e63158231bd8190746255e9d42b3c9d0c9be52373ce4705cadc97f35aec6448c

Analysis

max time kernel
148s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
31/12/2023, 04:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2819cbbf67c90445b1ac8555406c329e.exe
Size

679KB
MD5

2819cbbf67c90445b1ac8555406c329e
SHA1

d41913fd6946b8d9c3320c361b19f232fc6fa6a0
SHA256

e63158231bd8190746255e9d42b3c9d0c9be52373ce4705cadc97f35aec6448c
SHA512

3a5e7cbf1e329f9353be164f5ca530c169b76309041944a4ec2a8d1bd18d113e0bc0f1ca00212e270f1ab0664ecd1fca196d65d547ae6242a7ec082ee510eafb
SSDEEP

12288:ShSi53nC4lLMrL0Nh4eoj1mliehPWWkHvGdmpnOCRZDA95lv7Oc1AifYJF:ShSi5FBojshxe0Gtgag+F

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 14 IoCs

pid	Process
4328	svchost.exe
3312	svchost.exe
372	svchost.exe
3992	svchost.exe
3120	svchost.exe
4720	svchost.exe
1912	svchost.exe
4496	svchost.exe
4524	svchost.exe
3456	svchost.exe
2212	svchost.exe
1664	svchost.exe
392	svchost.exe
5004	WScript.exe

Loads dropped DLL 15 IoCs

pid	Process
4772	2819cbbf67c90445b1ac8555406c329e.exe
4328	svchost.exe
3312	svchost.exe
372	svchost.exe
3992	svchost.exe
3120	svchost.exe
4720	svchost.exe
1912	svchost.exe
4496	svchost.exe
4524	svchost.exe
3456	svchost.exe
2212	svchost.exe
1664	svchost.exe
392	svchost.exe
5004	WScript.exe

Drops file in System32 directory 43 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\25321\AntiOpenProcess.dll	svchost.exe
File created	C:\Windows\SysWOW64\25321\svchost.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\25321	svchost.exe
File opened for modification	C:\Windows\SysWOW64\25321	svchost.exe
File created	C:\Windows\SysWOW64\25321\svchost.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\25321\AntiOpenProcess.dll	svchost.exe
File opened for modification	C:\Windows\SysWOW64\25321\AntiOpenProcess.dll	svchost.exe
File opened for modification	C:\Windows\SysWOW64\25321\AntiOpenProcess.dll	svchost.exe
File opened for modification	C:\Windows\SysWOW64\25321\AntiOpenProcess.dll	svchost.exe
File opened for modification	C:\Windows\SysWOW64\25321	svchost.exe
File opened for modification	C:\Windows\SysWOW64\25321	svchost.exe
File opened for modification	C:\Windows\SysWOW64\25321	svchost.exe
File opened for modification	C:\Windows\SysWOW64\25321	svchost.exe
File created	C:\Windows\SysWOW64\25321\svchost.exe	svchost.exe
File created	C:\Windows\SysWOW64\25321\svchost.exe	2819cbbf67c90445b1ac8555406c329e.exe
File created	C:\Windows\SysWOW64\25321\svchost.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\25321\AntiOpenProcess.dll	svchost.exe
File opened for modification	C:\Windows\SysWOW64\25321\AntiOpenProcess.dll	svchost.exe
File opened for modification	C:\Windows\SysWOW64\25321\AntiOpenProcess.dll	svchost.exe
File created	C:\Windows\SysWOW64\25321\svchost.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\25321\AntiOpenProcess.dll	svchost.exe
File opened for modification	C:\Windows\SysWOW64\25321	svchost.exe
File created	C:\Windows\SysWOW64\25321\svchost.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\25321\AntiOpenProcess.dll	svchost.exe
File opened for modification	C:\Windows\SysWOW64\25321\AntiOpenProcess.dll	svchost.exe
File opened for modification	C:\Windows\SysWOW64\25321	svchost.exe
File created	C:\Windows\SysWOW64\25321\svchost.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\25321	2819cbbf67c90445b1ac8555406c329e.exe
File opened for modification	C:\Windows\SysWOW64\25321	svchost.exe
File opened for modification	C:\Windows\SysWOW64\25321\AntiOpenProcess.dll	svchost.exe
File opened for modification	C:\Windows\SysWOW64\25321	svchost.exe
File opened for modification	C:\Windows\SysWOW64\25321\AntiOpenProcess.dll	svchost.exe
File created	C:\Windows\SysWOW64\25321\svchost.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\25321	svchost.exe
File opened for modification	C:\Windows\SysWOW64\25321	svchost.exe
File created	C:\Windows\SysWOW64\25321\svchost.exe	svchost.exe
File created	C:\Windows\SysWOW64\25321\AntiOpenProcess.dll	2819cbbf67c90445b1ac8555406c329e.exe
File created	C:\Windows\SysWOW64\25321\svchost.exe	svchost.exe
File created	C:\Windows\SysWOW64\25321\svchost.exe	svchost.exe
File created	C:\Windows\SysWOW64\25321\svchost.exe	svchost.exe
File created	C:\Windows\SysWOW64\25321\svchost.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\25321	svchost.exe
File opened for modification	C:\Windows\SysWOW64\25321\svchost.exe	2819cbbf67c90445b1ac8555406c329e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
4772	2819cbbf67c90445b1ac8555406c329e.exe
4772	2819cbbf67c90445b1ac8555406c329e.exe
4772	2819cbbf67c90445b1ac8555406c329e.exe
4772	2819cbbf67c90445b1ac8555406c329e.exe
4772	2819cbbf67c90445b1ac8555406c329e.exe
4772	2819cbbf67c90445b1ac8555406c329e.exe
4772	2819cbbf67c90445b1ac8555406c329e.exe
4328	svchost.exe
4328	svchost.exe
4328	svchost.exe
4328	svchost.exe
4328	svchost.exe
4328	svchost.exe
4328	svchost.exe
3312	svchost.exe
3312	svchost.exe
3312	svchost.exe
3312	svchost.exe
3312	svchost.exe
3312	svchost.exe
3312	svchost.exe
372	svchost.exe
372	svchost.exe
372	svchost.exe
372	svchost.exe
372	svchost.exe
372	svchost.exe
372	svchost.exe
3992	svchost.exe
3992	svchost.exe
3992	svchost.exe
3992	svchost.exe
3992	svchost.exe
3992	svchost.exe
3992	svchost.exe
3120	svchost.exe
3120	svchost.exe
3120	svchost.exe
3120	svchost.exe
3120	svchost.exe
3120	svchost.exe
3120	svchost.exe
4720	svchost.exe
4720	svchost.exe
4720	svchost.exe
4720	svchost.exe
4720	svchost.exe
4720	svchost.exe
4720	svchost.exe
1912	svchost.exe
1912	svchost.exe
1912	svchost.exe
1912	svchost.exe
1912	svchost.exe
1912	svchost.exe
1912	svchost.exe
4496	svchost.exe
4496	svchost.exe
4496	svchost.exe
4496	svchost.exe
4496	svchost.exe
4496	svchost.exe
4496	svchost.exe
4524	svchost.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4772 wrote to memory of 4328	4772	2819cbbf67c90445b1ac8555406c329e.exe	583
PID 4772 wrote to memory of 4328	4772	2819cbbf67c90445b1ac8555406c329e.exe	583
PID 4772 wrote to memory of 4328	4772	2819cbbf67c90445b1ac8555406c329e.exe	583
PID 4328 wrote to memory of 3312	4328	svchost.exe	582
PID 4328 wrote to memory of 3312	4328	svchost.exe	582
PID 4328 wrote to memory of 3312	4328	svchost.exe	582
PID 3312 wrote to memory of 372	3312	svchost.exe	581
PID 3312 wrote to memory of 372	3312	svchost.exe	581
PID 3312 wrote to memory of 372	3312	svchost.exe	581
PID 372 wrote to memory of 3992	372	svchost.exe	580
PID 372 wrote to memory of 3992	372	svchost.exe	580
PID 372 wrote to memory of 3992	372	svchost.exe	580
PID 3992 wrote to memory of 3120	3992	svchost.exe	579
PID 3992 wrote to memory of 3120	3992	svchost.exe	579
PID 3992 wrote to memory of 3120	3992	svchost.exe	579
PID 3120 wrote to memory of 4720	3120	svchost.exe	578
PID 3120 wrote to memory of 4720	3120	svchost.exe	578
PID 3120 wrote to memory of 4720	3120	svchost.exe	578
PID 4720 wrote to memory of 1912	4720	svchost.exe	576
PID 4720 wrote to memory of 1912	4720	svchost.exe	576
PID 4720 wrote to memory of 1912	4720	svchost.exe	576
PID 1912 wrote to memory of 4496	1912	svchost.exe	575
PID 1912 wrote to memory of 4496	1912	svchost.exe	575
PID 1912 wrote to memory of 4496	1912	svchost.exe	575
PID 4496 wrote to memory of 4524	4496	svchost.exe	574
PID 4496 wrote to memory of 4524	4496	svchost.exe	574
PID 4496 wrote to memory of 4524	4496	svchost.exe	574
PID 4524 wrote to memory of 3456	4524	svchost.exe	572
PID 4524 wrote to memory of 3456	4524	svchost.exe	572
PID 4524 wrote to memory of 3456	4524	svchost.exe	572
PID 3456 wrote to memory of 2212	3456	svchost.exe	1107
PID 3456 wrote to memory of 2212	3456	svchost.exe	1107
PID 3456 wrote to memory of 2212	3456	svchost.exe	1107
PID 2212 wrote to memory of 1664	2212	svchost.exe	570
PID 2212 wrote to memory of 1664	2212	svchost.exe	570
PID 2212 wrote to memory of 1664	2212	svchost.exe	570
PID 1664 wrote to memory of 392	1664	svchost.exe	569
PID 1664 wrote to memory of 392	1664	svchost.exe	569
PID 1664 wrote to memory of 392	1664	svchost.exe	569
PID 392 wrote to memory of 5004	392	svchost.exe	987
PID 392 wrote to memory of 5004	392	svchost.exe	987
PID 392 wrote to memory of 5004	392	svchost.exe	987

C:\Users\Admin\AppData\Local\Temp\2819cbbf67c90445b1ac8555406c329e.exe
"C:\Users\Admin\AppData\Local\Temp\2819cbbf67c90445b1ac8555406c329e.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4772
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\tem.vbs"
  2⤵
  PID:5640
- C:\Windows\SysWOW64\25321\svchost.exe
  C:\Windows\System32\25321\svchost.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4328

C:\Windows\SysWOW64\25321\svchost.exe
C:\Windows\System32\25321\svchost.exe
1⤵
PID:1172
- C:\Windows\SysWOW64\25321\svchost.exe
  C:\Windows\System32\25321\svchost.exe
  2⤵
  PID:2340
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
    3⤵
    PID:6240
- - C:\Windows\SysWOW64\25321\svchost.exe
    C:\Windows\System32\25321\svchost.exe
    3⤵
    PID:4992
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
  2⤵
  PID:6324

C:\Windows\SysWOW64\25321\svchost.exe
C:\Windows\System32\25321\svchost.exe
1⤵
PID:5000
- C:\Windows\SysWOW64\25321\svchost.exe
  C:\Windows\System32\25321\svchost.exe
  2⤵
  PID:4028
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
    3⤵
    PID:6896
- - C:\Windows\SysWOW64\25321\svchost.exe
    C:\Windows\System32\25321\svchost.exe
    3⤵
    PID:4472
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
  2⤵
  PID:6636

C:\Windows\SysWOW64\25321\svchost.exe
C:\Windows\System32\25321\svchost.exe
1⤵
PID:2704
- C:\Windows\SysWOW64\25321\svchost.exe
  C:\Windows\System32\25321\svchost.exe
  2⤵
  PID:2620
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
    3⤵
    PID:6888
- - C:\Windows\SysWOW64\25321\svchost.exe
    C:\Windows\System32\25321\svchost.exe
    3⤵
    PID:4812
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
  2⤵
  PID:6668

C:\Windows\SysWOW64\25321\svchost.exe
C:\Windows\System32\25321\svchost.exe
1⤵
PID:4316
- C:\Windows\SysWOW64\25321\svchost.exe
  C:\Windows\System32\25321\svchost.exe
  2⤵
  PID:212
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
  2⤵
  PID:7020

C:\Windows\SysWOW64\25321\svchost.exe
C:\Windows\System32\25321\svchost.exe
1⤵
PID:4852
- C:\Windows\SysWOW64\25321\svchost.exe
  C:\Windows\System32\25321\svchost.exe
  2⤵
  PID:2636
- - C:\Windows\SysWOW64\25321\svchost.exe
    C:\Windows\System32\25321\svchost.exe
    3⤵
    PID:1220
  - - C:\Windows\SysWOW64\25321\svchost.exe
      C:\Windows\System32\25321\svchost.exe
      4⤵
      PID:1484
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
        5⤵
        
        PID:6332
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
      4⤵
      PID:6572
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
    3⤵
    PID:1324
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
  2⤵
  PID:6828

C:\Windows\SysWOW64\25321\svchost.exe
C:\Windows\System32\25321\svchost.exe
1⤵
PID:2072
- C:\Windows\SysWOW64\25321\svchost.exe
  C:\Windows\System32\25321\svchost.exe
  2⤵
  PID:3220
- - C:\Windows\SysWOW64\25321\svchost.exe
    C:\Windows\System32\25321\svchost.exe
    3⤵
    PID:4548
  - - C:\Windows\SysWOW64\25321\svchost.exe
      C:\Windows\System32\25321\svchost.exe
      4⤵
      PID:1688
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
        5⤵
        
        PID:3276
    - - C:\Windows\SysWOW64\25321\svchost.exe
        
        C:\Windows\System32\25321\svchost.exe
        5⤵
        
        PID:864
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
  2⤵
  PID:3688

C:\Windows\SysWOW64\25321\svchost.exe
C:\Windows\System32\25321\svchost.exe
1⤵
PID:4376
- C:\Windows\SysWOW64\25321\svchost.exe
  C:\Windows\System32\25321\svchost.exe
  2⤵
  PID:1568
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
    3⤵
    PID:6972
- - C:\Windows\SysWOW64\25321\svchost.exe
    C:\Windows\System32\25321\svchost.exe
    3⤵
    PID:5144
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
  2⤵
  PID:5700

C:\Windows\SysWOW64\25321\svchost.exe
C:\Windows\System32\25321\svchost.exe
1⤵
PID:5184
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
  2⤵
  PID:4180
- C:\Windows\SysWOW64\25321\svchost.exe
  C:\Windows\System32\25321\svchost.exe
  2⤵
  PID:5224

C:\Windows\SysWOW64\25321\svchost.exe
C:\Windows\System32\25321\svchost.exe
1⤵
PID:5292
- C:\Windows\SysWOW64\25321\svchost.exe
  C:\Windows\System32\25321\svchost.exe
  2⤵
  PID:5340
- - C:\Windows\SysWOW64\25321\svchost.exe
    C:\Windows\System32\25321\svchost.exe
    3⤵
    PID:5384
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
      4⤵
      PID:2364
  - - C:\Windows\SysWOW64\25321\svchost.exe
      C:\Windows\System32\25321\svchost.exe
      4⤵
      PID:5468
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
    3⤵
    PID:3220
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
      4⤵
      PID:7092
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
  2⤵
  PID:3436

C:\Windows\SysWOW64\25321\svchost.exe
C:\Windows\System32\25321\svchost.exe
1⤵
PID:5516
- C:\Windows\SysWOW64\25321\svchost.exe
  C:\Windows\System32\25321\svchost.exe
  2⤵
  PID:5584
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
  2⤵
  PID:4444

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
1⤵
PID:5664

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
1⤵
PID:5688

C:\Windows\SysWOW64\25321\svchost.exe
C:\Windows\System32\25321\svchost.exe
1⤵
PID:5804
- C:\Windows\SysWOW64\25321\svchost.exe
  C:\Windows\System32\25321\svchost.exe
  2⤵
  PID:5860
- - C:\Windows\SysWOW64\25321\svchost.exe
    C:\Windows\System32\25321\svchost.exe
    3⤵
    PID:6024
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
      4⤵
      PID:4908
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
  2⤵
  PID:4472

C:\Windows\SysWOW64\25321\svchost.exe
C:\Windows\System32\25321\svchost.exe
1⤵
PID:5220
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
  2⤵
  PID:6736

C:\Windows\SysWOW64\25321\svchost.exe
C:\Windows\System32\25321\svchost.exe
1⤵
PID:6084
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
  2⤵
  PID:6304

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
1⤵
PID:5980

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
1⤵
PID:5940

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
1⤵
PID:5828

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
1⤵
PID:5548

C:\Windows\SysWOW64\25321\svchost.exe
C:\Windows\System32\25321\svchost.exe
1⤵
PID:3992
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
  2⤵
  PID:6916
- C:\Windows\SysWOW64\25321\svchost.exe
  C:\Windows\System32\25321\svchost.exe
  2⤵
  PID:376
- C:\Windows\SysWOW64\25321\svchost.exe
  C:\Windows\System32\25321\svchost.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3120

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
1⤵
PID:3168

C:\Windows\SysWOW64\25321\svchost.exe
C:\Windows\System32\25321\svchost.exe
1⤵
PID:232
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
  2⤵
  PID:5812
- C:\Windows\SysWOW64\25321\svchost.exe
  C:\Windows\System32\25321\svchost.exe
  2⤵
  PID:6216

C:\Windows\SysWOW64\25321\svchost.exe
C:\Windows\System32\25321\svchost.exe
1⤵
PID:6036
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
  2⤵
  PID:5472

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
1⤵
PID:6224

C:\Windows\SysWOW64\25321\svchost.exe
C:\Windows\System32\25321\svchost.exe
1⤵
PID:6272
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
  2⤵
  PID:6268
- C:\Windows\SysWOW64\25321\svchost.exe
  C:\Windows\System32\25321\svchost.exe
  2⤵
  PID:6368

C:\Windows\SysWOW64\25321\svchost.exe
C:\Windows\System32\25321\svchost.exe
1⤵
PID:6588
- C:\Windows\SysWOW64\25321\svchost.exe
  C:\Windows\System32\25321\svchost.exe
  2⤵
  PID:6660
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
    3⤵
    PID:5988
- - C:\Windows\SysWOW64\25321\svchost.exe
    C:\Windows\System32\25321\svchost.exe
    3⤵
    PID:6816
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
  2⤵
  PID:6288

C:\Windows\SysWOW64\25321\svchost.exe
C:\Windows\System32\25321\svchost.exe
1⤵
PID:7076

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
1⤵
PID:7132

C:\Windows\SysWOW64\25321\svchost.exe
C:\Windows\System32\25321\svchost.exe
1⤵
PID:6452
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
  2⤵
  PID:6092
- C:\Windows\SysWOW64\25321\svchost.exe
  C:\Windows\System32\25321\svchost.exe
  2⤵
  PID:4784

C:\Windows\SysWOW64\25321\svchost.exe
C:\Windows\System32\25321\svchost.exe
1⤵
PID:5728

C:\Windows\SysWOW64\25321\svchost.exe
C:\Windows\System32\25321\svchost.exe
1⤵
PID:212
- C:\Windows\SysWOW64\25321\svchost.exe
  C:\Windows\System32\25321\svchost.exe
  2⤵
  PID:5328
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
    3⤵
    PID:6048
- - C:\Windows\SysWOW64\25321\svchost.exe
    C:\Windows\System32\25321\svchost.exe
    3⤵
    PID:6732
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
  2⤵
  PID:6596
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
  2⤵
  PID:5900
- C:\Windows\SysWOW64\25321\svchost.exe
  C:\Windows\System32\25321\svchost.exe
  2⤵
  PID:5060

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
1⤵
PID:5576

C:\Windows\SysWOW64\25321\svchost.exe
C:\Windows\System32\25321\svchost.exe
1⤵
PID:5584
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
  2⤵
  PID:6176
- C:\Windows\SysWOW64\25321\svchost.exe
  C:\Windows\System32\25321\svchost.exe
  2⤵
  PID:5356
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
  2⤵
  PID:964
- C:\Windows\SysWOW64\25321\svchost.exe
  C:\Windows\System32\25321\svchost.exe
  2⤵
  PID:5680

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
1⤵
PID:5348

C:\Windows\SysWOW64\25321\svchost.exe
C:\Windows\System32\25321\svchost.exe
1⤵
PID:6012
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
  2⤵
  PID:7412
- C:\Windows\SysWOW64\25321\svchost.exe
  C:\Windows\System32\25321\svchost.exe
  2⤵
  PID:1320

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
1⤵
PID:6864

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
1⤵
PID:6420

C:\Windows\SysWOW64\25321\svchost.exe
C:\Windows\System32\25321\svchost.exe
1⤵
PID:6472
- C:\Windows\SysWOW64\25321\svchost.exe
  C:\Windows\System32\25321\svchost.exe
  2⤵
  PID:6712
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
    3⤵
    PID:7692
- - C:\Windows\SysWOW64\25321\svchost.exe
    C:\Windows\System32\25321\svchost.exe
    3⤵
    PID:5732
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
  2⤵
  PID:7628

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
1⤵
PID:6416

C:\Windows\SysWOW64\25321\svchost.exe
C:\Windows\System32\25321\svchost.exe
1⤵
PID:5540
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
  2⤵
  PID:7740
- C:\Windows\SysWOW64\25321\svchost.exe
  C:\Windows\System32\25321\svchost.exe
  2⤵
  PID:7140

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
1⤵
PID:5392

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
1⤵
PID:4840

C:\Windows\SysWOW64\25321\svchost.exe
C:\Windows\System32\25321\svchost.exe
1⤵
PID:5192
- C:\Windows\SysWOW64\25321\svchost.exe
  C:\Windows\System32\25321\svchost.exe
  2⤵
  PID:2704
- - C:\Windows\SysWOW64\25321\svchost.exe
    C:\Windows\System32\25321\svchost.exe
    3⤵
    PID:5644
  - - C:\Windows\SysWOW64\25321\svchost.exe
      C:\Windows\System32\25321\svchost.exe
      4⤵
      PID:6784
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
        5⤵
        
        PID:7768
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
      4⤵
      PID:8844
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
    3⤵
    PID:5144
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
      4⤵
      PID:2136
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
  2⤵
  PID:6816
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
    3⤵
    PID:5220
  - - C:\Windows\SysWOW64\25321\svchost.exe
      C:\Windows\System32\25321\svchost.exe
      4⤵
      PID:5424
- - C:\Windows\SysWOW64\25321\svchost.exe
    C:\Windows\System32\25321\svchost.exe
    3⤵
    PID:6880

C:\Windows\SysWOW64\25321\svchost.exe
C:\Windows\System32\25321\svchost.exe
1⤵
PID:7260
- C:\Windows\SysWOW64\25321\svchost.exe
  C:\Windows\System32\25321\svchost.exe
  2⤵
  PID:7348
- - C:\Windows\SysWOW64\25321\svchost.exe
    C:\Windows\System32\25321\svchost.exe
    3⤵
    PID:7404
  - - C:\Windows\SysWOW64\25321\svchost.exe
      C:\Windows\System32\25321\svchost.exe
      4⤵
      PID:7476
    - - C:\Windows\SysWOW64\25321\svchost.exe
        
        C:\Windows\System32\25321\svchost.exe
        5⤵
        
        PID:7576
      - C:\Windows\SysWOW64\25321\svchost.exe
        
        C:\Windows\System32\25321\svchost.exe
        6⤵
        
        PID:7664
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
        6⤵
        
        PID:7180
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
        5⤵
        
        PID:7228
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
      4⤵
      PID:4548
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
        5⤵
        
        PID:5880
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
    3⤵
    PID:7956
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
  2⤵
  PID:7564

C:\Windows\SysWOW64\25321\svchost.exe
C:\Windows\System32\25321\svchost.exe
1⤵
PID:7180
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
  2⤵
  PID:7428

C:\Windows\SysWOW64\25321\svchost.exe
C:\Windows\System32\25321\svchost.exe
1⤵
PID:7884
- C:\Windows\SysWOW64\25321\svchost.exe
  C:\Windows\System32\25321\svchost.exe
  2⤵
  PID:7932
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
    3⤵
    PID:8404
- - C:\Windows\SysWOW64\25321\svchost.exe
    C:\Windows\System32\25321\svchost.exe
    3⤵
    PID:7972
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
  2⤵
  PID:8288

C:\Windows\SysWOW64\25321\svchost.exe
C:\Windows\System32\25321\svchost.exe
1⤵
PID:7792
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
  2⤵
  PID:7396

C:\Windows\SysWOW64\25321\svchost.exe
C:\Windows\System32\25321\svchost.exe
1⤵
PID:8064
- C:\Windows\SysWOW64\25321\svchost.exe
  C:\Windows\System32\25321\svchost.exe
  2⤵
  PID:8144
- - C:\Windows\SysWOW64\25321\svchost.exe
    C:\Windows\System32\25321\svchost.exe
    3⤵
    PID:8180
  - - C:\Windows\SysWOW64\25321\svchost.exe
      C:\Windows\System32\25321\svchost.exe
      4⤵
      PID:1516
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
      4⤵
      PID:8820
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
    3⤵
    PID:8676
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
  2⤵
  PID:8728

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
1⤵
PID:7284

C:\Windows\SysWOW64\25321\svchost.exe
C:\Windows\System32\25321\svchost.exe
1⤵
PID:7304
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
  2⤵
  PID:7720
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
    3⤵
    PID:7460

C:\Windows\SysWOW64\25321\svchost.exe
C:\Windows\System32\25321\svchost.exe
1⤵
PID:6992
- C:\Windows\SysWOW64\25321\svchost.exe
  C:\Windows\System32\25321\svchost.exe
  2⤵
  PID:7808
- - C:\Windows\SysWOW64\25321\svchost.exe
    C:\Windows\System32\25321\svchost.exe
    3⤵
    PID:8060
  - - C:\Windows\SysWOW64\25321\svchost.exe
      C:\Windows\System32\25321\svchost.exe
      4⤵
      PID:2260
    - - C:\Windows\SysWOW64\25321\svchost.exe
        
        C:\Windows\System32\25321\svchost.exe
        5⤵
        
        PID:7996
      - C:\Windows\SysWOW64\25321\svchost.exe
        
        C:\Windows\System32\25321\svchost.exe
        6⤵
        
        PID:6648
        
        C:\Windows\SysWOW64\25321\svchost.exe
        
        C:\Windows\System32\25321\svchost.exe
        7⤵
        
        PID:7076
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
        8⤵
        
        PID:3516
        
        C:\Windows\SysWOW64\25321\svchost.exe
        
        C:\Windows\System32\25321\svchost.exe
        8⤵
        
        PID:5644
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
        9⤵
        
        PID:4528
        
        C:\Windows\SysWOW64\25321\svchost.exe
        
        C:\Windows\System32\25321\svchost.exe
        9⤵
        
        PID:5276
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
        8⤵
        
        PID:5240
        
        C:\Windows\SysWOW64\25321\svchost.exe
        
        C:\Windows\System32\25321\svchost.exe
        8⤵
        
        PID:4792
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
        5⤵
        
        PID:3344
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
        5⤵
        
        PID:8012
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
      4⤵
      PID:8360
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
    3⤵
    PID:5456

C:\Windows\SysWOW64\25321\svchost.exe
C:\Windows\System32\25321\svchost.exe
1⤵
PID:6380
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
  2⤵
  PID:2344
- C:\Windows\SysWOW64\25321\svchost.exe
  C:\Windows\System32\25321\svchost.exe
  2⤵
  PID:7056
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
    3⤵
    PID:6996
- - C:\Windows\SysWOW64\25321\svchost.exe
    C:\Windows\System32\25321\svchost.exe
    3⤵
    PID:5420

C:\Windows\SysWOW64\25321\svchost.exe
C:\Windows\System32\25321\svchost.exe
1⤵
PID:7352
- C:\Windows\SysWOW64\25321\svchost.exe
  C:\Windows\System32\25321\svchost.exe
  2⤵
  PID:5728
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
    3⤵
    PID:7940
- - C:\Windows\SysWOW64\25321\svchost.exe
    C:\Windows\System32\25321\svchost.exe
    3⤵
    PID:7192
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
    3⤵
    PID:5976
- - C:\Windows\SysWOW64\25321\svchost.exe
    C:\Windows\System32\25321\svchost.exe
    3⤵
    PID:7056

C:\Windows\SysWOW64\25321\svchost.exe
C:\Windows\System32\25321\svchost.exe
1⤵
PID:7728
- C:\Windows\SysWOW64\25321\svchost.exe
  C:\Windows\System32\25321\svchost.exe
  2⤵
  PID:7784
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
  2⤵
  PID:5196

C:\Windows\SysWOW64\25321\svchost.exe
C:\Windows\System32\25321\svchost.exe
1⤵
PID:8456
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
  2⤵
  PID:7352
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
    3⤵
    PID:7788
- C:\Windows\SysWOW64\25321\svchost.exe
  C:\Windows\System32\25321\svchost.exe
  2⤵
  PID:8536

C:\Windows\SysWOW64\25321\svchost.exe
C:\Windows\System32\25321\svchost.exe
1⤵
PID:8612
- C:\Windows\SysWOW64\25321\svchost.exe
  C:\Windows\System32\25321\svchost.exe
  2⤵
  PID:8708
- - C:\Windows\SysWOW64\25321\svchost.exe
    C:\Windows\System32\25321\svchost.exe
    3⤵
    PID:8772
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
      4⤵
      PID:1792
  - - C:\Windows\SysWOW64\25321\svchost.exe
      C:\Windows\System32\25321\svchost.exe
      4⤵
      PID:8884
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
  2⤵
  PID:8448

C:\Windows\SysWOW64\25321\svchost.exe
C:\Windows\System32\25321\svchost.exe
1⤵
PID:9052
- C:\Windows\SysWOW64\25321\svchost.exe
  C:\Windows\System32\25321\svchost.exe
  2⤵
  PID:9140
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
    3⤵
    PID:9060
- - C:\Windows\SysWOW64\25321\svchost.exe
    C:\Windows\System32\25321\svchost.exe
    3⤵
    PID:7688
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
  2⤵
  PID:9352

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
1⤵
PID:8272

C:\Windows\SysWOW64\25321\svchost.exe
C:\Windows\System32\25321\svchost.exe
1⤵
PID:8164
- C:\Windows\SysWOW64\25321\svchost.exe
  C:\Windows\System32\25321\svchost.exe
  2⤵
  PID:8344
- - C:\Windows\SysWOW64\25321\svchost.exe
    C:\Windows\System32\25321\svchost.exe
    3⤵
    PID:7532
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
      4⤵
      PID:9812
  - - C:\Windows\SysWOW64\25321\svchost.exe
      C:\Windows\System32\25321\svchost.exe
      4⤵
      PID:9360
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
        5⤵
        
        PID:10148
    - - C:\Windows\SysWOW64\25321\svchost.exe
        
        C:\Windows\System32\25321\svchost.exe
        5⤵
        
        PID:9088
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
    3⤵
    PID:9572
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
  2⤵
  PID:9292

C:\Windows\SysWOW64\25321\svchost.exe
C:\Windows\System32\25321\svchost.exe
1⤵
PID:2032
- C:\Windows\SysWOW64\25321\svchost.exe
  C:\Windows\System32\25321\svchost.exe
  2⤵
  PID:8688
- - C:\Windows\SysWOW64\25321\svchost.exe
    C:\Windows\System32\25321\svchost.exe
    3⤵
    PID:9076
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
      4⤵
      PID:9904
  - - C:\Windows\SysWOW64\25321\svchost.exe
      C:\Windows\System32\25321\svchost.exe
      4⤵
      PID:7264
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
    3⤵
    PID:9772
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
  2⤵
  PID:9884

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
1⤵
PID:7944

C:\Windows\SysWOW64\25321\svchost.exe
C:\Windows\System32\25321\svchost.exe
1⤵
PID:7656
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
  2⤵
  PID:10140
- C:\Windows\SysWOW64\25321\svchost.exe
  C:\Windows\System32\25321\svchost.exe
  2⤵
  PID:8316

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
1⤵
PID:8624

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
1⤵
PID:3468

C:\Windows\SysWOW64\25321\svchost.exe
C:\Windows\System32\25321\svchost.exe
1⤵
PID:8224
- C:\Windows\SysWOW64\25321\svchost.exe
  C:\Windows\System32\25321\svchost.exe
  2⤵
  PID:8472
- - C:\Windows\SysWOW64\25321\svchost.exe
    C:\Windows\System32\25321\svchost.exe
    3⤵
    PID:8392
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
    3⤵
    PID:10224
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
  2⤵
  PID:10216

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
1⤵
PID:9176

C:\Windows\SysWOW64\25321\svchost.exe
C:\Windows\System32\25321\svchost.exe
1⤵
PID:6592
- C:\Windows\SysWOW64\25321\svchost.exe
  C:\Windows\System32\25321\svchost.exe
  2⤵
  PID:8752
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
    3⤵
    PID:6992
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
      4⤵
      PID:8552
- - C:\Windows\SysWOW64\25321\svchost.exe
    C:\Windows\System32\25321\svchost.exe
    3⤵
    PID:9240
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
  2⤵
  PID:7388

C:\Windows\SysWOW64\25321\svchost.exe
C:\Windows\System32\25321\svchost.exe
1⤵
PID:9308
- C:\Windows\SysWOW64\25321\svchost.exe
  C:\Windows\System32\25321\svchost.exe
  2⤵
  PID:9448
- - C:\Windows\SysWOW64\25321\svchost.exe
    C:\Windows\System32\25321\svchost.exe
    3⤵
    PID:9524
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
      4⤵
      PID:7996
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
        5⤵
        
        PID:7344
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
        6⤵
        
        PID:9004
      - C:\Windows\SysWOW64\25321\svchost.exe
        
        C:\Windows\System32\25321\svchost.exe
        6⤵
        
        PID:5188
  - - C:\Windows\SysWOW64\25321\svchost.exe
      C:\Windows\System32\25321\svchost.exe
      4⤵
      PID:9656
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
    3⤵
    PID:7268
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
  2⤵
  PID:8892

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
1⤵
PID:9700

C:\Windows\SysWOW64\25321\svchost.exe
C:\Windows\System32\25321\svchost.exe
1⤵
PID:9804
- C:\Windows\SysWOW64\25321\svchost.exe
  C:\Windows\System32\25321\svchost.exe
  2⤵
  PID:10024
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
    3⤵
    PID:9876
- - C:\Windows\SysWOW64\25321\svchost.exe
    C:\Windows\System32\25321\svchost.exe
    3⤵
    PID:10100
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
  2⤵
  PID:9664

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
1⤵
PID:9984

C:\Windows\SysWOW64\25321\svchost.exe
C:\Windows\System32\25321\svchost.exe
1⤵
PID:9280
- C:\Windows\SysWOW64\25321\svchost.exe
  C:\Windows\System32\25321\svchost.exe
  2⤵
  PID:7916
- - C:\Windows\SysWOW64\25321\svchost.exe
    C:\Windows\System32\25321\svchost.exe
    3⤵
    PID:9180
  - - C:\Windows\SysWOW64\25321\svchost.exe
      C:\Windows\System32\25321\svchost.exe
      4⤵
      PID:6472
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
        5⤵
        
        PID:9720
    - - C:\Windows\SysWOW64\25321\svchost.exe
        
        C:\Windows\System32\25321\svchost.exe
        5⤵
        
        PID:3156
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
      4⤵
      PID:3968
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
    3⤵
    PID:7904
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
  2⤵
  PID:9504

C:\Windows\SysWOW64\25321\svchost.exe
C:\Windows\System32\25321\svchost.exe
1⤵
PID:8028
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
  2⤵
  PID:8040
- C:\Windows\SysWOW64\25321\svchost.exe
  C:\Windows\System32\25321\svchost.exe
  2⤵
  PID:7532
- - C:\Windows\SysWOW64\25321\svchost.exe
    C:\Windows\System32\25321\svchost.exe
    3⤵
    PID:7388

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
1⤵
PID:6744

C:\Windows\SysWOW64\25321\svchost.exe
C:\Windows\System32\25321\svchost.exe
1⤵
PID:9764
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
  2⤵
  PID:10484
- C:\Windows\SysWOW64\25321\svchost.exe
  C:\Windows\System32\25321\svchost.exe
  2⤵
  PID:9304
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
    3⤵
    PID:10676

C:\Windows\SysWOW64\25321\svchost.exe
C:\Windows\System32\25321\svchost.exe
1⤵
PID:6648
- C:\Windows\SysWOW64\25321\svchost.exe
  C:\Windows\System32\25321\svchost.exe
  2⤵
  PID:9252
- - C:\Windows\SysWOW64\25321\svchost.exe
    C:\Windows\System32\25321\svchost.exe
    3⤵
    PID:8972
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
  2⤵
  PID:10664
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
  2⤵
  PID:8572

C:\Windows\SysWOW64\25321\svchost.exe
C:\Windows\System32\25321\svchost.exe
1⤵
PID:9648
- C:\Windows\SysWOW64\25321\svchost.exe
  C:\Windows\System32\25321\svchost.exe
  2⤵
  PID:7896
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
    3⤵
    PID:12212
- - C:\Windows\SysWOW64\25321\svchost.exe
    C:\Windows\System32\25321\svchost.exe
    3⤵
    PID:11240
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
  2⤵
  PID:12124

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
1⤵
PID:9056

C:\Windows\SysWOW64\25321\svchost.exe
C:\Windows\System32\25321\svchost.exe
1⤵
PID:9808
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
  2⤵
  PID:11064
- C:\Windows\SysWOW64\25321\svchost.exe
  C:\Windows\System32\25321\svchost.exe
  2⤵
  PID:10124

C:\Windows\SysWOW64\25321\svchost.exe
C:\Windows\System32\25321\svchost.exe
1⤵
PID:10008
- C:\Windows\SysWOW64\25321\svchost.exe
  C:\Windows\System32\25321\svchost.exe
  2⤵
  PID:10184
- - C:\Windows\SysWOW64\25321\svchost.exe
    C:\Windows\System32\25321\svchost.exe
    3⤵
    PID:5372
  - - C:\Windows\SysWOW64\25321\svchost.exe
      C:\Windows\System32\25321\svchost.exe
      4⤵
      PID:8392
    - - C:\Windows\SysWOW64\25321\svchost.exe
        
        C:\Windows\System32\25321\svchost.exe
        5⤵
        
        PID:9980
      - C:\Windows\SysWOW64\25321\svchost.exe
        
        C:\Windows\System32\25321\svchost.exe
        6⤵
        
        PID:10112
        
        C:\Windows\SysWOW64\25321\svchost.exe
        
        C:\Windows\System32\25321\svchost.exe
        7⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
        8⤵
        
        PID:10656
        
        C:\Windows\SysWOW64\25321\svchost.exe
        
        C:\Windows\System32\25321\svchost.exe
        8⤵
        
        PID:9968
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
        8⤵
        
        PID:8668
        
        C:\Windows\SysWOW64\25321\svchost.exe
        
        C:\Windows\System32\25321\svchost.exe
        8⤵
        
        PID:6732
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
        9⤵
        
        PID:6748
        
        C:\Windows\SysWOW64\25321\svchost.exe
        
        C:\Windows\System32\25321\svchost.exe
        9⤵
        
        PID:6632
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
        7⤵
        
        PID:10412
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
        6⤵
        
        PID:10268
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
        5⤵
        
        PID:10828
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
      4⤵
      PID:2336
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
    3⤵
    PID:7620
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
  2⤵
  PID:2060

C:\Windows\SysWOW64\25321\svchost.exe
C:\Windows\System32\25321\svchost.exe
1⤵
PID:1492
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
  2⤵
  PID:9252
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
    3⤵
    PID:10756
- C:\Windows\SysWOW64\25321\svchost.exe
  C:\Windows\System32\25321\svchost.exe
  2⤵
  PID:7688
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
    3⤵
    PID:9220
- - C:\Windows\SysWOW64\25321\svchost.exe
    C:\Windows\System32\25321\svchost.exe
    3⤵
    PID:8380

C:\Windows\SysWOW64\25321\svchost.exe
C:\Windows\System32\25321\svchost.exe
1⤵
PID:5360
- C:\Windows\SysWOW64\25321\svchost.exe
  C:\Windows\System32\25321\svchost.exe
  2⤵
  PID:10312
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
    3⤵
    PID:11120
- - C:\Windows\SysWOW64\25321\svchost.exe
    C:\Windows\System32\25321\svchost.exe
    3⤵
    PID:10372
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
  2⤵
  PID:8264

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
1⤵
PID:10404

C:\Windows\SysWOW64\25321\svchost.exe
C:\Windows\System32\25321\svchost.exe
1⤵
PID:10516
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
  2⤵
  PID:10952
- C:\Windows\SysWOW64\25321\svchost.exe
  C:\Windows\System32\25321\svchost.exe
  2⤵
  PID:10592

C:\Windows\SysWOW64\25321\svchost.exe
C:\Windows\System32\25321\svchost.exe
1⤵
PID:10704
- C:\Windows\SysWOW64\25321\svchost.exe
  C:\Windows\System32\25321\svchost.exe
  2⤵
  PID:10832
- - C:\Windows\SysWOW64\25321\svchost.exe
    C:\Windows\System32\25321\svchost.exe
    3⤵
    PID:10912
  - - C:\Windows\SysWOW64\25321\svchost.exe
      C:\Windows\System32\25321\svchost.exe
      4⤵
      PID:10984
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
        5⤵
        
        PID:10720
    - - C:\Windows\SysWOW64\25321\svchost.exe
        
        C:\Windows\System32\25321\svchost.exe
        5⤵
        
        PID:11100
  - - C:\Windows\SysWOW64\25321\svchost.exe
      C:\Windows\System32\25321\svchost.exe
      4⤵
      PID:9028
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
        5⤵
        
        PID:13136
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
    3⤵
    PID:11040
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
  2⤵
  PID:10376

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
1⤵
PID:11020

C:\Windows\SysWOW64\25321\svchost.exe
C:\Windows\System32\25321\svchost.exe
1⤵
PID:11180
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
  2⤵
  PID:10852
- C:\Windows\SysWOW64\25321\svchost.exe
  C:\Windows\System32\25321\svchost.exe
  2⤵
  PID:11244

C:\Windows\SysWOW64\25321\svchost.exe
C:\Windows\System32\25321\svchost.exe
1⤵
PID:9820
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
  2⤵
  PID:11324
- C:\Windows\SysWOW64\25321\svchost.exe
  C:\Windows\System32\25321\svchost.exe
  2⤵
  PID:9144

C:\Windows\SysWOW64\25321\svchost.exe
C:\Windows\System32\25321\svchost.exe
1⤵
PID:9460
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
  2⤵
  PID:11708
- C:\Windows\SysWOW64\25321\svchost.exe
  C:\Windows\System32\25321\svchost.exe
  2⤵
  PID:2140

C:\Windows\SysWOW64\25321\svchost.exe
C:\Windows\System32\25321\svchost.exe
1⤵
PID:10352
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
  2⤵
  PID:11840
- C:\Windows\SysWOW64\25321\svchost.exe
  C:\Windows\System32\25321\svchost.exe
  2⤵
  PID:9648
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
    3⤵
    PID:10888
- - C:\Windows\SysWOW64\25321\svchost.exe
    C:\Windows\System32\25321\svchost.exe
    3⤵
    PID:9544

C:\Windows\SysWOW64\25321\svchost.exe
C:\Windows\System32\25321\svchost.exe
1⤵
PID:7304
- C:\Windows\SysWOW64\25321\svchost.exe
  C:\Windows\System32\25321\svchost.exe
  2⤵
  PID:9420
- - C:\Windows\SysWOW64\25321\svchost.exe
    C:\Windows\System32\25321\svchost.exe
    3⤵
    PID:11032
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
      4⤵
      PID:11460
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
    3⤵
    PID:11372
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
  2⤵
  PID:1212
- C:\Windows\SysWOW64\25321\svchost.exe
  C:\Windows\System32\25321\svchost.exe
  2⤵
  PID:7660

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
1⤵
PID:8392
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
  2⤵
  PID:2508
- C:\Windows\SysWOW64\25321\svchost.exe
  C:\Windows\System32\25321\svchost.exe
  2⤵
  PID:8604

C:\Windows\SysWOW64\25321\svchost.exe
C:\Windows\System32\25321\svchost.exe
1⤵
PID:10876
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
  2⤵
  PID:9992
- C:\Windows\SysWOW64\25321\svchost.exe
  C:\Windows\System32\25321\svchost.exe
  2⤵
  PID:3076
- - C:\Windows\SysWOW64\25321\svchost.exe
    C:\Windows\System32\25321\svchost.exe
    3⤵
    PID:14624
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
      4⤵
      PID:14964

C:\Windows\SysWOW64\25321\svchost.exe
C:\Windows\System32\25321\svchost.exe
1⤵
PID:9536
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
  2⤵
  PID:11924
- C:\Windows\SysWOW64\25321\svchost.exe
  C:\Windows\System32\25321\svchost.exe
  2⤵
  PID:7516

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
1⤵
PID:10440

C:\Windows\SysWOW64\25321\svchost.exe
C:\Windows\System32\25321\svchost.exe
1⤵
PID:4812
- C:\Windows\SysWOW64\25321\svchost.exe
  C:\Windows\System32\25321\svchost.exe
  2⤵
  PID:10864
- - C:\Windows\SysWOW64\25321\svchost.exe
    C:\Windows\System32\25321\svchost.exe
    3⤵
    PID:9452
  - - C:\Windows\SysWOW64\25321\svchost.exe
      C:\Windows\System32\25321\svchost.exe
      4⤵
      PID:11316
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
        5⤵
        
        PID:12000
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
      4⤵
      PID:6436
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
    3⤵
    PID:11140
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
  2⤵
  PID:11904
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
  2⤵
  PID:3308

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
1⤵
PID:7644

C:\Windows\SysWOW64\25321\svchost.exe
C:\Windows\System32\25321\svchost.exe
1⤵
PID:11492
- C:\Windows\SysWOW64\25321\svchost.exe
  C:\Windows\System32\25321\svchost.exe
  2⤵
  PID:11540
- - C:\Windows\SysWOW64\25321\svchost.exe
    C:\Windows\System32\25321\svchost.exe
    3⤵
    PID:11660
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
      4⤵
      PID:11572
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
    3⤵
    PID:8028
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
  2⤵
  PID:10444

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
1⤵
PID:11588

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
1⤵
PID:11616

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
1⤵
PID:11684

C:\Windows\SysWOW64\25321\svchost.exe
C:\Windows\System32\25321\svchost.exe
1⤵
PID:11776
- C:\Windows\SysWOW64\25321\svchost.exe
  C:\Windows\System32\25321\svchost.exe
  2⤵
  PID:11876
- - C:\Windows\SysWOW64\25321\svchost.exe
    C:\Windows\System32\25321\svchost.exe
    3⤵
    PID:11936
  - - C:\Windows\SysWOW64\25321\svchost.exe
      C:\Windows\System32\25321\svchost.exe
      4⤵
      PID:12012
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
        5⤵
        
        PID:12696
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
      4⤵
      PID:12860
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
    3⤵
    PID:12688
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
  2⤵
  PID:12788

C:\Windows\SysWOW64\25321\svchost.exe
C:\Windows\System32\25321\svchost.exe
1⤵
PID:12172
- C:\Windows\SysWOW64\25321\svchost.exe
  C:\Windows\System32\25321\svchost.exe
  2⤵
  PID:12236
- - C:\Windows\SysWOW64\25321\svchost.exe
    C:\Windows\System32\25321\svchost.exe
    3⤵
    PID:11224
  - - C:\Windows\SysWOW64\25321\svchost.exe
      C:\Windows\System32\25321\svchost.exe
      4⤵
      PID:10912
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
        5⤵
        
        PID:8972
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
        6⤵
        
        PID:10896
      - C:\Windows\SysWOW64\25321\svchost.exe
        
        C:\Windows\System32\25321\svchost.exe
        6⤵
        
        PID:9344
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
        5⤵
        
        PID:13232
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
      4⤵
      PID:13088
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
    3⤵
    PID:12984
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
  2⤵
  PID:13096

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
1⤵
PID:12244

C:\Windows\SysWOW64\25321\svchost.exe
C:\Windows\System32\25321\svchost.exe
1⤵
PID:10476
- C:\Windows\SysWOW64\25321\svchost.exe
  C:\Windows\System32\25321\svchost.exe
  2⤵
  PID:10940
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
    3⤵
    PID:12280
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
  2⤵
  PID:11824

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
1⤵
PID:7664
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
  2⤵
  PID:4268
- C:\Windows\SysWOW64\25321\svchost.exe
  C:\Windows\System32\25321\svchost.exe
  2⤵
  PID:7720

C:\Windows\SysWOW64\25321\svchost.exe
C:\Windows\System32\25321\svchost.exe
1⤵
PID:10976
- C:\Windows\SysWOW64\25321\svchost.exe
  C:\Windows\System32\25321\svchost.exe
  2⤵
  PID:10552
- - C:\Windows\SysWOW64\25321\svchost.exe
    C:\Windows\System32\25321\svchost.exe
    3⤵
    PID:7872
  - - C:\Windows\SysWOW64\25321\svchost.exe
      C:\Windows\System32\25321\svchost.exe
      4⤵
      PID:10944
    - - C:\Windows\SysWOW64\25321\svchost.exe
        
        C:\Windows\System32\25321\svchost.exe
        5⤵
        
        PID:12036
      - C:\Windows\SysWOW64\25321\svchost.exe
        
        C:\Windows\System32\25321\svchost.exe
        6⤵
        
        PID:12048
        
        C:\Windows\SysWOW64\25321\svchost.exe
        
        C:\Windows\System32\25321\svchost.exe
        7⤵
        
        PID:6556
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
        8⤵
        
        PID:6620
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
        7⤵
        
        PID:11700
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
        6⤵
        
        PID:7104
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
        5⤵
        
        PID:11520
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
      4⤵
      PID:11576
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
    3⤵
    PID:11440
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
  2⤵
  PID:12200

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
1⤵
PID:9668

C:\Windows\SysWOW64\25321\svchost.exe
C:\Windows\System32\25321\svchost.exe
1⤵
PID:10384
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
  2⤵
  PID:12920

C:\Windows\SysWOW64\25321\svchost.exe
C:\Windows\System32\25321\svchost.exe
1⤵
PID:9304
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
  2⤵
  PID:10748
- C:\Windows\SysWOW64\25321\svchost.exe
  C:\Windows\System32\25321\svchost.exe
  2⤵
  PID:5744

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
1⤵
PID:10688

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
1⤵
PID:10448

C:\Windows\SysWOW64\25321\svchost.exe
C:\Windows\System32\25321\svchost.exe
1⤵
PID:11528
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
  2⤵
  PID:6656

C:\Windows\SysWOW64\25321\svchost.exe
C:\Windows\System32\25321\svchost.exe
1⤵
PID:12104
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
  2⤵
  PID:12976

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
1⤵
PID:11716

C:\Windows\SysWOW64\25321\svchost.exe
C:\Windows\System32\25321\svchost.exe
1⤵
PID:11444
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
  2⤵
  PID:10844

C:\Windows\SysWOW64\25321\svchost.exe
C:\Windows\System32\25321\svchost.exe
1⤵
PID:11384
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
  2⤵
  PID:11900

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
1⤵
PID:7532
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
  2⤵
  PID:244

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
1⤵
PID:10244

C:\Windows\SysWOW64\25321\svchost.exe
C:\Windows\System32\25321\svchost.exe
1⤵
PID:9088
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
  2⤵
  PID:4156
- C:\Windows\SysWOW64\25321\svchost.exe
  C:\Windows\System32\25321\svchost.exe
  2⤵
  PID:9484

C:\Windows\SysWOW64\25321\svchost.exe
C:\Windows\System32\25321\svchost.exe
1⤵
PID:10020

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
1⤵
PID:7264
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
  2⤵
  PID:9868
- C:\Windows\SysWOW64\25321\svchost.exe
  C:\Windows\System32\25321\svchost.exe
  2⤵
  PID:8052

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
1⤵
PID:4856

C:\Windows\SysWOW64\25321\svchost.exe
C:\Windows\System32\25321\svchost.exe
1⤵
PID:10456

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
1⤵
PID:11108

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
1⤵
PID:11072

C:\Windows\SysWOW64\25321\svchost.exe
C:\Windows\System32\25321\svchost.exe
1⤵
PID:10648

C:\Windows\SysWOW64\25321\svchost.exe
C:\Windows\System32\25321\svchost.exe
1⤵
PID:10444

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
1⤵
PID:10336

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
1⤵
PID:10272

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
1⤵
PID:9464

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
1⤵
PID:5460

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
1⤵
PID:9388

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
1⤵
PID:8708
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
  2⤵
  PID:7784
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
    3⤵
    PID:7796
- - C:\Windows\SysWOW64\25321\svchost.exe
    C:\Windows\System32\25321\svchost.exe
    3⤵
    PID:8276

C:\Windows\SysWOW64\25321\svchost.exe
C:\Windows\System32\25321\svchost.exe
1⤵
PID:5852

C:\Windows\SysWOW64\25321\svchost.exe
C:\Windows\System32\25321\svchost.exe
1⤵
PID:7880

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
1⤵
PID:6372

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
1⤵
PID:8712

C:\Windows\SysWOW64\25321\svchost.exe
C:\Windows\System32\25321\svchost.exe
1⤵
PID:8312

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
1⤵
PID:8172

C:\Windows\SysWOW64\25321\svchost.exe
C:\Windows\System32\25321\svchost.exe
1⤵
PID:8988

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
1⤵
PID:10064

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
1⤵
PID:9996

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
1⤵
PID:8916

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
1⤵
PID:7316

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
1⤵
PID:9104

C:\Windows\SysWOW64\25321\svchost.exe
C:\Windows\System32\25321\svchost.exe
1⤵
PID:10332
- C:\Windows\SysWOW64\25321\svchost.exe
  C:\Windows\System32\25321\svchost.exe
  2⤵
  PID:7112
- - C:\Windows\SysWOW64\25321\svchost.exe
    C:\Windows\System32\25321\svchost.exe
    3⤵
    PID:11544
  - - C:\Windows\SysWOW64\25321\svchost.exe
      C:\Windows\System32\25321\svchost.exe
      4⤵
      PID:12332
    - - C:\Windows\SysWOW64\25321\svchost.exe
        
        C:\Windows\System32\25321\svchost.exe
        5⤵
        
        PID:12528
      - C:\Windows\SysWOW64\25321\svchost.exe
        
        C:\Windows\System32\25321\svchost.exe
        6⤵
        
        PID:12628
        
        C:\Windows\SysWOW64\25321\svchost.exe
        
        C:\Windows\System32\25321\svchost.exe
        7⤵
        
        PID:12780
        
        C:\Windows\SysWOW64\25321\svchost.exe
        
        C:\Windows\System32\25321\svchost.exe
        8⤵
        
        PID:12908
        
        C:\Windows\SysWOW64\25321\svchost.exe
        
        C:\Windows\System32\25321\svchost.exe
        9⤵
        
        PID:13024
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
        10⤵
        
        PID:14084
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
        9⤵
        
        PID:13472
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
        8⤵
        
        PID:13464
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
        7⤵
        
        PID:12940
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
        6⤵
        
        PID:13420
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
        5⤵
        
        PID:11104
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
      4⤵
      PID:7200
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
    3⤵
    PID:8180
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
  2⤵
  PID:12824

C:\Windows\SysWOW64\25321\svchost.exe
C:\Windows\System32\25321\svchost.exe
1⤵
PID:8920
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
  2⤵
  PID:11232

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
1⤵
PID:8208

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
1⤵
PID:8640

C:\Windows\SysWOW64\25321\svchost.exe
C:\Windows\System32\25321\svchost.exe
1⤵
PID:8796

C:\Windows\SysWOW64\25321\svchost.exe
C:\Windows\System32\25321\svchost.exe
1⤵
PID:4644

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
1⤵
PID:8368

C:\Windows\SysWOW64\25321\svchost.exe
C:\Windows\System32\25321\svchost.exe
1⤵
PID:8484

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
1⤵
PID:7876

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
1⤵
PID:7908

C:\Windows\SysWOW64\25321\svchost.exe
C:\Windows\System32\25321\svchost.exe
1⤵
PID:8944

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
1⤵
PID:8828

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
1⤵
PID:8412

C:\Windows\SysWOW64\25321\svchost.exe
C:\Windows\System32\25321\svchost.exe
1⤵
PID:8384

C:\Windows\SysWOW64\25321\svchost.exe
C:\Windows\System32\25321\svchost.exe
1⤵
PID:3152

C:\Windows\SysWOW64\25321\svchost.exe
C:\Windows\System32\25321\svchost.exe
1⤵
PID:3156

C:\Windows\SysWOW64\25321\svchost.exe
C:\Windows\System32\25321\svchost.exe
1⤵
PID:7344

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
1⤵
PID:7980

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
1⤵
PID:7680

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
1⤵
PID:7448

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
1⤵
PID:6200

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
1⤵
PID:6964

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
1⤵
PID:1700

C:\Windows\SysWOW64\25321\svchost.exe
C:\Windows\System32\25321\svchost.exe
1⤵
PID:2260

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
1⤵
PID:6488

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
1⤵
PID:5508

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
1⤵
PID:6820

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
1⤵
PID:5860
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
  2⤵
  PID:392
- - C:\Windows\SysWOW64\25321\svchost.exe
    C:\Windows\System32\25321\svchost.exe
    3⤵
    PID:5004

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
1⤵
PID:7008

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
1⤵
PID:5672

C:\Windows\SysWOW64\25321\svchost.exe
C:\Windows\System32\25321\svchost.exe
1⤵
PID:2212
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
  2⤵
  PID:6104
- C:\Windows\SysWOW64\25321\svchost.exe
  C:\Windows\System32\25321\svchost.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1664

C:\Windows\SysWOW64\25321\svchost.exe
C:\Windows\System32\25321\svchost.exe
1⤵
PID:4264

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
1⤵
PID:3264

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
1⤵
PID:1224

C:\Windows\SysWOW64\25321\svchost.exe
C:\Windows\System32\25321\svchost.exe
1⤵
PID:4788

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
1⤵
PID:5840

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
1⤵
PID:3120
- C:\Windows\SysWOW64\25321\svchost.exe
  C:\Windows\System32\25321\svchost.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4720

C:\Windows\SysWOW64\25321\svchost.exe
C:\Windows\System32\25321\svchost.exe
1⤵
PID:4328
- C:\Windows\SysWOW64\25321\svchost.exe
  C:\Windows\System32\25321\svchost.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3312

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
1⤵
PID:4452

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
1⤵
PID:4040

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
1⤵
PID:7032

C:\Windows\SysWOW64\25321\svchost.exe
C:\Windows\System32\25321\svchost.exe
1⤵
PID:6992

C:\Windows\SysWOW64\25321\svchost.exe
C:\Windows\System32\25321\svchost.exe
1⤵
PID:6504

C:\Windows\SysWOW64\25321\svchost.exe
C:\Windows\System32\25321\svchost.exe
1⤵
PID:13212
- C:\Windows\SysWOW64\25321\svchost.exe
  C:\Windows\System32\25321\svchost.exe
  2⤵
  PID:7992
- - C:\Windows\SysWOW64\25321\svchost.exe
    C:\Windows\System32\25321\svchost.exe
    3⤵
    PID:4352
  - - C:\Windows\SysWOW64\25321\svchost.exe
      C:\Windows\System32\25321\svchost.exe
      4⤵
      PID:12348
    - - C:\Windows\SysWOW64\25321\svchost.exe
        
        C:\Windows\System32\25321\svchost.exe
        5⤵
        
        PID:11948
      - C:\Windows\SysWOW64\25321\svchost.exe
        
        C:\Windows\System32\25321\svchost.exe
        6⤵
        
        PID:13012
        
        C:\Windows\SysWOW64\25321\svchost.exe
        
        C:\Windows\System32\25321\svchost.exe
        7⤵
        
        PID:10708
        
        C:\Windows\SysWOW64\25321\svchost.exe
        
        C:\Windows\System32\25321\svchost.exe
        8⤵
        
        PID:6284
        
        C:\Windows\SysWOW64\25321\svchost.exe
        
        C:\Windows\System32\25321\svchost.exe
        9⤵
        
        PID:10880
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
        10⤵
        
        PID:4780
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
        9⤵
        
        PID:11804
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
        8⤵
        
        PID:8432
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
        7⤵
        
        PID:14240
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
        6⤵
        
        PID:14256
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
        5⤵
        
        PID:14016
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
      4⤵
      PID:14032
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
    3⤵
    PID:14072
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
  2⤵
  PID:14092

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
1⤵
PID:6344

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
1⤵
PID:6336

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
1⤵
PID:5416

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
1⤵
PID:5432

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
1⤵
PID:5908

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
1⤵
PID:5640

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
1⤵
PID:5656

C:\Windows\SysWOW64\25321\svchost.exe
C:\Windows\System32\25321\svchost.exe
1⤵
PID:2428

C:\Windows\SysWOW64\25321\svchost.exe
C:\Windows\System32\25321\svchost.exe
1⤵
PID:3144

C:\Windows\SysWOW64\25321\svchost.exe
C:\Windows\System32\25321\svchost.exe
1⤵
PID:3404

C:\Windows\SysWOW64\25321\svchost.exe
C:\Windows\System32\25321\svchost.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:392

C:\Windows\SysWOW64\25321\svchost.exe
C:\Windows\System32\25321\svchost.exe
1⤵
PID:2212

C:\Windows\SysWOW64\25321\svchost.exe
C:\Windows\System32\25321\svchost.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3456

C:\Windows\SysWOW64\25321\svchost.exe
C:\Windows\System32\25321\svchost.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4524

C:\Windows\SysWOW64\25321\svchost.exe
C:\Windows\System32\25321\svchost.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4496

C:\Windows\SysWOW64\25321\svchost.exe
C:\Windows\System32\25321\svchost.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1912

C:\Windows\SysWOW64\25321\svchost.exe
C:\Windows\System32\25321\svchost.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3992

C:\Windows\SysWOW64\25321\svchost.exe
C:\Windows\System32\25321\svchost.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:372

C:\Windows\SysWOW64\25321\svchost.exe
C:\Windows\System32\25321\svchost.exe
1⤵
PID:5776
- C:\Windows\SysWOW64\25321\svchost.exe
  C:\Windows\System32\25321\svchost.exe
  2⤵
  PID:2032
- - C:\Windows\SysWOW64\25321\svchost.exe
    C:\Windows\System32\25321\svchost.exe
    3⤵
    PID:11864
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
      4⤵
      PID:13892
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
    3⤵
    PID:13404
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
  2⤵
  PID:12628

C:\Windows\SysWOW64\25321\svchost.exe
C:\Windows\System32\25321\svchost.exe
1⤵
PID:11764
- C:\Windows\SysWOW64\25321\svchost.exe
  C:\Windows\System32\25321\svchost.exe
  2⤵
  PID:3524
- - C:\Windows\SysWOW64\25321\svchost.exe
    C:\Windows\System32\25321\svchost.exe
    3⤵
    PID:11456
  - - C:\Windows\SysWOW64\25321\svchost.exe
      C:\Windows\System32\25321\svchost.exe
      4⤵
      PID:6604
    - - C:\Windows\SysWOW64\25321\svchost.exe
        
        C:\Windows\System32\25321\svchost.exe
        5⤵
        
        PID:12936
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
        6⤵
        
        PID:13700
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
        5⤵
        
        PID:13924
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
      4⤵
      PID:12600
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
    3⤵
    PID:12176
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
  2⤵
  PID:13716

C:\Windows\SysWOW64\25321\svchost.exe
C:\Windows\System32\25321\svchost.exe
1⤵
PID:12992
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
  2⤵
  PID:12236

C:\Windows\SysWOW64\25321\svchost.exe
C:\Windows\System32\25321\svchost.exe
1⤵
PID:11916
- C:\Windows\SysWOW64\25321\svchost.exe
  C:\Windows\System32\25321\svchost.exe
  2⤵
  PID:2408
- - C:\Windows\SysWOW64\25321\svchost.exe
    C:\Windows\System32\25321\svchost.exe
    3⤵
    PID:13444
  - - C:\Windows\SysWOW64\25321\svchost.exe
      C:\Windows\System32\25321\svchost.exe
      4⤵
      PID:13540
    - - C:\Windows\SysWOW64\25321\svchost.exe
        
        C:\Windows\System32\25321\svchost.exe
        5⤵
        
        PID:13624
      - C:\Windows\SysWOW64\25321\svchost.exe
        
        C:\Windows\System32\25321\svchost.exe
        6⤵
        
        PID:13756
        
        C:\Windows\SysWOW64\25321\svchost.exe
        
        C:\Windows\System32\25321\svchost.exe
        7⤵
        
        PID:13876
        
        C:\Windows\SysWOW64\25321\svchost.exe
        
        C:\Windows\System32\25321\svchost.exe
        8⤵
        
        PID:13948
        
        C:\Windows\SysWOW64\25321\svchost.exe
        
        C:\Windows\System32\25321\svchost.exe
        9⤵
        
        PID:14060
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
        10⤵
        
        PID:14836
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
        9⤵
        
        PID:14468
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
        8⤵
        
        PID:14576
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
        7⤵
        
        PID:14748
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
        6⤵
        
        PID:14476
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
        5⤵
        
        PID:14608
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
      4⤵
      PID:13916
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
    3⤵
    PID:13996
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
  2⤵
  PID:8876

C:\Windows\SysWOW64\25321\svchost.exe
C:\Windows\System32\25321\svchost.exe
1⤵
PID:14160
- C:\Windows\SysWOW64\25321\svchost.exe
  C:\Windows\System32\25321\svchost.exe
  2⤵
  PID:14220
- - C:\Windows\SysWOW64\25321\svchost.exe
    C:\Windows\System32\25321\svchost.exe
    3⤵
    PID:14296
  - - C:\Windows\SysWOW64\25321\svchost.exe
      C:\Windows\System32\25321\svchost.exe
      4⤵
      PID:12336
    - - C:\Windows\SysWOW64\25321\svchost.exe
        
        C:\Windows\System32\25321\svchost.exe
        5⤵
        
        PID:12884
      - C:\Windows\SysWOW64\25321\svchost.exe
        
        C:\Windows\System32\25321\svchost.exe
        6⤵
        
        PID:12616
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
        7⤵
        
        PID:15156
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
        6⤵
        
        PID:15064
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
        5⤵
        
        PID:15124
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
      4⤵
      PID:15164
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
    3⤵
    PID:14956
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
  2⤵
  PID:14848

C:\Windows\SysWOW64\25321\svchost.exe
C:\Windows\System32\25321\svchost.exe
1⤵
PID:13536
- C:\Windows\SysWOW64\25321\svchost.exe
  C:\Windows\System32\25321\svchost.exe
  2⤵
  PID:10280
- - C:\Windows\SysWOW64\25321\svchost.exe
    C:\Windows\System32\25321\svchost.exe
    3⤵
    PID:4476
  - - C:\Windows\SysWOW64\25321\svchost.exe
      C:\Windows\System32\25321\svchost.exe
      4⤵
      PID:13992
    - - C:\Windows\SysWOW64\25321\svchost.exe
        
        C:\Windows\System32\25321\svchost.exe
        5⤵
        
        PID:7208
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
        6⤵
        
        PID:5916
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
      4⤵
      PID:2408
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
    3⤵
    PID:15344
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
  2⤵
  PID:5280

C:\Windows\SysWOW64\25321\svchost.exe
C:\Windows\System32\25321\svchost.exe
1⤵
PID:13364
- C:\Windows\SysWOW64\25321\svchost.exe
  C:\Windows\System32\25321\svchost.exe
  2⤵
  PID:11636
- - C:\Windows\SysWOW64\25321\svchost.exe
    C:\Windows\System32\25321\svchost.exe
    3⤵
    PID:12044
  - - C:\Windows\SysWOW64\25321\svchost.exe
      C:\Windows\System32\25321\svchost.exe
      4⤵
      PID:13184
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
        5⤵
        
        PID:13756
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
      4⤵
      PID:14164
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
    3⤵
    PID:13544
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
  2⤵
  PID:7992

C:\Windows\SysWOW64\25321\svchost.exe
C:\Windows\System32\25321\svchost.exe
1⤵
PID:8636
- C:\Windows\SysWOW64\25321\svchost.exe
  C:\Windows\System32\25321\svchost.exe
  2⤵
  PID:13744
- - C:\Windows\SysWOW64\25321\svchost.exe
    C:\Windows\System32\25321\svchost.exe
    3⤵
    PID:13480
  - - C:\Windows\SysWOW64\25321\svchost.exe
      C:\Windows\System32\25321\svchost.exe
      4⤵
      PID:13340
    - - C:\Windows\SysWOW64\25321\svchost.exe
        
        C:\Windows\System32\25321\svchost.exe
        5⤵
        
        PID:12992
      - C:\Windows\SysWOW64\25321\svchost.exe
        
        C:\Windows\System32\25321\svchost.exe
        6⤵
        
        PID:11456
        
        C:\Windows\SysWOW64\25321\svchost.exe
        
        C:\Windows\System32\25321\svchost.exe
        7⤵
        
        PID:13324
        
        C:\Windows\SysWOW64\25321\svchost.exe
        
        C:\Windows\System32\25321\svchost.exe
        8⤵
        
        PID:13788
        
        C:\Windows\SysWOW64\25321\svchost.exe
        
        C:\Windows\System32\25321\svchost.exe
        9⤵
        
        PID:14440
        
        C:\Windows\SysWOW64\25321\svchost.exe
        
        C:\Windows\System32\25321\svchost.exe
        10⤵
        
        PID:14536
        
        C:\Windows\SysWOW64\25321\svchost.exe
        
        C:\Windows\System32\25321\svchost.exe
        11⤵
        
        PID:14688
        
        C:\Windows\SysWOW64\25321\svchost.exe
        
        C:\Windows\System32\25321\svchost.exe
        12⤵
        
        PID:14812
        
        C:\Windows\SysWOW64\25321\svchost.exe
        
        C:\Windows\System32\25321\svchost.exe
        13⤵
        
        PID:14932
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
        14⤵
        
        PID:13908
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
        13⤵
        
        PID:14976
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
        12⤵
        
        PID:14868
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
        11⤵
        
        PID:9404
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
        10⤵
        
        PID:14652
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
        9⤵
        
        PID:12968
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
        8⤵
        
        PID:14208
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
        7⤵
        
        PID:15072
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
        6⤵
        
        PID:13992
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
        7⤵
        
        PID:9256
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
        5⤵
        
        PID:10392
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
      4⤵
      PID:13736
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
    3⤵
    PID:9168
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
  2⤵
  PID:12604

C:\Windows\SysWOW64\25321\svchost.exe
C:\Windows\System32\25321\svchost.exe
1⤵
PID:14996
- C:\Windows\SysWOW64\25321\svchost.exe
  C:\Windows\System32\25321\svchost.exe
  2⤵
  PID:15056
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
    3⤵
    PID:15208
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
  2⤵
  PID:13340

C:\Windows\SysWOW64\25321\svchost.exe
C:\Windows\System32\25321\svchost.exe
1⤵
PID:15224
- C:\Windows\SysWOW64\25321\svchost.exe
  C:\Windows\System32\25321\svchost.exe
  2⤵
  PID:15308
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
    3⤵
    PID:10636
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
  2⤵
  PID:13188

C:\Windows\SysWOW64\25321\svchost.exe
C:\Windows\System32\25321\svchost.exe
1⤵
PID:14288
- C:\Windows\SysWOW64\25321\svchost.exe
  C:\Windows\System32\25321\svchost.exe
  2⤵
  PID:8980
- - C:\Windows\SysWOW64\25321\svchost.exe
    C:\Windows\System32\25321\svchost.exe
    3⤵
    PID:13872
  - - C:\Windows\SysWOW64\25321\svchost.exe
      C:\Windows\System32\25321\svchost.exe
      4⤵
      PID:5504
    - - C:\Windows\SysWOW64\25321\svchost.exe
        
        C:\Windows\System32\25321\svchost.exe
        5⤵
        
        PID:14912
      - C:\Windows\SysWOW64\25321\svchost.exe
        
        C:\Windows\System32\25321\svchost.exe
        6⤵
        
        PID:15028
        
        C:\Windows\SysWOW64\25321\svchost.exe
        
        C:\Windows\System32\25321\svchost.exe
        7⤵
        
        PID:11368
        
        C:\Windows\SysWOW64\25321\svchost.exe
        
        C:\Windows\System32\25321\svchost.exe
        8⤵
        
        PID:13864
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
        9⤵
        
        PID:16292
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
        8⤵
        
        PID:16360
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
        7⤵
        
        PID:16300
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
        6⤵
        
        PID:15932
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
        5⤵
        
        PID:15884
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
      4⤵
      PID:15456
  - - C:\Windows\SysWOW64\25321\svchost.exe
      C:\Windows\System32\25321\svchost.exe
      4⤵
      PID:16568
    - - C:\Windows\SysWOW64\25321\svchost.exe
        
        C:\Windows\System32\25321\svchost.exe
        5⤵
        
        PID:16644
      - C:\Windows\SysWOW64\25321\svchost.exe
        
        C:\Windows\System32\25321\svchost.exe
        6⤵
        
        PID:16780
        
        C:\Windows\SysWOW64\25321\svchost.exe
        
        C:\Windows\System32\25321\svchost.exe
        7⤵
        
        PID:16964
        
        C:\Windows\SysWOW64\25321\svchost.exe
        
        C:\Windows\System32\25321\svchost.exe
        8⤵
        
        PID:17056
        
        C:\Windows\SysWOW64\25321\svchost.exe
        
        C:\Windows\System32\25321\svchost.exe
        9⤵
        
        PID:17136
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
        10⤵
        
        PID:10916
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
        9⤵
        
        PID:11736
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
        8⤵
        
        PID:1208
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
        7⤵
        
        PID:5736
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
        6⤵
        
        PID:17296
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
        5⤵
        
        PID:16764
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
    3⤵
    PID:15804
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
  2⤵
  PID:15380

C:\Windows\SysWOW64\25321\svchost.exe
C:\Windows\System32\25321\svchost.exe
1⤵
PID:14148
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
  2⤵
  PID:5532

C:\Windows\SysWOW64\25321\svchost.exe
C:\Windows\System32\25321\svchost.exe
1⤵
PID:14788
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
  2⤵
  PID:15040
- C:\Windows\SysWOW64\25321\svchost.exe
  C:\Windows\System32\25321\svchost.exe
  2⤵
  PID:16624
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
    3⤵
    PID:17800

C:\Windows\SysWOW64\25321\svchost.exe
C:\Windows\System32\25321\svchost.exe
1⤵
PID:14584
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
  2⤵
  PID:10500

C:\Windows\SysWOW64\25321\svchost.exe
C:\Windows\System32\25321\svchost.exe
1⤵
PID:3076
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
  2⤵
  PID:13108

C:\Windows\SysWOW64\25321\svchost.exe
C:\Windows\System32\25321\svchost.exe
1⤵
PID:14356
- C:\Windows\SysWOW64\25321\svchost.exe
  C:\Windows\System32\25321\svchost.exe
  2⤵
  PID:5540
- - C:\Windows\SysWOW64\25321\svchost.exe
    C:\Windows\System32\25321\svchost.exe
    3⤵
    PID:5552
  - - C:\Windows\SysWOW64\25321\svchost.exe
      C:\Windows\System32\25321\svchost.exe
      4⤵
      PID:14344
    - - C:\Windows\SysWOW64\25321\svchost.exe
        
        C:\Windows\System32\25321\svchost.exe
        5⤵
        
        PID:13608
      - C:\Windows\SysWOW64\25321\svchost.exe
        
        C:\Windows\System32\25321\svchost.exe
        6⤵
        
        PID:13668
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
        7⤵
        
        PID:14692
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
        6⤵
        
        PID:16100
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
        5⤵
        
        PID:13648
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
      4⤵
      PID:16352
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
    3⤵
    PID:16308
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
  2⤵
  PID:16076

C:\Windows\SysWOW64\25321\svchost.exe
C:\Windows\System32\25321\svchost.exe
1⤵
PID:13932
- C:\Windows\SysWOW64\25321\svchost.exe
  C:\Windows\System32\25321\svchost.exe
  2⤵
  PID:14948
- - C:\Windows\SysWOW64\25321\svchost.exe
    C:\Windows\System32\25321\svchost.exe
    3⤵
    PID:13952
  - - C:\Windows\SysWOW64\25321\svchost.exe
      C:\Windows\System32\25321\svchost.exe
      4⤵
      PID:9044
    - - C:\Windows\SysWOW64\25321\svchost.exe
        
        C:\Windows\System32\25321\svchost.exe
        5⤵
        
        PID:13624
      - C:\Windows\SysWOW64\25321\svchost.exe
        
        C:\Windows\System32\25321\svchost.exe
        6⤵
        
        PID:14276
        
        C:\Windows\SysWOW64\25321\svchost.exe
        
        C:\Windows\System32\25321\svchost.exe
        7⤵
        
        PID:15412
        
        C:\Windows\SysWOW64\25321\svchost.exe
        
        C:\Windows\System32\25321\svchost.exe
        8⤵
        
        PID:15500
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
        9⤵
        
        PID:13952
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
        8⤵
        
        PID:9828
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
        7⤵
        
        PID:16408
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
        6⤵
        
        PID:16388
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
        5⤵
        
        PID:16512
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
      4⤵
      PID:14916
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
    3⤵
    PID:14596
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
  2⤵
  PID:15744

C:\Windows\SysWOW64\25321\svchost.exe
C:\Windows\System32\25321\svchost.exe
1⤵
PID:15560
- C:\Windows\SysWOW64\25321\svchost.exe
  C:\Windows\System32\25321\svchost.exe
  2⤵
  PID:15648
- - C:\Windows\SysWOW64\25321\svchost.exe
    C:\Windows\System32\25321\svchost.exe
    3⤵
    PID:15728
  - - C:\Windows\SysWOW64\25321\svchost.exe
      C:\Windows\System32\25321\svchost.exe
      4⤵
      PID:15796
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
        5⤵
        
        PID:16696
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
      4⤵
      PID:16680
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
    3⤵
    PID:16824
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
  2⤵
  PID:16552

C:\Windows\SysWOW64\25321\svchost.exe
C:\Windows\System32\25321\svchost.exe
1⤵
PID:15864
- C:\Windows\SysWOW64\25321\svchost.exe
  C:\Windows\System32\25321\svchost.exe
  2⤵
  PID:15924
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
    3⤵
    PID:16992
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
  2⤵
  PID:16904

C:\Windows\SysWOW64\25321\svchost.exe
C:\Windows\System32\25321\svchost.exe
1⤵
PID:16000
- C:\Windows\SysWOW64\25321\svchost.exe
  C:\Windows\System32\25321\svchost.exe
  2⤵
  PID:16048
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
    3⤵
    PID:16832
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
  2⤵
  PID:17000

C:\Windows\SysWOW64\25321\svchost.exe
C:\Windows\System32\25321\svchost.exe
1⤵
PID:16148
- C:\Windows\SysWOW64\25321\svchost.exe
  C:\Windows\System32\25321\svchost.exe
  2⤵
  PID:16196
- - C:\Windows\SysWOW64\25321\svchost.exe
    C:\Windows\System32\25321\svchost.exe
    3⤵
    PID:12040
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
      4⤵
      PID:17120
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
    3⤵
    PID:17188
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
  2⤵
  PID:17180

C:\Windows\SysWOW64\25321\svchost.exe
C:\Windows\System32\25321\svchost.exe
1⤵
PID:12884
- C:\Windows\SysWOW64\25321\svchost.exe
  C:\Windows\System32\25321\svchost.exe
  2⤵
  PID:14288
- - C:\Windows\SysWOW64\25321\svchost.exe
    C:\Windows\System32\25321\svchost.exe
    3⤵
    PID:11856
  - - C:\Windows\SysWOW64\25321\svchost.exe
      C:\Windows\System32\25321\svchost.exe
      4⤵
      PID:13492
    - - C:\Windows\SysWOW64\25321\svchost.exe
        
        C:\Windows\System32\25321\svchost.exe
        5⤵
        
        PID:15676
      - C:\Windows\SysWOW64\25321\svchost.exe
        
        C:\Windows\System32\25321\svchost.exe
        6⤵
        
        PID:8940
        
        C:\Windows\SysWOW64\25321\svchost.exe
        
        C:\Windows\System32\25321\svchost.exe
        7⤵
        
        PID:15028
        
        C:\Windows\SysWOW64\25321\svchost.exe
        
        C:\Windows\System32\25321\svchost.exe
        8⤵
        
        PID:15548
        
        C:\Windows\SysWOW64\25321\svchost.exe
        
        C:\Windows\System32\25321\svchost.exe
        9⤵
        
        PID:15336
        
        C:\Windows\SysWOW64\25321\svchost.exe
        
        C:\Windows\System32\25321\svchost.exe
        10⤵
        
        PID:15952
        
        C:\Windows\SysWOW64\25321\svchost.exe
        
        C:\Windows\System32\25321\svchost.exe
        11⤵
        
        PID:13608
        
        C:\Windows\SysWOW64\25321\svchost.exe
        
        C:\Windows\System32\25321\svchost.exe
        12⤵
        
        PID:15892
        
        C:\Windows\SysWOW64\25321\svchost.exe
        
        C:\Windows\System32\25321\svchost.exe
        13⤵
        
        PID:16020
        
        C:\Windows\SysWOW64\25321\svchost.exe
        
        C:\Windows\System32\25321\svchost.exe
        14⤵
        
        PID:13872
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
        15⤵
        
        PID:12896
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
        14⤵
        
        PID:14436
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
        13⤵
        
        PID:16976
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
        12⤵
        
        PID:16052
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
        11⤵
        
        PID:15572
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
        10⤵
        
        PID:9688
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
        9⤵
        
        PID:15968
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
        8⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
        7⤵
        
        PID:15648
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
        6⤵
        
        PID:16952
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
        5⤵
        
        PID:5452
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
      4⤵
      PID:9860
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
    3⤵
    PID:15396
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
  2⤵
  PID:17164

C:\Windows\SysWOW64\25321\svchost.exe
C:\Windows\System32\25321\svchost.exe
1⤵
PID:17224
- C:\Windows\SysWOW64\25321\svchost.exe
  C:\Windows\System32\25321\svchost.exe
  2⤵
  PID:17328
- - C:\Windows\SysWOW64\25321\svchost.exe
    C:\Windows\System32\25321\svchost.exe
    3⤵
    PID:17404
  - - C:\Windows\SysWOW64\25321\svchost.exe
      C:\Windows\System32\25321\svchost.exe
      4⤵
      PID:15376
    - - C:\Windows\SysWOW64\25321\svchost.exe
        
        C:\Windows\System32\25321\svchost.exe
        5⤵
        
        PID:8060
      - C:\Windows\SysWOW64\25321\svchost.exe
        
        C:\Windows\System32\25321\svchost.exe
        6⤵
        
        PID:15640
        
        C:\Windows\SysWOW64\25321\svchost.exe
        
        C:\Windows\System32\25321\svchost.exe
        7⤵
        
        PID:15560
        
        C:\Windows\SysWOW64\25321\svchost.exe
        
        C:\Windows\System32\25321\svchost.exe
        8⤵
        
        PID:15800
        
        C:\Windows\SysWOW64\25321\svchost.exe
        
        C:\Windows\System32\25321\svchost.exe
        9⤵
        
        PID:15740
        
        C:\Windows\SysWOW64\25321\svchost.exe
        
        C:\Windows\System32\25321\svchost.exe
        10⤵
        
        PID:9020
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
        11⤵
        
        PID:17208
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
        10⤵
        
        PID:16252
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
        9⤵
        
        PID:12952
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
        8⤵
        
        PID:16956
        
        C:\Windows\SysWOW64\25321\svchost.exe
        
        C:\Windows\System32\25321\svchost.exe
        8⤵
        
        PID:17832
        
        C:\Windows\SysWOW64\25321\svchost.exe
        
        C:\Windows\System32\25321\svchost.exe
        9⤵
        
        PID:13636
        
        C:\Windows\SysWOW64\25321\svchost.exe
        
        C:\Windows\System32\25321\svchost.exe
        10⤵
        
        PID:18344
        
        C:\Windows\SysWOW64\25321\svchost.exe
        
        C:\Windows\System32\25321\svchost.exe
        11⤵
        
        PID:18276
        
        C:\Windows\SysWOW64\25321\svchost.exe
        
        C:\Windows\System32\25321\svchost.exe
        12⤵
        
        PID:12764
        
        C:\Windows\SysWOW64\25321\svchost.exe
        
        C:\Windows\System32\25321\svchost.exe
        13⤵
        
        PID:11856
        
        C:\Windows\SysWOW64\25321\svchost.exe
        
        C:\Windows\System32\25321\svchost.exe
        14⤵
        
        PID:18500
        
        C:\Windows\SysWOW64\25321\svchost.exe
        
        C:\Windows\System32\25321\svchost.exe
        15⤵
        
        PID:18624
        
        C:\Windows\SysWOW64\25321\svchost.exe
        
        C:\Windows\System32\25321\svchost.exe
        16⤵
        
        PID:18728
        
        C:\Windows\SysWOW64\25321\svchost.exe
        
        C:\Windows\System32\25321\svchost.exe
        17⤵
        
        PID:18832
        
        C:\Windows\SysWOW64\25321\svchost.exe
        
        C:\Windows\System32\25321\svchost.exe
        18⤵
        
        PID:18900
        
        C:\Windows\SysWOW64\25321\svchost.exe
        
        C:\Windows\System32\25321\svchost.exe
        19⤵
        
        PID:18956
        
        C:\Windows\SysWOW64\25321\svchost.exe
        
        C:\Windows\System32\25321\svchost.exe
        20⤵
        
        PID:19040
        
        C:\Windows\SysWOW64\25321\svchost.exe
        
        C:\Windows\System32\25321\svchost.exe
        21⤵
        
        PID:19112
        
        C:\Windows\SysWOW64\25321\svchost.exe
        
        C:\Windows\System32\25321\svchost.exe
        22⤵
        
        PID:19308
        
        C:\Windows\SysWOW64\25321\svchost.exe
        
        C:\Windows\System32\25321\svchost.exe
        23⤵
        
        PID:8020
        
        C:\Windows\SysWOW64\25321\svchost.exe
        
        C:\Windows\System32\25321\svchost.exe
        24⤵
        
        PID:18288
        
        C:\Windows\SysWOW64\25321\svchost.exe
        
        C:\Windows\System32\25321\svchost.exe
        25⤵
        
        PID:4008
        
        C:\Windows\SysWOW64\25321\svchost.exe
        
        C:\Windows\System32\25321\svchost.exe
        26⤵
        
        PID:6096
        
        C:\Windows\SysWOW64\25321\svchost.exe
        
        C:\Windows\System32\25321\svchost.exe
        27⤵
        
        PID:17140
        
        C:\Windows\SysWOW64\25321\svchost.exe
        
        C:\Windows\System32\25321\svchost.exe
        28⤵
        
        PID:12028
        
        C:\Windows\SysWOW64\25321\svchost.exe
        
        C:\Windows\System32\25321\svchost.exe
        29⤵
        
        PID:12144
        
        C:\Windows\SysWOW64\25321\svchost.exe
        
        C:\Windows\System32\25321\svchost.exe
        30⤵
        
        PID:9628
        
        C:\Windows\SysWOW64\25321\svchost.exe
        
        C:\Windows\System32\25321\svchost.exe
        31⤵
        
        PID:1004
        
        C:\Windows\SysWOW64\25321\svchost.exe
        
        C:\Windows\System32\25321\svchost.exe
        32⤵
        
        PID:18152
        
        C:\Windows\SysWOW64\25321\svchost.exe
        
        C:\Windows\System32\25321\svchost.exe
        33⤵
        
        PID:7732
        
        C:\Windows\SysWOW64\25321\svchost.exe
        
        C:\Windows\System32\25321\svchost.exe
        34⤵
        
        PID:15032
        
        C:\Windows\SysWOW64\25321\svchost.exe
        
        C:\Windows\System32\25321\svchost.exe
        35⤵
        
        PID:8980
        
        C:\Windows\SysWOW64\25321\svchost.exe
        
        C:\Windows\System32\25321\svchost.exe
        36⤵
        
        PID:19216
        
        C:\Windows\SysWOW64\25321\svchost.exe
        
        C:\Windows\System32\25321\svchost.exe
        37⤵
        
        PID:19240
        
        C:\Windows\SysWOW64\25321\svchost.exe
        
        C:\Windows\System32\25321\svchost.exe
        38⤵
        
        PID:13204
        
        C:\Windows\SysWOW64\25321\svchost.exe
        
        C:\Windows\System32\25321\svchost.exe
        39⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\25321\svchost.exe
        
        C:\Windows\System32\25321\svchost.exe
        40⤵
        
        PID:6408
        
        C:\Windows\SysWOW64\25321\svchost.exe
        
        C:\Windows\System32\25321\svchost.exe
        41⤵
        
        PID:19328
        
        C:\Windows\SysWOW64\25321\svchost.exe
        
        C:\Windows\System32\25321\svchost.exe
        42⤵
        
        PID:8812
        
        C:\Windows\SysWOW64\25321\svchost.exe
        
        C:\Windows\System32\25321\svchost.exe
        43⤵
        
        PID:19000
        
        C:\Windows\SysWOW64\25321\svchost.exe
        
        C:\Windows\System32\25321\svchost.exe
        44⤵
        
        PID:7488
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
        35⤵
        
        PID:19600
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
        34⤵
        
        PID:19484
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
        33⤵
        
        PID:16164
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
        32⤵
        
        PID:17908
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
        31⤵
        
        PID:18212
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
        30⤵
        
        PID:1888
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
        29⤵
        
        PID:4008
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
        28⤵
        
        PID:4084
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
        27⤵
        
        PID:18940
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
        26⤵
        
        PID:12972
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
        25⤵
        
        PID:7764
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
        24⤵
        
        PID:14844
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
        23⤵
        
        PID:19272
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
        22⤵
        
        PID:11428
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
        21⤵
        
        PID:19064
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
        20⤵
        
        PID:6688
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
        19⤵
        
        PID:18312
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
        18⤵
        
        PID:15560
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
        17⤵
        
        PID:8848
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
        16⤵
        
        PID:14108
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
        15⤵
        
        PID:18064
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
        14⤵
        
        PID:8544
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
        13⤵
        
        PID:6860
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
        12⤵
        
        PID:19016
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
        11⤵
        
        PID:17536
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
        10⤵
        
        PID:13496
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
        9⤵
        
        PID:13500
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
        7⤵
        
        PID:13768
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
        6⤵
        
        PID:14368
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
        5⤵
        
        PID:5724
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
      4⤵
      PID:12136
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
    3⤵
    PID:16488
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
  2⤵
  PID:9140

C:\Windows\SysWOW64\25321\svchost.exe
C:\Windows\System32\25321\svchost.exe
1⤵
PID:14080
- C:\Windows\SysWOW64\25321\svchost.exe
  C:\Windows\System32\25321\svchost.exe
  2⤵
  PID:16472
- - C:\Windows\SysWOW64\25321\svchost.exe
    C:\Windows\System32\25321\svchost.exe
    3⤵
    PID:17324
  - - C:\Windows\SysWOW64\25321\svchost.exe
      C:\Windows\System32\25321\svchost.exe
      4⤵
      PID:10452
    - - C:\Windows\SysWOW64\25321\svchost.exe
        
        C:\Windows\System32\25321\svchost.exe
        5⤵
        
        PID:16672
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
        6⤵
        
        PID:15400
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
        5⤵
        
        PID:10316
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
      4⤵
      PID:16568
  - - C:\Windows\SysWOW64\25321\svchost.exe
      C:\Windows\System32\25321\svchost.exe
      4⤵
      PID:17476
    - - C:\Windows\SysWOW64\25321\svchost.exe
        
        C:\Windows\System32\25321\svchost.exe
        5⤵
        
        PID:15560
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
        6⤵
        
        PID:7224
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
        5⤵
        
        PID:18016
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
    3⤵
    PID:16896
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
  2⤵
  PID:2420

C:\Windows\SysWOW64\25321\svchost.exe
C:\Windows\System32\25321\svchost.exe
1⤵
PID:4084
- C:\Windows\SysWOW64\25321\svchost.exe
  C:\Windows\System32\25321\svchost.exe
  2⤵
  PID:13864
- - C:\Windows\SysWOW64\25321\svchost.exe
    C:\Windows\System32\25321\svchost.exe
    3⤵
    PID:11752
  - - C:\Windows\SysWOW64\25321\svchost.exe
      C:\Windows\System32\25321\svchost.exe
      4⤵
      PID:4008
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
        5⤵
        
        PID:17588
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
      4⤵
      PID:17564
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
    3⤵
    PID:17640
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
  2⤵
  PID:17416

C:\Windows\SysWOW64\25321\svchost.exe
C:\Windows\System32\25321\svchost.exe
1⤵
PID:15832
- C:\Windows\SysWOW64\25321\svchost.exe
  C:\Windows\System32\25321\svchost.exe
  2⤵
  PID:17228
- - C:\Windows\SysWOW64\25321\svchost.exe
    C:\Windows\System32\25321\svchost.exe
    3⤵
    PID:8812
  - - C:\Windows\SysWOW64\25321\svchost.exe
      C:\Windows\System32\25321\svchost.exe
      4⤵
      PID:16132
    - - C:\Windows\SysWOW64\25321\svchost.exe
        
        C:\Windows\System32\25321\svchost.exe
        5⤵
        
        PID:12148
      - C:\Windows\SysWOW64\25321\svchost.exe
        
        C:\Windows\System32\25321\svchost.exe
        6⤵
        
        PID:15956
        
        C:\Windows\SysWOW64\25321\svchost.exe
        
        C:\Windows\System32\25321\svchost.exe
        7⤵
        
        PID:10156
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
        8⤵
        
        PID:4700
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:5004
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
        6⤵
        
        PID:5760
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
        5⤵
        
        PID:3772
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
      4⤵
      PID:17796
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
    3⤵
    PID:5288
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
  2⤵
  PID:18224

C:\Windows\SysWOW64\25321\svchost.exe
C:\Windows\System32\25321\svchost.exe
1⤵
PID:11036
- C:\Windows\SysWOW64\25321\svchost.exe
  C:\Windows\System32\25321\svchost.exe
  2⤵
  PID:6948
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
    3⤵
    PID:18264
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
  2⤵
  PID:18204

C:\Windows\SysWOW64\25321\svchost.exe
C:\Windows\System32\25321\svchost.exe
1⤵
PID:8808
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
  2⤵
  PID:18000

C:\Windows\SysWOW64\25321\svchost.exe
C:\Windows\System32\25321\svchost.exe
1⤵
PID:14788
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
  2⤵
  PID:17840

C:\Windows\SysWOW64\25321\svchost.exe
C:\Windows\System32\25321\svchost.exe
1⤵
PID:9744
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
  2⤵
  PID:17772

C:\Windows\SysWOW64\25321\svchost.exe
C:\Windows\System32\25321\svchost.exe
1⤵
PID:15880
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
  2⤵
  PID:17580

C:\Windows\SysWOW64\25321\svchost.exe
C:\Windows\System32\25321\svchost.exe
1⤵
PID:16912
- C:\Windows\SysWOW64\25321\svchost.exe
  C:\Windows\System32\25321\svchost.exe
  2⤵
  PID:5248
- - C:\Windows\SysWOW64\25321\svchost.exe
    C:\Windows\System32\25321\svchost.exe
    3⤵
    PID:16452
  - - C:\Windows\SysWOW64\25321\svchost.exe
      C:\Windows\System32\25321\svchost.exe
      4⤵
      PID:14952
    - - C:\Windows\SysWOW64\25321\svchost.exe
        
        C:\Windows\System32\25321\svchost.exe
        5⤵
        
        PID:17472
      - C:\Windows\SysWOW64\25321\svchost.exe
        
        C:\Windows\System32\25321\svchost.exe
        6⤵
        
        PID:17544
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
        7⤵
        
        PID:1340
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
        6⤵
        
        PID:17104
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
        5⤵
        
        PID:17376
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
      4⤵
      PID:11752
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
    3⤵
    PID:16468
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
  2⤵
  PID:18092

C:\Windows\SysWOW64\25321\svchost.exe
C:\Windows\System32\25321\svchost.exe
1⤵
PID:17620
- C:\Windows\SysWOW64\25321\svchost.exe
  C:\Windows\System32\25321\svchost.exe
  2⤵
  PID:17712
- - C:\Windows\SysWOW64\25321\svchost.exe
    C:\Windows\System32\25321\svchost.exe
    3⤵
    PID:17832
  - - C:\Windows\SysWOW64\25321\svchost.exe
      C:\Windows\System32\25321\svchost.exe
      4⤵
      PID:17916
    - - C:\Windows\SysWOW64\25321\svchost.exe
        
        C:\Windows\System32\25321\svchost.exe
        5⤵
        
        PID:18036
      - C:\Windows\SysWOW64\25321\svchost.exe
        
        C:\Windows\System32\25321\svchost.exe
        6⤵
        
        PID:18144
        
        C:\Windows\SysWOW64\25321\svchost.exe
        
        C:\Windows\System32\25321\svchost.exe
        7⤵
        
        PID:18208
        
        C:\Windows\SysWOW64\25321\svchost.exe
        
        C:\Windows\System32\25321\svchost.exe
        8⤵
        
        PID:18276
        
        C:\Windows\SysWOW64\25321\svchost.exe
        
        C:\Windows\System32\25321\svchost.exe
        9⤵
        
        PID:18372
        
        C:\Windows\SysWOW64\25321\svchost.exe
        
        C:\Windows\System32\25321\svchost.exe
        10⤵
        
        PID:15516
        
        C:\Windows\SysWOW64\25321\svchost.exe
        
        C:\Windows\System32\25321\svchost.exe
        11⤵
        
        PID:16744
        
        C:\Windows\SysWOW64\25321\svchost.exe
        
        C:\Windows\System32\25321\svchost.exe
        12⤵
        
        PID:6096
        
        C:\Windows\SysWOW64\25321\svchost.exe
        
        C:\Windows\System32\25321\svchost.exe
        13⤵
        
        PID:4084
        
        C:\Windows\SysWOW64\25321\svchost.exe
        
        C:\Windows\System32\25321\svchost.exe
        14⤵
        
        PID:376
        
        C:\Windows\SysWOW64\25321\svchost.exe
        
        C:\Windows\System32\25321\svchost.exe
        15⤵
        
        PID:1272
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
        16⤵
        
        PID:18636
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
        15⤵
        
        PID:18544
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
        14⤵
        
        PID:18476
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
        13⤵
        
        PID:18644
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
        12⤵
        
        PID:18468
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
        11⤵
        
        PID:18116
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
        10⤵
        
        PID:6788
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
        9⤵
        
        PID:17620
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
        8⤵
        
        PID:14952
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
        7⤵
        
        PID:17052
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
        6⤵
        
        PID:6100
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
        5⤵
        
        PID:18292
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
      4⤵
      PID:18096
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
    3⤵
    PID:7652
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
  2⤵
  PID:16104

C:\Windows\SysWOW64\25321\svchost.exe
C:\Windows\System32\25321\svchost.exe
1⤵
PID:16648
- C:\Windows\SysWOW64\25321\svchost.exe
  C:\Windows\System32\25321\svchost.exe
  2⤵
  PID:740
- - C:\Windows\SysWOW64\25321\svchost.exe
    C:\Windows\System32\25321\svchost.exe
    3⤵
    PID:18368
  - - C:\Windows\SysWOW64\25321\svchost.exe
      C:\Windows\System32\25321\svchost.exe
      4⤵
      PID:4308
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
        5⤵
        
        PID:18736
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
      4⤵
      PID:18980
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
    3⤵
    PID:18652
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
  2⤵
  PID:18988

C:\Windows\SysWOW64\25321\svchost.exe
C:\Windows\System32\25321\svchost.exe
1⤵
PID:16040
- C:\Windows\SysWOW64\25321\svchost.exe
  C:\Windows\System32\25321\svchost.exe
  2⤵
  PID:10788
- - C:\Windows\SysWOW64\25321\svchost.exe
    C:\Windows\System32\25321\svchost.exe
    3⤵
    PID:15376
  - - C:\Windows\SysWOW64\25321\svchost.exe
      C:\Windows\System32\25321\svchost.exe
      4⤵
      PID:18312
    - - C:\Windows\SysWOW64\25321\svchost.exe
        
        C:\Windows\System32\25321\svchost.exe
        5⤵
        
        PID:6644
      - C:\Windows\SysWOW64\25321\svchost.exe
        
        C:\Windows\System32\25321\svchost.exe
        6⤵
        
        PID:5704
        
        C:\Windows\SysWOW64\25321\svchost.exe
        
        C:\Windows\System32\25321\svchost.exe
        7⤵
        
        PID:18400
        
        C:\Windows\SysWOW64\25321\svchost.exe
        
        C:\Windows\System32\25321\svchost.exe
        8⤵
        
        PID:5248
        
        C:\Windows\SysWOW64\25321\svchost.exe
        
        C:\Windows\System32\25321\svchost.exe
        9⤵
        
        PID:17324
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
        10⤵
        
        PID:19204
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
        9⤵
        
        PID:19344
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
        8⤵
        
        PID:19136
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
        7⤵
        
        PID:19176
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
        6⤵
        
        PID:19144
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
        5⤵
        
        PID:19152
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
      4⤵
      PID:19076
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
    3⤵
    PID:19232
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\25321\tem.vbs"
  2⤵
  PID:19128

C:\Windows\SysWOW64\25321\svchost.exe
C:\Windows\System32\25321\svchost.exe
1⤵
PID:4292
- C:\Windows\SysWOW64\25321\svchost.exe
  C:\Windows\System32\25321\svchost.exe
  2⤵
  PID:9024
- - C:\Windows\SysWOW64\25321\svchost.exe
    C:\Windows\System32\25321\svchost.exe
    3⤵
    PID:3964
  - - C:\Windows\SysWOW64\25321\svchost.exe
      C:\Windows\System32\25321\svchost.exe
      4⤵
      PID:7548

C:\Windows\SysWOW64\25321\svchost.exe
C:\Windows\System32\25321\svchost.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2212
- C:\Windows\SysWOW64\25321\svchost.exe
  C:\Windows\System32\25321\svchost.exe
  2⤵
  PID:15816
- - C:\Windows\SysWOW64\25321\svchost.exe
    C:\Windows\System32\25321\svchost.exe
    3⤵
    PID:9384
  - - C:\Windows\SysWOW64\25321\svchost.exe
      C:\Windows\System32\25321\svchost.exe
      4⤵
      PID:12308
    - - C:\Windows\SysWOW64\25321\svchost.exe
        
        C:\Windows\System32\25321\svchost.exe
        5⤵
        
        PID:540
      - C:\Windows\SysWOW64\25321\svchost.exe
        
        C:\Windows\System32\25321\svchost.exe
        6⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\25321\svchost.exe
        
        C:\Windows\System32\25321\svchost.exe
        7⤵
        
        PID:19460
        
        C:\Windows\SysWOW64\25321\svchost.exe
        
        C:\Windows\System32\25321\svchost.exe
        8⤵
        
        PID:19540
        
        C:\Windows\SysWOW64\25321\svchost.exe
        
        C:\Windows\System32\25321\svchost.exe
        9⤵
        
        PID:19616
        
        C:\Windows\SysWOW64\25321\svchost.exe
        
        C:\Windows\System32\25321\svchost.exe
        10⤵
        
        PID:19720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\E_N4\dp1.fne

Filesize
112KB

MD5
6d4b2e73f6f8ecff02f19f7e8ef9a8c7

SHA1
09c32ca167136a17fd69df8c525ea5ffeca6c534

SHA256
fe5783e64aa70fac10c2e42d460732d9770534357329d8bc78576557c165f040

SHA512
2fd7a95cb632e9c4ac6b34e5b6b875aae94e73cd4b1f213e78f46dadab4846227a030776461bca08f9d75a1d61a0d45427f7b0c8b71406b7debc14db04b2ce04

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N4\krnln.fnr

Filesize
1.1MB

MD5
3fe72f93ab5f24a0ea2d753013a41c4b

SHA1
9206cd206c0b2782a2b1ad1d19ace97bae6e491e

SHA256
db32e8ea1d91009ca25b79d7e863a08be56632641a7a145326fbfbf0931b6c79

SHA512
24ce75304e6b5508d9bbf425a68b1907bc51f30c168dd3b800f34e1f7fc1aee044818848d1fde40e7556af5f16f94ea02d19344bd9ffda1a6d011a624d6f46e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N4\krnln.fnr

Filesize
93KB

MD5
35a530ac2e4c2e1be0842e4527a3ed38

SHA1
e062d0e5b997a066b374ff5477d4611759bc1be3

SHA256
e80fd553b13a2514e024280719a3a0d0ff8828364f5f5e3f3d6cbbbaa68f43ba

SHA512
adda86f287434cfb398b6980f7b9b436df419c860d671bead702c9b0f0858663c0b2292f7a3a795655030529339e3561993b9d82f360330c758d8c23b7f21308

Download Submit
C:\Windows\SysWOW64\25321\AntiOpenProcess.dll

Filesize
4KB

MD5
ddf1a3e3e5dd64566de818a748b59bc2

SHA1
3a6fc4766630e8e1eea5e7e1741c4b517c7f8dbc

SHA256
9bd39c9cde614ff1264bcee351a465fc9f6f712ead802234256316f3841190fa

SHA512
06cf5fdb7b9e59236eb5a1bdf7025d07ccfe0463f17cefd5470051b1f228e14a374ebb01a6d0b572a5ddb259a2b0d7cfe42eb429c6828ab76b17d5a613b62cd7

Download Submit
C:\Windows\SysWOW64\25321\svchost.exe

Filesize
679KB

MD5
2819cbbf67c90445b1ac8555406c329e

SHA1
d41913fd6946b8d9c3320c361b19f232fc6fa6a0

SHA256
e63158231bd8190746255e9d42b3c9d0c9be52373ce4705cadc97f35aec6448c

SHA512
3a5e7cbf1e329f9353be164f5ca530c169b76309041944a4ec2a8d1bd18d113e0bc0f1ca00212e270f1ab0664ecd1fca196d65d547ae6242a7ec082ee510eafb

Download Submit
C:\Windows\SysWOW64\25321\tem.vbs

Filesize
179B

MD5
b21423259ea966661f1189891693795a

SHA1
9e8463c7962a3e154a45a709b962d5e9f5c4383b

SHA256
e8e60e2e73ebfa1b1c2b3dcef892df70b34eb39d61c0c90feccaddfd3eea5910

SHA512
19d899d38788d15eb6af66916cd13bfd79fa197b831d4e58e1cba41d6e394b5dac9a8b9fc4825ede4e8c2ebf8a0b4a3f37cf46a4526f6d06a1d5d6e2fe549ae9

Download Submit
memory/1688-177-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3312-18-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4328-75-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4524-113-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4524-61-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4548-172-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4772-0-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4772-68-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/5004-94-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/5384-175-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/6024-201-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/7784-464-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/19832-1632-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download