤵
        
        PID:6932
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        122⤵
        
        PID:3360
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        121⤵
        
        PID:6780
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        120⤵
        
        PID:6716
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        119⤵
        
        PID:3716
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        118⤵
        
        PID:6568
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        117⤵
        
        PID:6504
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        116⤵
        
        PID:3944
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        115⤵
        
        PID:6352
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        114⤵
        
        PID:6292
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        113⤵
        
        PID:6264
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        112⤵
        
        PID:6184
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        111⤵
        
        PID:7156
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        110⤵
        
        PID:7104
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        109⤵
        
        PID:7052
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        108⤵
        
        PID:7000
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        107⤵
        
        PID:6948
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        106⤵
        
        PID:6896
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        105⤵
        
        PID:6840
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        104⤵
        
        PID:6788
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        103⤵
        
        PID:6736
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        102⤵
        
        PID:6684
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        101⤵
        
        PID:6632
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        100⤵
        
        PID:6580
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        99⤵
        
        PID:6528
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        98⤵
        
        PID:6476
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        97⤵
        
        PID:6412
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        96⤵
        
        PID:6356
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        95⤵
        
        PID:6304
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        94⤵
        
        PID:6252
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        93⤵
        
        PID:6200
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        92⤵
        
        PID:6148
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        91⤵
        
        PID:3808
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        90⤵
        
        PID:3500
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        89⤵
        
        PID:3828
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        88⤵
        
        PID:3720
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        87⤵
        
        PID:3664
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        86⤵
        
        PID:3532
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        85⤵
        
        PID:3660
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        84⤵
        
        PID:3308
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        83⤵
        
        PID:3516
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        82⤵
        
        PID:3616
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        81⤵
        
        PID:3320
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        80⤵
        
        PID:5608
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        79⤵
        
        PID:5156
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        78⤵
        Drops file in System32 directory
        
        PID:3548
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        77⤵
        
        PID:6020
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        76⤵
        
        PID:5544
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        75⤵
        
        PID:3184
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        74⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        73⤵
        
        PID:3252
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        72⤵
        
        PID:3212
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        71⤵
        
        PID:3472
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        70⤵
        
        PID:3292
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        69⤵
        
        PID:3404
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        68⤵
        
        PID:5308
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        67⤵
        
        PID:6064
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        66⤵
        
        PID:5464
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        65⤵
        
        PID:3316
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        64⤵
        
        PID:5988
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        63⤵
        
        PID:3348
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        62⤵
        
        PID:3844
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        61⤵
        
        PID:3180
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        60⤵
        
        PID:3176
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        59⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        58⤵
        Drops file in System32 directory
        
        PID:4092
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        57⤵
        
        PID:1324
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        56⤵
        
        PID:3908
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        55⤵
        
        PID:5740
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        54⤵
        
        PID:4052
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        53⤵
        
        PID:3224
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        52⤵
        
        PID:2988
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        51⤵
        
        PID:5416
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        50⤵
        
        PID:4012
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        49⤵
        Drops file in System32 directory
        
        PID:3156
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        48⤵
        
        PID:3964
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        47⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        46⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        45⤵
        
        PID:3916
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        44⤵
        
        PID:5784
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        43⤵
        
        PID:5684
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        42⤵
        
        PID:5600
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        41⤵
        
        PID:4036
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        40⤵
        
        PID:5396
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        39⤵
        
        PID:5320
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        38⤵
        
        PID:5228
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        37⤵
        
        PID:3992
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        36⤵
        
        PID:6108
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        35⤵
        
        PID:6032
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        34⤵
        
        PID:5980
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        33⤵
        
        PID:5900
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        32⤵
        
        PID:5868
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        31⤵
        
        PID:3896
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        30⤵
        
        PID:5680
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        29⤵
        
        PID:5624
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        28⤵
        
        PID:5244
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        27⤵
        
        PID:3824
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        26⤵
        
        PID:5400
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        25⤵
        
        PID:5328
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        24⤵
        
        PID:5280
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        23⤵
        
        PID:5200
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        22⤵
        
        PID:3428
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        21⤵
        
        PID:6128
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        20⤵
        
        PID:6072
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        19⤵
        
        PID:6020
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        18⤵
        
        PID:5968
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        17⤵
        
        PID:5908
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        16⤵
        
        PID:5856
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        15⤵
        
        PID:5804
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        14⤵
        
        PID:5752
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        13⤵
        
        PID:5700
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        12⤵
        
        PID:5644
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        11⤵
        
        PID:5588
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        10⤵
        
        PID:5524
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        9⤵
        
        PID:5468
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        8⤵
        
        PID:5408
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        7⤵
        
        PID:5352
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        6⤵
        
        PID:5296
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        5⤵
        
        PID:5236
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\Windows\SysWOW64\$$a.bat
      4⤵
      PID:5180
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Windows\SysWOW64\$$a.bat
    3⤵
    PID:5124
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\SysWOW64\$$a.bat
  2⤵
  PID:3124

C:\Windows\SysWOW64\svvosts.exe
C:\Windows\system32\svvosts.exe
1⤵
PID:276
- C:\Windows\SysWOW64\svvosts.exe
  C:\Windows\system32\svvosts.exe
  2⤵
  PID:2240
- - C:\Windows\SysWOW64\svvosts.exe
    C:\Windows\system32\svvosts.exe
    3⤵
    PID:4604
  - - C:\Windows\SysWOW64\svvosts.exe
      C:\Windows\system32\svvosts.exe
      4⤵
      PID:4656
    - - C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        5⤵
        
        PID:4720
      - C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        6⤵
        
        PID:4800
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        7⤵
        
        PID:4856
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        8⤵
        
        PID:4764
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        9⤵
        
        PID:4476
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        10⤵
        
        PID:1904
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        11⤵
        
        PID:4280
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        12⤵
        Drops file in System32 directory
        
        PID:3140
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        13⤵
        
        PID:5552
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        14⤵
        
        PID:5932
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        15⤵
        Drops file in System32 directory
        
        PID:3700
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        16⤵
        
        PID:3972
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        17⤵
        Drops file in System32 directory
        
        PID:6004
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        18⤵
        
        PID:3432
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        19⤵
        
        PID:5976
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        20⤵
        
        PID:3484
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        21⤵
        
        PID:6440
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        22⤵
        
        PID:6180
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        23⤵
        
        PID:6276
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        24⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        25⤵
        
        PID:4684
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        26⤵
        
        PID:4192
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        27⤵
        
        PID:4656
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        28⤵
        
        PID:5020
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        29⤵
        
        PID:6592
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        30⤵
        Drops file in System32 directory
        
        PID:2928
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        31⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        32⤵
        
        PID:5828
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        33⤵
        Drops file in System32 directory
        
        PID:5376
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        34⤵
        
        PID:1360
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        35⤵
        
        PID:3864
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        36⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        37⤵
        
        PID:5424
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        38⤵
        
        PID:7288
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        32⤵
        
        PID:7324
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        31⤵
        
        PID:7252
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        30⤵
        
        PID:7184
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        29⤵
        
        PID:6444
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        28⤵
        
        PID:3972
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        27⤵
        
        PID:3708
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        26⤵
        
        PID:6180
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        25⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        24⤵
        
        PID:5976
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        23⤵
        
        PID:3484
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        22⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        21⤵
        
        PID:276
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        20⤵
        
        PID:2436
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        19⤵
        
        PID:936
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        18⤵
        
        PID:5556
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        17⤵
        
        PID:332
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        16⤵
        
        PID:4468
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        15⤵
        
        PID:4584
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        14⤵
        
        PID:6160
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        13⤵
        
        PID:4856
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        12⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        11⤵
        
        PID:3860
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        10⤵
        
        PID:4920
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        9⤵
        
        PID:4812
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        8⤵
        
        PID:1228
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        7⤵
        Drops file in System32 directory
        
        PID:4188
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        6⤵
        
        PID:6768
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$a.bat
        5⤵
        
        PID:3592
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\Windows\SysWOW64\$$a.bat
      4⤵
      PID:6452
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Windows\SysWOW64\$$a.bat
    3⤵
    PID:4916
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\SysWOW64\$$a.bat
  2⤵
  PID:3304

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "14204767951860694336-2898361841003051439-2591517101129109193-443695694-1489919570"
1⤵
PID:1752

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "78518496115612155492127018137-117227358-58500815600949961134606807350525146"
1⤵
PID:2692

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1456321529-1156224310-187366918-209233394598852062583394636-6505746811805329652"
1⤵
- Drops file in System32 directory
PID:2236

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "7381817923672054566631668458416321611093665455-83550762-2076782712-1156263664"
1⤵
PID:2024

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-17334820871276623947256263884-1914612156914434291197459629-31303630-2087630793"
1⤵
- Drops file in System32 directory
PID:2348

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-675869557-76416929-334559561198918199-1692335909-11202265232125006519-1399185581"
1⤵
PID:768

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1029504618820073482-1015408390-1102971648957528490-14688594511124105636-1439400923"
1⤵
PID:2744

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1955903882-1401044925806994543-356020242526988356-8484318171739379169-1055864528"
1⤵
- Drops file in System32 directory
PID:1112

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-325023061-6297089972084782951824315850-838939214-937532955897777312456267833"
1⤵
PID:3088

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1347880069-989830921-166905014222463117866024569618084321612065446667-530963851"
1⤵
PID:3116

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-4448146876500888636724824102133047339736576421-19146827129921374642022586386"
1⤵
PID:3764

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "464441576-1687645082144287151-779884221-19825110-500403180-117536728-1824088069"
1⤵
PID:3936

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1404031508-10693576081440143801663754949-9490586129252635361706131707-432900260"
1⤵
PID:3852

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1047775542-815503322-144972887816249172761387573983-868975998-1840949975114820898"
1⤵
PID:3924

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1897956664-12269596271845156879928656443-2133853453-934589901-102417264-776572485"
1⤵
PID:3872

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2025418001-19622194221184008485692496858-369020800-2098441159-528843883-972058303"
1⤵
PID:3264

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1888514349-1477856959336798681-17453112421753718415271422853-1066789528-1902189280"
1⤵
PID:3396

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "428736646-22139423918313394971320884278-1585690726-1718495709168457683585577967"
1⤵
PID:3388

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2049630762122419214246872385-1802225675-2102615384-1716021072-8958769341642072879"
1⤵
PID:3600

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "583160240-720454756-1443811114-9540800601502737548-2079424017-334694109267233319"
1⤵
PID:3424

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-20899711401597688190-1958597995177990060-918624757-63781884518057561711953783623"
1⤵
PID:3524

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-5861659671665161944135107266-1509880786-1380336007774139685-609604897-876305092"
1⤵
PID:3684

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1172522896-426329026-793807974-152973603316509163555534937431343724791-634924021"
1⤵
- Drops file in System32 directory
PID:3744

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "7576717241460170110341563783-1820547642-1187603928326860360-1405705923-1799168145"
1⤵
PID:3668

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "270973902480267689-2087688316-1828734594-938610151-934316166-2075332724-802438483"
1⤵
PID:3912

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "5736247899758139107520749-87718180-2071012784-1725068430-657603014-1807824540"
1⤵
PID:3688

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-105586365912973379781722508581-1370271812590823215-1855110913-1010054679-1484735154"
1⤵
PID:4144

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2035247341719832680-1539725331263250251-9278664401363502740-454709214-984220370"
1⤵
PID:3244

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "756461397160095369511826647261717997689-1118992289-2024644074695940127434548280"
1⤵
- Drops file in System32 directory
PID:2952

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2102548368-19606175181320130159-2063028355-2024344809536739703-322178855-16161771"
1⤵
PID:4248

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-140426304-70341005316338989933413870-1972285398-1620961715456625570566128095"
1⤵
PID:3760

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1345693449209506357414440652631618895496448442881291279107-19501787171862087759"
1⤵
PID:4436

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "9631465111756483261558926977204554830619186959811084424648-2140492193581191152"
1⤵
PID:2760

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "581087471-1886311071213184011553731778-17795590954835226351232588991053261893"
1⤵
PID:4720

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\$$a.bat

Filesize
230B

MD5
8caae81177c4398ce83a388cfa017e70

SHA1
e2da3f80c67a3d8a3de9b7141982ba6f9a60d132

SHA256
ef534fd7eb08c1402686bc1782b66596adb5b1b48d9f3069eab2893e427b2d0a

SHA512
52259a37812ff5a29c4865a49825473e29a1e4b3e237e42fdb5bf5cddc5c5c4e2c5a50b9eaf0dbfd58c5b532a65dd96cf291fdf583393fd7cad8ae36eaec9c68

Download Submit
C:\Windows\SysWOW64\$$a.bat

Filesize
138B

MD5
24e2508adf76e03df7c0b8b02b14e306

SHA1
a806407abfaab6abf558f5fedcef1de7ed32440a

SHA256
d70726fcf7788a8b4b1c63f4ec32cb4fe6041bffbe5f6b00a394829918494e3a

SHA512
5e7619105c26e575e854737126d6f22d8bbda0e0126c1531983b29fe2770e51b6ddb781de0a3bd97dd784c1360526975d2c91888e026126f5a2c8d0e0ff650cd

Download Submit
C:\Windows\SysWOW64\svvosts.exe

Filesize
38KB

MD5
16d21f6bd48d0425a8d1e4fd0059b45c

SHA1
7cd44841eddb746946ba301613025dc092b2159d

SHA256
545c25bdd6d1a9cb3974974104bde506601c1e5738983869411897b91e6c0a24

SHA512
e48e126cde844e017d4e461b916207ba0fcb29c8d38b2cc2ae14349e741ee328f6c3c957abfac0369ff675a44a8f80e6778f627711079f79610535ce9b7a5ab9

Download Submit
memory/684-104-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1320-116-0x0000000000220000-0x0000000000245000-memory.dmp

Filesize
148KB

Download
memory/1320-110-0x0000000000220000-0x0000000000320000-memory.dmp

Filesize
1024KB

Download
memory/1320-109-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1488-119-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1636-117-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1876-121-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1876-105-0x00000000002B0000-0x00000000002D5000-memory.dmp

Filesize
148KB

Download
memory/1884-98-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1884-100-0x0000000000320000-0x0000000000345000-memory.dmp

Filesize
148KB

Download
memory/1884-78-0x0000000000320000-0x0000000000345000-memory.dmp

Filesize
148KB

Download
memory/1884-80-0x0000000000320000-0x0000000000345000-memory.dmp

Filesize
148KB

Download
memory/2016-125-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2016-112-0x0000000000220000-0x000000000022A000-memory.dmp

Filesize
40KB

Download
memory/2016-115-0x0000000000220000-0x0000000000245000-memory.dmp

Filesize
148KB

Download
memory/2016-126-0x0000000000220000-0x000000000022A000-memory.dmp

Filesize
40KB

Download
memory/2016-132-0x0000000000220000-0x0000000000245000-memory.dmp

Filesize
148KB

Download
memory/2188-41-0x0000000000220000-0x000000000022A000-memory.dmp

Filesize
40KB

Download
memory/2188-38-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2188-14-0x0000000000220000-0x000000000022A000-memory.dmp

Filesize
40KB

Download
memory/2188-17-0x0000000000530000-0x0000000000555000-memory.dmp

Filesize
148KB

Download
memory/2220-130-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2248-120-0x0000000000220000-0x0000000000320000-memory.dmp

Filesize
1024KB

Download
memory/2264-118-0x00000000001B0000-0x00000000001D5000-memory.dmp

Filesize
148KB

Download
memory/2344-129-0x0000000000220000-0x0000000000245000-memory.dmp

Filesize
148KB

Download
memory/2344-127-0x0000000000220000-0x0000000000320000-memory.dmp

Filesize
1024KB

Download
memory/2344-128-0x0000000000220000-0x0000000000245000-memory.dmp

Filesize
148KB

Download
memory/2364-131-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2372-124-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2424-122-0x0000000000220000-0x0000000000320000-memory.dmp

Filesize
1024KB

Download
memory/2424-123-0x00000000002B0000-0x00000000002D5000-memory.dmp

Filesize
148KB

Download
memory/2468-86-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2468-61-0x0000000000220000-0x0000000000245000-memory.dmp

Filesize
148KB

Download
memory/2540-89-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2540-91-0x0000000000220000-0x000000000022A000-memory.dmp

Filesize
40KB

Download
memory/2548-21-0x0000000000220000-0x0000000000320000-memory.dmp

Filesize
1024KB

Download
memory/2548-42-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2572-70-0x0000000000220000-0x0000000000245000-memory.dmp

Filesize
148KB

Download
memory/2572-47-0x0000000000220000-0x0000000000245000-memory.dmp

Filesize
148KB

Download
memory/2572-64-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2676-56-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2780-52-0x0000000000220000-0x000000000022A000-memory.dmp

Filesize
40KB

Download
memory/2780-74-0x0000000000220000-0x000000000022A000-memory.dmp

Filesize
40KB

Download
memory/2780-72-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2832-46-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2844-81-0x0000000000220000-0x000000000022A000-memory.dmp

Filesize
40KB

Download
memory/2844-75-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2892-63-0x0000000000220000-0x000000000022A000-memory.dmp

Filesize
40KB

Download
memory/2892-35-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2892-40-0x00000000001B0000-0x00000000001D5000-memory.dmp

Filesize
148KB

Download
memory/2892-58-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2960-96-0x0000000000220000-0x000000000022A000-memory.dmp

Filesize
40KB

Download
memory/2960-94-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2960-73-0x00000000001B0000-0x00000000001D5000-memory.dmp

Filesize
148KB

Download
memory/2988-30-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2988-0-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2988-4-0x00000000003A0000-0x00000000003C5000-memory.dmp

Filesize
148KB

Download
memory/2988-1-0x0000000000220000-0x000000000022A000-memory.dmp

Filesize
40KB

Download
memory/2988-33-0x0000000000220000-0x000000000022A000-memory.dmp

Filesize
40KB

Download
memory/2988-11-0x00000000003A0000-0x00000000003C5000-memory.dmp

Filesize
148KB

Download
memory/3028-51-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/3028-53-0x0000000000220000-0x000000000022A000-memory.dmp

Filesize
40KB

Download
memory/3028-26-0x0000000000220000-0x000000000022A000-memory.dmp

Filesize
40KB

Download
memory/3028-25-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download