modiloader | 545c25bdd6d1a9cb3974974104bde506601c1e5738983869411897b91e6c0a24

Analysis

max time kernel
103s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30/12/2023, 11:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

16d21f6bd48d0425a8d1e4fd0059b45c.exe
Size

38KB
MD5

16d21f6bd48d0425a8d1e4fd0059b45c
SHA1

7cd44841eddb746946ba301613025dc092b2159d
SHA256

545c25bdd6d1a9cb3974974104bde506601c1e5738983869411897b91e6c0a24
SHA512

e48e126cde844e017d4e461b916207ba0fcb29c8d38b2cc2ae14349e741ee328f6c3c957abfac0369ff675a44a8f80e6778f627711079f79610535ce9b7a5ab9
SSDEEP

768:IkFZ0VdXeMaWDoOEN58MVkSJS0S0JEzuXCZWM+N1:IkUDXeM3pMTdS0GzuXAWM+N1

Score

10^/10

modiloader trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 30 IoCs

resource	yara_rule
behavioral2/memory/4988-13-0x0000000000400000-0x0000000000425000-memory.dmp	modiloader_stage2
behavioral2/memory/2032-17-0x0000000000400000-0x0000000000425000-memory.dmp	modiloader_stage2
behavioral2/memory/4664-19-0x0000000000400000-0x0000000000425000-memory.dmp	modiloader_stage2
behavioral2/memory/440-21-0x0000000000400000-0x0000000000425000-memory.dmp	modiloader_stage2
behavioral2/memory/4852-24-0x0000000000400000-0x0000000000425000-memory.dmp	modiloader_stage2
behavioral2/memory/1524-27-0x0000000000400000-0x0000000000425000-memory.dmp	modiloader_stage2
behavioral2/memory/2584-29-0x0000000000400000-0x0000000000425000-memory.dmp	modiloader_stage2
behavioral2/memory/4928-32-0x0000000000400000-0x0000000000425000-memory.dmp	modiloader_stage2
behavioral2/memory/972-35-0x0000000000400000-0x0000000000425000-memory.dmp	modiloader_stage2
behavioral2/memory/4632-37-0x0000000000400000-0x0000000000425000-memory.dmp	modiloader_stage2
behavioral2/memory/1360-41-0x0000000000400000-0x0000000000425000-memory.dmp	modiloader_stage2
behavioral2/memory/3588-43-0x0000000000400000-0x0000000000425000-memory.dmp	modiloader_stage2
behavioral2/memory/5048-45-0x0000000000400000-0x0000000000425000-memory.dmp	modiloader_stage2
behavioral2/memory/3096-48-0x0000000000400000-0x0000000000425000-memory.dmp	modiloader_stage2
behavioral2/memory/2464-51-0x0000000000400000-0x0000000000425000-memory.dmp	modiloader_stage2
behavioral2/memory/4088-52-0x0000000002030000-0x0000000002130000-memory.dmp	modiloader_stage2
behavioral2/memory/2740-56-0x0000000000400000-0x0000000000425000-memory.dmp	modiloader_stage2
behavioral2/memory/4504-54-0x0000000000400000-0x0000000000425000-memory.dmp	modiloader_stage2
behavioral2/memory/2044-60-0x0000000000400000-0x0000000000425000-memory.dmp	modiloader_stage2
behavioral2/memory/1632-63-0x0000000002030000-0x0000000002130000-memory.dmp	modiloader_stage2
behavioral2/memory/3700-61-0x0000000000400000-0x0000000000425000-memory.dmp	modiloader_stage2
behavioral2/memory/4088-67-0x0000000000400000-0x0000000000425000-memory.dmp	modiloader_stage2
behavioral2/memory/4388-71-0x0000000000400000-0x0000000000425000-memory.dmp	modiloader_stage2
behavioral2/memory/2280-75-0x0000000000400000-0x0000000000425000-memory.dmp	modiloader_stage2
behavioral2/memory/1632-79-0x0000000000400000-0x0000000000425000-memory.dmp	modiloader_stage2
behavioral2/memory/3228-81-0x0000000000400000-0x0000000000425000-memory.dmp	modiloader_stage2
behavioral2/memory/2964-85-0x0000000000400000-0x0000000000425000-memory.dmp	modiloader_stage2
behavioral2/memory/1172-89-0x0000000000400000-0x0000000000425000-memory.dmp	modiloader_stage2
behavioral2/memory/5084-93-0x0000000000400000-0x0000000000425000-memory.dmp	modiloader_stage2
behavioral2/memory/368-96-0x0000000000400000-0x0000000000425000-memory.dmp	modiloader_stage2

Executes dropped EXE 64 IoCs

pid	Process
2032	svvosts.exe
4664	svvosts.exe
440	svvosts.exe
4852	svvosts.exe
1524	svvosts.exe
2584	svvosts.exe
4928	svvosts.exe
972	svvosts.exe
4632	svvosts.exe
1360	svvosts.exe
3588	svvosts.exe
5048	svvosts.exe
3096	svvosts.exe
2464	svvosts.exe
4504	svvosts.exe
2740	svvosts.exe
2044	svvosts.exe
3700	svvosts.exe
4088	svvosts.exe
4388	svvosts.exe
2280	svvosts.exe
1632	svvosts.exe
3228	svvosts.exe
2964	svvosts.exe
1172	svvosts.exe
5084	svvosts.exe
368	svvosts.exe
4280	svvosts.exe
5032	svvosts.exe
1864	svvosts.exe
844	svvosts.exe
4764	svvosts.exe
4924	svvosts.exe
208	svvosts.exe
4292	svvosts.exe
2024	svvosts.exe
2120	svvosts.exe
3748	svvosts.exe
4980	svvosts.exe
1496	svvosts.exe
4740	svvosts.exe
1792	svvosts.exe
1536	svvosts.exe
4312	svvosts.exe
1736	svvosts.exe
4788	svvosts.exe
1532	svvosts.exe
3088	svvosts.exe
944	svvosts.exe
2020	svvosts.exe
4288	svvosts.exe
4344	svvosts.exe
4264	svvosts.exe
5076	svvosts.exe
5116	svvosts.exe
1348	svvosts.exe
4540	svvosts.exe
1156	svvosts.exe
3944	svvosts.exe
3300	svvosts.exe
4784	svvosts.exe
3172	svvosts.exe
3528	svvosts.exe
3468	svvosts.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\svvosts.exe	svvosts.exe
File created	C:\Windows\SysWOW64\svvosts.exe	svvosts.exe
File created	C:\Windows\SysWOW64\$$a.bat	svvosts.exe
File opened for modification	C:\Windows\SysWOW64\$$a.bat	svvosts.exe
File created	C:\Windows\SysWOW64\svvosts.exe	svvosts.exe
File created	C:\Windows\SysWOW64\svvosts.exe	svvosts.exe
File created	C:\Windows\SysWOW64\svvosts.exe	svvosts.exe
File opened for modification	C:\Windows\SysWOW64\$$a.bat	svvosts.exe
File created	C:\Windows\SysWOW64\svvosts.exe	svvosts.exe
File created	C:\Windows\SysWOW64\svvosts.exe	svvosts.exe
File created	C:\Windows\SysWOW64\svvosts.exe	svvosts.exe
File opened for modification	C:\Windows\SysWOW64\$$a.bat	svvosts.exe
File created	C:\Windows\SysWOW64\svvosts.exe	svvosts.exe
File created	C:\Windows\SysWOW64\svvosts.exe	svvosts.exe
File opened for modification	C:\Windows\SysWOW64\$$a.bat	svvosts.exe
File opened for modification	C:\Windows\SysWOW64\$$a.bat	svvosts.exe
File created	C:\Windows\SysWOW64\svvosts.exe	svvosts.exe
File opened for modification	C:\Windows\SysWOW64\$$a.bat	svvosts.exe
File created	C:\Windows\SysWOW64\svvosts.exe	svvosts.exe
File created	C:\Windows\SysWOW64\svvosts.exe	svvosts.exe
File opened for modification	C:\Windows\SysWOW64\$$a.bat	svvosts.exe
File created	C:\Windows\SysWOW64\svvosts.exe	svvosts.exe
File opened for modification	C:\Windows\SysWOW64\$$a.bat	svvosts.exe
File created	C:\Windows\SysWOW64\svvosts.exe	svvosts.exe
File created	C:\Windows\SysWOW64\svvosts.exe	svvosts.exe
File opened for modification	C:\Windows\SysWOW64\$$a.bat	svvosts.exe
File opened for modification	C:\Windows\SysWOW64\$$a.bat	svvosts.exe
File opened for modification	C:\Windows\SysWOW64\$$a.bat	svvosts.exe
File opened for modification	C:\Windows\SysWOW64\$$a.bat	svvosts.exe
File opened for modification	C:\Windows\SysWOW64\$$a.bat	svvosts.exe
File created	C:\Windows\SysWOW64\svvosts.exe	svvosts.exe
File created	C:\Windows\SysWOW64\svvosts.exe	svvosts.exe
File created	C:\Windows\SysWOW64\$$a.bat	svvosts.exe
File created	C:\Windows\SysWOW64\svvosts.exe	svvosts.exe
File created	C:\Windows\SysWOW64\svvosts.exe	svvosts.exe
File created	C:\Windows\SysWOW64\svvosts.exe	svvosts.exe
File created	C:\Windows\SysWOW64\svvosts.exe	svvosts.exe
File created	C:\Windows\SysWOW64\svvosts.exe	svvosts.exe
File created	C:\Windows\SysWOW64\svvosts.exe	svvosts.exe
File opened for modification	C:\Windows\SysWOW64\$$a.bat	svvosts.exe
File created	C:\Windows\SysWOW64\svvosts.exe	svvosts.exe
File opened for modification	C:\Windows\SysWOW64\$$a.bat	svvosts.exe
File created	C:\Windows\SysWOW64\svvosts.exe	svvosts.exe
File created	C:\Windows\SysWOW64\svvosts.exe	svvosts.exe
File created	C:\Windows\SysWOW64\svvosts.exe	svvosts.exe
File opened for modification	C:\Windows\SysWOW64\$$a.bat	svvosts.exe
File created	C:\Windows\SysWOW64\svvosts.exe	svvosts.exe
File opened for modification	C:\Windows\SysWOW64\$$a.bat	svvosts.exe
File opened for modification	C:\Windows\SysWOW64\$$a.bat	svvosts.exe
File created	C:\Windows\SysWOW64\svvosts.exe	svvosts.exe
File opened for modification	C:\Windows\SysWOW64\$$a.bat	svvosts.exe
File created	C:\Windows\SysWOW64\svvosts.exe	svvosts.exe
File opened for modification	C:\Windows\SysWOW64\$$a.bat	svvosts.exe
File opened for modification	C:\Windows\SysWOW64\$$a.bat	svvosts.exe
File created	C:\Windows\SysWOW64\svvosts.exe	svvosts.exe
File created	C:\Windows\SysWOW64\svvosts.exe	svvosts.exe
File created	C:\Windows\SysWOW64\svvosts.exe	svvosts.exe
File created	C:\Windows\SysWOW64\svvosts.exe	svvosts.exe
File created	C:\Windows\SysWOW64\svvosts.exe	svvosts.exe
File opened for modification	C:\Windows\SysWOW64\$$a.bat	svvosts.exe
File created	C:\Windows\SysWOW64\svvosts.exe	svvosts.exe
File created	C:\Windows\SysWOW64\svvosts.exe	svvosts.exe
File created	C:\Windows\SysWOW64\svvosts.exe	svvosts.exe
File opened for modification	C:\Windows\SysWOW64\$$a.bat	svvosts.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4988 wrote to memory of 2032	4988	16d21f6bd48d0425a8d1e4fd0059b45c.exe	91
PID 4988 wrote to memory of 2032	4988	16d21f6bd48d0425a8d1e4fd0059b45c.exe	91
PID 4988 wrote to memory of 2032	4988	16d21f6bd48d0425a8d1e4fd0059b45c.exe	91
PID 2032 wrote to memory of 4664	2032	svvosts.exe	93
PID 2032 wrote to memory of 4664	2032	svvosts.exe	93
PID 2032 wrote to memory of 4664	2032	svvosts.exe	93
PID 4664 wrote to memory of 440	4664	svvosts.exe	94
PID 4664 wrote to memory of 440	4664	svvosts.exe	94
PID 4664 wrote to memory of 440	4664	svvosts.exe	94
PID 440 wrote to memory of 4852	440	svvosts.exe	96
PID 440 wrote to memory of 4852	440	svvosts.exe	96
PID 440 wrote to memory of 4852	440	svvosts.exe	96
PID 4852 wrote to memory of 1524	4852	svvosts.exe	97
PID 4852 wrote to memory of 1524	4852	svvosts.exe	97
PID 4852 wrote to memory of 1524	4852	svvosts.exe	97
PID 1524 wrote to memory of 2584	1524	svvosts.exe	98
PID 1524 wrote to memory of 2584	1524	svvosts.exe	98
PID 1524 wrote to memory of 2584	1524	svvosts.exe	98
PID 2584 wrote to memory of 4928	2584	svvosts.exe	99
PID 2584 wrote to memory of 4928	2584	svvosts.exe	99
PID 2584 wrote to memory of 4928	2584	svvosts.exe	99
PID 4928 wrote to memory of 972	4928	svvosts.exe	100
PID 4928 wrote to memory of 972	4928	svvosts.exe	100
PID 4928 wrote to memory of 972	4928	svvosts.exe	100
PID 972 wrote to memory of 4632	972	svvosts.exe	101
PID 972 wrote to memory of 4632	972	svvosts.exe	101
PID 972 wrote to memory of 4632	972	svvosts.exe	101
PID 4632 wrote to memory of 1360	4632	svvosts.exe	102
PID 4632 wrote to memory of 1360	4632	svvosts.exe	102
PID 4632 wrote to memory of 1360	4632	svvosts.exe	102
PID 1360 wrote to memory of 3588	1360	svvosts.exe	103
PID 1360 wrote to memory of 3588	1360	svvosts.exe	103
PID 1360 wrote to memory of 3588	1360	svvosts.exe	103
PID 3588 wrote to memory of 5048	3588	svvosts.exe	104
PID 3588 wrote to memory of 5048	3588	svvosts.exe	104
PID 3588 wrote to memory of 5048	3588	svvosts.exe	104
PID 5048 wrote to memory of 3096	5048	svvosts.exe	105
PID 5048 wrote to memory of 3096	5048	svvosts.exe	105
PID 5048 wrote to memory of 3096	5048	svvosts.exe	105
PID 3096 wrote to memory of 2464	3096	svvosts.exe	106
PID 3096 wrote to memory of 2464	3096	svvosts.exe	106
PID 3096 wrote to memory of 2464	3096	svvosts.exe	106
PID 2464 wrote to memory of 4504	2464	svvosts.exe	107
PID 2464 wrote to memory of 4504	2464	svvosts.exe	107
PID 2464 wrote to memory of 4504	2464	svvosts.exe	107
PID 4504 wrote to memory of 2740	4504	svvosts.exe	108
PID 4504 wrote to memory of 2740	4504	svvosts.exe	108
PID 4504 wrote to memory of 2740	4504	svvosts.exe	108
PID 2740 wrote to memory of 2044	2740	svvosts.exe	109
PID 2740 wrote to memory of 2044	2740	svvosts.exe	109
PID 2740 wrote to memory of 2044	2740	svvosts.exe	109
PID 2044 wrote to memory of 3700	2044	svvosts.exe	110
PID 2044 wrote to memory of 3700	2044	svvosts.exe	110
PID 2044 wrote to memory of 3700	2044	svvosts.exe	110
PID 3700 wrote to memory of 4088	3700	svvosts.exe	111
PID 3700 wrote to memory of 4088	3700	svvosts.exe	111
PID 3700 wrote to memory of 4088	3700	svvosts.exe	111
PID 4088 wrote to memory of 4388	4088	svvosts.exe	112
PID 4088 wrote to memory of 4388	4088	svvosts.exe	112
PID 4088 wrote to memory of 4388	4088	svvosts.exe	112
PID 4388 wrote to memory of 2280	4388	svvosts.exe	113
PID 4388 wrote to memory of 2280	4388	svvosts.exe	113
PID 4388 wrote to memory of 2280	4388	svvosts.exe	113
PID 2280 wrote to memory of 1632	2280	svvosts.exe	114

C:\Users\Admin\AppData\Local\Temp\16d21f6bd48d0425a8d1e4fd0059b45c.exe
"C:\Users\Admin\AppData\Local\Temp\16d21f6bd48d0425a8d1e4fd0059b45c.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4988
- C:\Windows\SysWOW64\svvosts.exe
  C:\Windows\system32\svvosts.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2032
- - C:\Windows\SysWOW64\svvosts.exe
    C:\Windows\system32\svvosts.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4664
  - - C:\Windows\SysWOW64\svvosts.exe
      C:\Windows\system32\svvosts.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:440
    - - C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4852
      - C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1524
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2584
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4928
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:972
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4632
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1360
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3588
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5048
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3096
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2464
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4504
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2740
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2044
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3700
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4088
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4388
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2280
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1632
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        24⤵
        Executes dropped EXE
        
        PID:3228
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        25⤵
        Executes dropped EXE
        
        PID:2964
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        26⤵
        Executes dropped EXE
        
        PID:1172
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5084
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:368
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        29⤵
        Executes dropped EXE
        
        PID:4280
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        30⤵
        Executes dropped EXE
        
        PID:5032
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1864
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:844
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        33⤵
        Executes dropped EXE
        
        PID:4764
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4924
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        35⤵
        Executes dropped EXE
        
        PID:208
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        36⤵
        Executes dropped EXE
        
        PID:4292
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        37⤵
        Executes dropped EXE
        
        PID:2024
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        38⤵
        Executes dropped EXE
        
        PID:2120
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3748
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        40⤵
        Executes dropped EXE
        
        PID:4980
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1496
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4740
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        43⤵
        Executes dropped EXE
        
        PID:1792
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        44⤵
        Executes dropped EXE
        
        PID:1536
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        45⤵
        Executes dropped EXE
        
        PID:4312
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1736
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        47⤵
        Executes dropped EXE
        
        PID:4788
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        48⤵
        Executes dropped EXE
        
        PID:1532
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3088
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        50⤵
        Executes dropped EXE
        
        PID:944
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        51⤵
        Executes dropped EXE
        
        PID:2020
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        52⤵
        Executes dropped EXE
        
        PID:4288
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        53⤵
        Executes dropped EXE
        
        PID:4344
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        54⤵
        Executes dropped EXE
        
        PID:4264
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5076
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        56⤵
        Executes dropped EXE
        
        PID:5116
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        57⤵
        Executes dropped EXE
        
        PID:1348
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4540
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        59⤵
        Executes dropped EXE
        
        PID:1156
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        60⤵
        Executes dropped EXE
        
        PID:3944
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        61⤵
        Executes dropped EXE
        
        PID:3300
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4784
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        63⤵
        Executes dropped EXE
        
        PID:3172
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        64⤵
        Executes dropped EXE
        
        PID:3528
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        65⤵
        Executes dropped EXE
        
        PID:3468
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        66⤵
        
        PID:1380
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        67⤵
        Drops file in System32 directory
        
        PID:3580
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        68⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        69⤵
        
        PID:516
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        70⤵
        Drops file in System32 directory
        
        PID:4728
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        71⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        72⤵
        
        PID:3980
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        73⤵
        Drops file in System32 directory
        
        PID:1768
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        74⤵
        
        PID:4984
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        75⤵
        
        PID:3616
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        76⤵
        Drops file in System32 directory
        
        PID:216
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        77⤵
        Drops file in System32 directory
        
        PID:1576
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        78⤵
        
        PID:5180
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        79⤵
        Drops file in System32 directory
        
        PID:5268
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        80⤵
        Drops file in System32 directory
        
        PID:5320
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        81⤵
        
        PID:5360
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        82⤵
        
        PID:5392
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        83⤵
        
        PID:5420
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        84⤵
        Drops file in System32 directory
        
        PID:5448
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        85⤵
        
        PID:5472
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        86⤵
        
        PID:5500
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        87⤵
        Drops file in System32 directory
        
        PID:5532
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        88⤵
        Drops file in System32 directory
        
        PID:5568
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        89⤵
        
        PID:5832
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        90⤵
        
        PID:5992
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        91⤵
        
        PID:6120
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        92⤵
        
        PID:540
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        93⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        94⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        95⤵
        
        PID:3592
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        96⤵
        
        PID:3124
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        97⤵
        Drops file in System32 directory
        
        PID:2228
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        98⤵
        
        PID:5720
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        99⤵
        
        PID:4188
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        100⤵
        Drops file in System32 directory
        
        PID:5896
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        101⤵
        
        PID:3724
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        102⤵
        
        PID:6184
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        103⤵
        
        PID:6276
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        104⤵
        
        PID:6340
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        105⤵
        
        PID:6424
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        106⤵
        
        PID:6556
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        107⤵
        
        PID:6648
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        108⤵
        Drops file in System32 directory
        
        PID:6732
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        109⤵
        
        PID:6788
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        110⤵
        Drops file in System32 directory
        
        PID:6840
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        111⤵
        
        PID:6872
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        112⤵
        Drops file in System32 directory
        
        PID:6896
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        113⤵
        
        PID:6976
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        114⤵
        
        PID:6996
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        115⤵
        
        PID:7020
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        116⤵
        
        PID:7040
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        117⤵
        Drops file in System32 directory
        
        PID:7124
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        118⤵
        
        PID:4056
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        119⤵
        Drops file in System32 directory
        
        PID:3100
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        120⤵
        Drops file in System32 directory
        
        PID:6540
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        121⤵
        
        PID:6700
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        122⤵
        Drops file in System32 directory
        
        PID:2728
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        123⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        124⤵
        Drops file in System32 directory
        
        PID:2552
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        125⤵
        
        PID:6056
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        126⤵
        
        PID:4264
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        127⤵
        
        PID:7012
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        128⤵
        Drops file in System32 directory
        
        PID:5376
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        129⤵
        
        PID:536
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        130⤵
        
        PID:7048
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        131⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        132⤵
        Drops file in System32 directory
        
        PID:4848
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        133⤵
        
        PID:7176
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        134⤵
        
        PID:7292
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        135⤵
        Drops file in System32 directory
        
        PID:7352
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        136⤵
        
        PID:7460
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        137⤵
        Drops file in System32 directory
        
        PID:7568
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        138⤵
        
        PID:7660
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        139⤵
        
        PID:7744
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        140⤵
        Drops file in System32 directory
        
        PID:7836
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        141⤵
        Drops file in System32 directory
        
        PID:7928
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        142⤵
        
        PID:7956
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        143⤵
        
        PID:7984
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        144⤵
        
        PID:8072
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        145⤵
        
        PID:8148
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        146⤵
        
        PID:7228
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        147⤵
        
        PID:7392
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        148⤵
        
        PID:7588
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        149⤵
        Drops file in System32 directory
        
        PID:7692
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        150⤵
        Drops file in System32 directory
        
        PID:7876
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        151⤵
        Drops file in System32 directory
        
        PID:8016
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        152⤵
        Drops file in System32 directory
        
        PID:8120
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        153⤵
        
        PID:756
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        154⤵
        
        PID:8124
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        155⤵
        Drops file in System32 directory
        
        PID:5412
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        156⤵
        
        PID:5424
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        157⤵
        
        PID:5448
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        158⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        159⤵
        
        PID:5192
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        160⤵
        
        PID:5504
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        161⤵
        
        PID:5552
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        162⤵
        
        PID:1768
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        163⤵
        Drops file in System32 directory
        
        PID:3616
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        164⤵
        Drops file in System32 directory
        
        PID:8096
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        165⤵
        Drops file in System32 directory
        
        PID:4748
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        166⤵
        Drops file in System32 directory
        
        PID:3504
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        167⤵
        
        PID:5212
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        168⤵
        
        PID:5692
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        169⤵
        
        PID:8240
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        170⤵
        
        PID:8276
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        171⤵
        
        PID:8356
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        172⤵
        
        PID:8384
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        173⤵
        
        PID:8408
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        174⤵
        
        PID:8432
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        175⤵
        
        PID:8464
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        176⤵
        
        PID:8484
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        177⤵
        
        PID:8504
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        178⤵
        
        PID:8548
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        179⤵
        Drops file in System32 directory
        
        PID:8572
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        180⤵
        
        PID:9208
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        181⤵
        
        PID:8672
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        182⤵
        
        PID:3564
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        183⤵
        
        PID:5588
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        184⤵
        
        PID:6976
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        185⤵
        Drops file in System32 directory
        
        PID:8864
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        186⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        187⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        188⤵
        Drops file in System32 directory
        
        PID:4864
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        189⤵
        Drops file in System32 directory
        
        PID:5652
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        190⤵
        
        PID:7072
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        191⤵
        
        PID:5912
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        192⤵
        
        PID:9280
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        193⤵
        
        PID:9320
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        194⤵
        
        PID:9440
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        195⤵
        Drops file in System32 directory
        
        PID:9548
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        196⤵
        
        PID:9656
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        197⤵
        
        PID:9764
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        198⤵
        
        PID:9816
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        199⤵
        
        PID:9912
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        200⤵
        
        PID:9988
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        201⤵
        
        PID:10048
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        202⤵
        
        PID:10124
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        203⤵
        
        PID:10208
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        204⤵
        Drops file in System32 directory
        
        PID:9304
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        205⤵
        
        PID:7216
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        206⤵
        Drops file in System32 directory
        
        PID:9636
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        207⤵
        
        PID:9612
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        208⤵
        
        PID:9952
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        209⤵
        
        PID:7836
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        210⤵
        
        PID:10192
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        211⤵
        
        PID:3488
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        212⤵
        
        PID:624
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        213⤵
        
        PID:10032
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        214⤵
        
        PID:3528
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        215⤵
        
        PID:7940
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        216⤵
        
        PID:1780
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        217⤵
        
        PID:7748
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        218⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        219⤵
        
        PID:10276
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        220⤵
        
        PID:10380
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        221⤵
        
        PID:10464
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        222⤵
        
        PID:10524
        
        C:\Windows\SysWOW64\svvosts.exe
        
        C:\Windows\system32\svvosts.exe
        223⤵
        
        PID:10624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$a.bat
        166⤵
        
        PID:10652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$a.bat
        165⤵
        
        PID:10556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$a.bat
        164⤵
        
        PID:10496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$a.bat
        163⤵
        
        PID:10420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$a.bat
        162⤵
        
        PID:10340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$a.bat
        161⤵
        
        PID:10256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$a.bat
        160⤵
        
        PID:5424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$a.bat
        159⤵
        
        PID:5272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$a.bat
        158⤵
        
        PID:9380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$a.bat
        157⤵
        
        PID:4792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$a.bat
        156⤵
        
        PID:9564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$a.bat
        155⤵
        
        PID:10120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$a.bat
        154⤵
        
        PID:7744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$a.bat
        153⤵
        
        PID:7312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$a.bat
        152⤵
        
        PID:516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$a.bat
        151⤵
        
        PID:10132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$a.bat
        150⤵
        
        PID:10028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$a.bat
        149⤵
        
        PID:9948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$a.bat
        148⤵
        
        PID:9872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$a.bat
        147⤵
        
        PID:9712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$a.bat
        146⤵
        
        PID:9556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$a.bat
        145⤵
        
        PID:9404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$a.bat
        144⤵
        
        PID:9244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$a.bat
        143⤵
        
        PID:10196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$a.bat
        142⤵
        
        PID:10112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$a.bat
        141⤵
        
        PID:10036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$a.bat
        140⤵
        
        PID:9956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$a.bat
        139⤵
        
        PID:9880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$a.bat
        138⤵
        
        PID:9792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$a.bat
        137⤵
        
        PID:9716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$a.bat
        136⤵
        
        PID:9644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$a.bat
        135⤵
        
        PID:9568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$a.bat
        134⤵
        
        PID:9496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$a.bat
        133⤵
        
        PID:9412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$a.bat
        132⤵
        
        PID:9344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$a.bat
        130⤵
        
        PID:9220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$a.bat
        129⤵
        
        PID:8212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$a.bat
        128⤵
        
        PID:5996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$a.bat
        127⤵
        
        PID:6288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$a.bat
        126⤵
        
        PID:3436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$a.bat
        125⤵
        
        PID:9192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$a.bat
        124⤵
        
        PID:3748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$a.bat
        123⤵
        
        PID:7008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$a.bat
        122⤵
        
        PID:7040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$a.bat
        121⤵
        
        PID:6344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$a.bat
        120⤵
        
        PID:8676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$a.bat
        119⤵
        
        PID:8416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$a.bat
        118⤵
        
        PID:3572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$a.bat
        117⤵
        
        PID:9132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$a.bat
        116⤵
        
        PID:8892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$a.bat
        115⤵
        
        PID:8900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$a.bat
        114⤵
        
        PID:8912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$a.bat
        113⤵
        
        PID:8928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$a.bat
        112⤵
        
        PID:8920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$a.bat
        111⤵
        
        PID:8936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$a.bat
        110⤵
        
        PID:8944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$a.bat
        109⤵
        
        PID:8952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$a.bat
        108⤵
        
        PID:8960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$a.bat
        107⤵
        
        PID:8968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$a.bat
        106⤵
        
        PID:8976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$a.bat
        105⤵
        
        PID:8984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$a.bat
        104⤵
        
        PID:8992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$a.bat
        103⤵
        
        PID:8884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$a.bat
        102⤵
        
        PID:9000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$a.bat
        101⤵
        
        PID:8732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$a.bat
        100⤵
        
        PID:8716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$a.bat
        99⤵
        
        PID:8700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$a.bat
        98⤵
        
        PID:8684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$a.bat
        97⤵
        
        PID:8664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$a.bat
        96⤵
        
        PID:8644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$a.bat
        95⤵
        
        PID:8628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$a.bat
        94⤵
        
        PID:8608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$a.bat
        93⤵
        
        PID:8592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$a.bat
        92⤵
        
        PID:8308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$a.bat
        90⤵
        
        PID:8196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$a.bat
        89⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$a.bat
        88⤵
        
        PID:4468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$a.bat
        87⤵
        
        PID:5408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$a.bat
        86⤵
        
        PID:8088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$a.bat
        85⤵
        
        PID:7976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$a.bat
        84⤵
        
        PID:7788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$a.bat
        83⤵
        
        PID:3128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$a.bat
        82⤵
        
        PID:7484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$a.bat
        81⤵
        
        PID:7308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$a.bat
        80⤵
        
        PID:8184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$a.bat
        79⤵
        
        PID:8104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$a.bat
        78⤵
        
        PID:8024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$a.bat
        77⤵
        
        PID:7868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$a.bat
        76⤵
        
        PID:7780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$a.bat
        75⤵
        
        PID:7700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$a.bat
        74⤵
        
        PID:7620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$a.bat
        73⤵
        
        PID:7524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$a.bat
        72⤵
        
        PID:7440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$a.bat
        71⤵
        
        PID:7380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$a.bat
        70⤵
        
        PID:7272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$a.bat
        69⤵
        
        PID:7192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$a.bat
        68⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$a.bat
        67⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$a.bat
        66⤵
        
        PID:3964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$a.bat
        65⤵
        
        PID:3944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$a.bat
        64⤵
        
        PID:3772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$a.bat
        62⤵
        
        PID:3460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$a.bat
        61⤵
        
        PID:3720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$a.bat
        59⤵
        
        PID:6272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$a.bat
        58⤵
        
        PID:7152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$a.bat
        57⤵
        
        PID:6984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$a.bat
        56⤵
        
        PID:4868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$a.bat
        55⤵
        
        PID:6772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$a.bat
        54⤵
        
        PID:5644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$a.bat
        53⤵
        
        PID:3328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$a.bat
        52⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$a.bat
        51⤵
        
        PID:6212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$a.bat
        50⤵
        
        PID:7156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$a.bat
        49⤵
        
        PID:7056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$a.bat
        48⤵
        
        PID:6924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$a.bat
        47⤵
        
        PID:6764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$a.bat
        46⤵
        
        PID:6684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$a.bat
        45⤵
        
        PID:6600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$a.bat
        44⤵
        
        PID:6524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$a.bat
        43⤵
        
        PID:6440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$a.bat
        42⤵
        
        PID:6380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$a.bat
        40⤵
        
        PID:6260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$a.bat
        39⤵
        
        PID:6172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$a.bat
        38⤵
        
        PID:812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$a.bat
        37⤵
        
        PID:6008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$a.bat
        36⤵
        
        PID:3080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$a.bat
        35⤵
        
        PID:5784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$a.bat
        34⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$a.bat
        33⤵
        
        PID:4140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$a.bat
        32⤵
        
        PID:1444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$a.bat
        31⤵
        
        PID:5416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$a.bat
        30⤵
        
        PID:5840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$a.bat
        29⤵
        
        PID:4852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$a.bat
        28⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$a.bat
        23⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$a.bat
        22⤵
        
        PID:5540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$a.bat
        21⤵
        
        PID:5512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$a.bat
        20⤵
        
        PID:4744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$a.bat
        19⤵
        
        PID:5440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$a.bat
        18⤵
        
        PID:6108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$a.bat
        17⤵
        
        PID:5968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$a.bat
        16⤵
        
        PID:5860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$a.bat
        15⤵
        
        PID:5728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\$$a.bat
        7⤵
        
        PID:5668
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a.bat
  2⤵
  PID:5640

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\$$a.bat

Filesize
138B

MD5
24e2508adf76e03df7c0b8b02b14e306

SHA1
a806407abfaab6abf558f5fedcef1de7ed32440a

SHA256
d70726fcf7788a8b4b1c63f4ec32cb4fe6041bffbe5f6b00a394829918494e3a

SHA512
5e7619105c26e575e854737126d6f22d8bbda0e0126c1531983b29fe2770e51b6ddb781de0a3bd97dd784c1360526975d2c91888e026126f5a2c8d0e0ff650cd

Download Submit
C:\Windows\SysWOW64\svvosts.exe

Filesize
30KB

MD5
c6ed377235fb9f0283163094c8ac3ce9

SHA1
03e83b6c7c974e5826a2a0292ff94e0b1419f5cc

SHA256
94b74acff3f673c4550582c3f2b67ee1625132e033ed5c3e9bce52ad8eb25c4f

SHA512
f003303d96c60c5ae504d3a0d13e06b4bafb17c767ca982e170e29274da9649a40cf151cf26ce7f19babdb2522c7bb598afd0b134bf4222019c8e4425789738e

Download Submit
C:\Windows\SysWOW64\svvosts.exe

Filesize
6KB

MD5
8c840aa37aeca10ca9f310243d2b5758

SHA1
c519b93291749903e570b15e125d0f381658d759

SHA256
3c559d1f2235550b27d16bf71698d69ea9b125a3d2f5bd0298cbdf34419ec0e5

SHA512
697b046d7c58a9007e26f79c49de6e450bdb5cb154e25aa66d2297c637777c2f181ef59ba6b0637082d677d3715e039de5f4eead36f29594c549db91eda7abb2

Download Submit
C:\Windows\SysWOW64\svvosts.exe

Filesize
1KB

MD5
4268838d79e234ab3f1b888b5c4830e4

SHA1
e98c24324f0e56d8aaece83c9282c3d9f6854d5a

SHA256
8878880763fb16575e2132b3460fd03e80b36db480596248e23a7b0a2e72412d

SHA512
7320fd7782c5af81355537b8e29ba23947b8a068e497e4c91e7186a79c69ae16649c8fd7d6a291b60e6c12855500a293fda333a99bb6271b62c3af15642bb1fe

Download Submit
C:\Windows\SysWOW64\svvosts.exe

Filesize
33KB

MD5
ee2c285989677eb7fae76b7d28ba12df

SHA1
c59aab489d486d188221fc28cf744ec347631ea9

SHA256
863f2b51dff2156669d31fc23dee0221bd493cdf3ef62616ef86bcbb7e576374

SHA512
d9c6ec548239a31e07199b80429347684c798836e460c72efdf02d4e94d6d4f3c9ae78ea258b5eeacadef10aa1ea07e8455a59a7ba5b4cfb397b2820467557f2

Download Submit
C:\Windows\SysWOW64\svvosts.exe

Filesize
1KB

MD5
28bfa622f7a505a6a958f5cfe9908163

SHA1
aa20a953d1baa5a8525f87c196542ab0d8a74074

SHA256
5c95e31c9a047a3c89441ade34a06906544064e6455613101deea6f5257a0205

SHA512
4c38abc4bcf316cc0861ad9ba81589f7c1a2675f6bc3f5febc94104ff205e3b2685b02f5e3175a4b3b2ad9287c5b43ac5f1c103dc9dc8634e70ed299fc8ea548

Download Submit
C:\Windows\SysWOW64\svvosts.exe

Filesize
27KB

MD5
e477da7851fb2ec7f3eb2f49db607805

SHA1
bf4bdde2c0bbd73f12b841889b753422954a7155

SHA256
04a899b5acfec65e19cf311d07864f30ac994722bcf8b035c60ebd688bc5c40a

SHA512
fe58102e975117824b2bada3f556c4d7d3b4a90123a819c8d3b667e1c57c21d7e4c65ba4c33d73c52fc73dff0fc23eb56072bf2d8c03e8c42661526d1f68d408

Download Submit
C:\Windows\SysWOW64\svvosts.exe

Filesize
6KB

MD5
b5c765ca41a1094c0016f22332962584

SHA1
a7e2b810a46d5cff451503b45a70d9b84b4dec4f

SHA256
cf32487b9b5e7d9ca159d2b65ac84b3d0c4f1d14bab5c74441676e0620ac9d4a

SHA512
6b100a5555908da96ae09572672287e5e801808383a0237cdc97a41a5d09ea8702a5a6801a2964043206006f33f95c6da1be308321c87670a89f22f5e1ee1a4f

Download Submit
C:\Windows\SysWOW64\svvosts.exe

Filesize
36KB

MD5
ade1cccdd198ead18d78ae1b7293fa14

SHA1
d69cad520ce9ba95a4a2621579377489a6adbc5c

SHA256
0dd89714a9e8206221d5dccf72b538d4ab02ba2f9d2a5f892f7df5ca349c8ce5

SHA512
f9047623ca82161704010983f5d5e8ef7c2f1d5a8af963ee07d1b92f5c4ae9c6010f202a8efb8489c43f78a67475a1d4182eaebaa498f7e9f7ad30ba5f837d79

Download Submit
C:\Windows\SysWOW64\svvosts.exe

Filesize
38KB

MD5
16d21f6bd48d0425a8d1e4fd0059b45c

SHA1
7cd44841eddb746946ba301613025dc092b2159d

SHA256
545c25bdd6d1a9cb3974974104bde506601c1e5738983869411897b91e6c0a24

SHA512
e48e126cde844e017d4e461b916207ba0fcb29c8d38b2cc2ae14349e741ee328f6c3c957abfac0369ff675a44a8f80e6778f627711079f79610535ce9b7a5ab9

Download Submit
C:\Windows\SysWOW64\svvosts.exe

Filesize
33KB

MD5
75ed0894beb682824886e686fd90e34e

SHA1
b114801658b08fde28ab9206c38dc4c9ff6a6ac5

SHA256
faf46a2a014c9167eab588367dda8c0866a0b53f91a10d149ca94a9834729273

SHA512
a7c790f6e987b78f70bb60c0fb1352dac16355a5910ef29c884847cf2705afb28064223b74d491dbe4ccdccce9e6a7f28330d05d1cab7a7897ec4f434c5d489d

Download Submit
C:\Windows\SysWOW64\svvosts.exe

Filesize
23KB

MD5
46f80d51471dd085a83f17890e63af8e

SHA1
27e0bc58c2b1735f60cb0a977bbfd48205c846ff

SHA256
dc7cb0581a897a2dd8ec3bec08be84c7f87032ccd2ebedd7085a585afcd3b911

SHA512
391f529c361146c14920b531f8c85ff26e01d80b1068f00aaac8917f4a5c06e337733d0eb17f2c112a21a70a39c83b6433605c8b8dc1455ccf797413f1f929d8

Download Submit
C:\Windows\SysWOW64\svvosts.exe

Filesize
35KB

MD5
e4d7509b35acefa37fec49a3efb25812

SHA1
182f3c68af897759540d66feac234e417a4ea8a1

SHA256
cd63b6ed8b3df10736f198a51838a4ae3d2547380133a913490a2d8177d7c776

SHA512
c44fb4879b81ef8158cc991f86c6f5251d96dc6fcd2268a64b3e8677833d181b838b67f576fc4f19b23096c2d1e1598026b587e57013cb8fec8fb67e0598c873

Download Submit
C:\Windows\SysWOW64\svvosts.exe

Filesize
26KB

MD5
692735bdfc8777815ed8a591464e3cd7

SHA1
2956bc7456f813ed4d6fb353a81a9435e291500b

SHA256
57574adc6e2bf3ce6a58e1966884e8829a4dd0e0035d2c60d616b2b6913d9918

SHA512
b516f74154626cb17a6d0b0928734766ef7adde50cad546af9ab2a508e6d963857dacaf31c7b955dd60f2181902723525c48ae015b2b94b1aa494e48a850143d

Download Submit
C:\Windows\SysWOW64\svvosts.exe

Filesize
16KB

MD5
e89971762f36cfb9da627669851cdd61

SHA1
abdfc144853e17bcccd0e2605099f0ab31981270

SHA256
a174d6e9aea94b6a6887de6c043e350044385ecd10e24f7169dac8f342ac3a7d

SHA512
e2726130cf65562de43bbbe92e2615cfed1053518b66462109b54ddd53874f6decf9dcfcd92bb0d632579d92a63336c7b08b9a91a3b57ed8386cf81fd06058dd

Download Submit
memory/368-96-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/368-97-0x0000000002030000-0x0000000002130000-memory.dmp

Filesize
1024KB

Download
memory/440-21-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/440-22-0x0000000002030000-0x0000000002130000-memory.dmp

Filesize
1024KB

Download
memory/440-11-0x0000000002030000-0x0000000002130000-memory.dmp

Filesize
1024KB

Download
memory/972-35-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1172-90-0x0000000002030000-0x0000000002130000-memory.dmp

Filesize
1024KB

Download
memory/1172-74-0x0000000002030000-0x0000000002130000-memory.dmp

Filesize
1024KB

Download
memory/1172-89-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1360-41-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1524-15-0x0000000000690000-0x000000000069A000-memory.dmp

Filesize
40KB

Download
memory/1524-27-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1632-63-0x0000000002030000-0x0000000002130000-memory.dmp

Filesize
1024KB

Download
memory/1632-77-0x0000000002030000-0x0000000002130000-memory.dmp

Filesize
1024KB

Download
memory/1632-79-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1864-92-0x0000000002030000-0x0000000002130000-memory.dmp

Filesize
1024KB

Download
memory/2032-7-0x0000000000590000-0x000000000059A000-memory.dmp

Filesize
40KB

Download
memory/2032-17-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2044-60-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2280-76-0x0000000002030000-0x0000000002130000-memory.dmp

Filesize
1024KB

Download
memory/2280-75-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2280-59-0x0000000002030000-0x0000000002130000-memory.dmp

Filesize
1024KB

Download
memory/2464-51-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2464-40-0x00000000004B0000-0x00000000004BA000-memory.dmp

Filesize
40KB

Download
memory/2584-29-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2740-56-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2964-70-0x0000000002030000-0x0000000002130000-memory.dmp

Filesize
1024KB

Download
memory/2964-86-0x0000000002030000-0x0000000002130000-memory.dmp

Filesize
1024KB

Download
memory/2964-85-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/3096-48-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/3228-82-0x0000000002030000-0x0000000002130000-memory.dmp

Filesize
1024KB

Download
memory/3228-66-0x0000000002030000-0x0000000002130000-memory.dmp

Filesize
1024KB

Download
memory/3228-81-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/3588-30-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/3588-43-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/3700-65-0x0000000002030000-0x0000000002130000-memory.dmp

Filesize
1024KB

Download
memory/3700-61-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/3700-50-0x0000000002030000-0x0000000002130000-memory.dmp

Filesize
1024KB

Download
memory/4088-52-0x0000000002030000-0x0000000002130000-memory.dmp

Filesize
1024KB

Download
memory/4088-67-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/4088-69-0x0000000002030000-0x0000000002130000-memory.dmp

Filesize
1024KB

Download
memory/4280-83-0x0000000002030000-0x0000000002130000-memory.dmp

Filesize
1024KB

Download
memory/4388-57-0x0000000002030000-0x0000000002130000-memory.dmp

Filesize
1024KB

Download
memory/4388-72-0x0000000002030000-0x0000000002130000-memory.dmp

Filesize
1024KB

Download
memory/4388-71-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/4504-54-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/4632-37-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/4632-25-0x0000000000590000-0x000000000059A000-memory.dmp

Filesize
40KB

Download
memory/4632-38-0x0000000000590000-0x000000000059A000-memory.dmp

Filesize
40KB

Download
memory/4664-8-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/4664-19-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/4764-99-0x0000000002030000-0x0000000002130000-memory.dmp

Filesize
1024KB

Download
memory/4852-24-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/4928-32-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/4988-0-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/4988-14-0x0000000000590000-0x000000000059A000-memory.dmp

Filesize
40KB

Download
memory/4988-13-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/4988-1-0x0000000000590000-0x000000000059A000-memory.dmp

Filesize
40KB

Download
memory/5032-88-0x0000000002030000-0x0000000002130000-memory.dmp

Filesize
1024KB

Download
memory/5048-33-0x0000000000590000-0x000000000059A000-memory.dmp

Filesize
40KB

Download
memory/5048-46-0x0000000000590000-0x000000000059A000-memory.dmp

Filesize
40KB

Download
memory/5048-45-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/5084-93-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/5084-94-0x0000000002030000-0x0000000002130000-memory.dmp

Filesize
1024KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads