48f474b60b126daca92a3a90af6209d84233f716aaf7d794f33051a9611f48c4

Analysis

max time kernel
88s
max time network
92s
platform
windows11-21h2_x64
resource
win11-20240426-en
resource tags

arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
submitted
30-04-2024 02:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Seven.exe
Size

139KB
MD5

350273e0d2e8a9ba5e37b791016112a0
SHA1

5bfb616dd46f67d1dcbbff55ca5917ffc1ec8b71
SHA256

27297bf8139bea755e9297e7e1489d827d1ee09a8e1d94a3ef96a2edb2de61ba
SHA512

b1e768524b4e840bd5f4163205122dd1725583245d8bfd5cbd89eb21a5fb9d33aff1b7b0ca42132b7dae469e025068ae663b3b02ad59927a558dc340141ec91b
SSDEEP

3072:miS4omp03WQthI/9S3BZi08iRQ1G78IVn27bSfcJd8ltw:miS4ompB9S3BZi0a1G78IVhcTct

Score

10^/10

evasion ransomware spyware stealer trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Seven.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	Seven.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	Seven.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	Seven.exe

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLua = "1"	Seven.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "1"	Seven.exe

Renames multiple (237) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Blocks application from running via registry modification 1 IoCs

Adds application to list of disallowed applications.

evasion

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	Seven.exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Seven.exe

Disables Task Manager via registry modification
evasion

Disables cmd.exe use via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	Seven.exe

Deletes itself 1 IoCs

pid	Process
4632	Winhost.exe

Executes dropped EXE 64 IoCs

pid	Process
4632	Winhost.exe
3932	Winhost.exe
3144	Winhost.exe
3536	Winhost.exe
4976	Winhost.exe
3640	Winhost.exe
2956	Winhost.exe
128	Winhost.exe
4568	Winhost.exe
1936	Winhost.exe
3672	Winhost.exe
4400	Winhost.exe
2292	Winhost.exe
4744	Winhost.exe
4576	Winhost.exe
1656	Winhost.exe
4192	Winhost.exe
1636	Winhost.exe
1792	Winhost.exe
4116	Winhost.exe
4724	Winhost.exe
2460	Winhost.exe
4736	Winhost.exe
1028	Winhost.exe
1760	Winhost.exe
1860	Winhost.exe
3392	Winhost.exe
4108	Winhost.exe
1400	Winhost.exe
1080	Winhost.exe
3704	Winhost.exe
3928	Winhost.exe
3304	Winhost.exe
2880	Winhost.exe
952	Winhost.exe
4728	Winhost.exe
4236	Winhost.exe
248	Winhost.exe
2352	Winhost.exe
4268	Winhost.exe
1476	Winhost.exe
1364	Winhost.exe
5056	Winhost.exe
2292	Winhost.exe
4196	Winhost.exe
5072	Winhost.exe
1756	Winhost.exe
1916	Winhost.exe
3692	Winhost.exe
4960	Winhost.exe
1840	Winhost.exe
3236	Winhost.exe
4740	Winhost.exe
4904	Winhost.exe
240	Winhost.exe
832	Winhost.exe
5072	Winhost.exe
3576	Winhost.exe
1916	Winhost.exe
3692	Winhost.exe
1988	Winhost.exe
1080	Winhost.exe
3912	Winhost.exe
2728	Winhost.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	Seven.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLua	Seven.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLua = "1"	Seven.exe

Drops desktop.ini file(s) 7 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Documents\desktop.ini	Winhost.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	Winhost.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	Winhost.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	Winhost.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	Winhost.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	Winhost.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	Winhost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
5	raw.githubusercontent.com
1	raw.githubusercontent.com
3	raw.githubusercontent.com
4	raw.githubusercontent.com

Drops file in System32 directory 43 IoCs

description	ioc	Process
File created	C:\Windows\system32\EncryptedLog.txt	Winhost.exe
File created	C:\Windows\system32\EncryptedLog.txt	Winhost.exe
File created	C:\Windows\system32\EncryptedLog.txt	Winhost.exe
File created	C:\Windows\system32\KeyAndIV.txt	Winhost.exe
File created	C:\Windows\System32\Seven.runtimeconfig.json	cmd.exe
File created	C:\Windows\system32\EncryptedLog.txt	Winhost.exe
File created	C:\Windows\system32\KeyAndIV.txt	Winhost.exe
File created	C:\Windows\system32\EncryptedLog.txt	Winhost.exe
File created	C:\Windows\system32\KeyAndIV.txt	Winhost.exe
File created	C:\Windows\system32\KeyAndIV.txt	Winhost.exe
File created	C:\Windows\system32\EncryptedLog.txt	Winhost.exe
File created	C:\Windows\System32\Seven.dll	cmd.exe
File opened for modification	C:\Windows\System32\Seven.dll	cmd.exe
File opened for modification	C:\Windows\System32\Seven.runtimeconfig.json	attrib.exe
File opened for modification	C:\Windows\System32\Winhost.exe	attrib.exe
File created	C:\Windows\system32\KeyAndIV.txt	Winhost.exe
File created	C:\Windows\system32\KeyAndIV.txt	Winhost.exe
File created	C:\Windows\system32\KeyAndIV.txt	Winhost.exe
File created	C:\Windows\system32\EncryptedLog.txt	Winhost.exe
File created	C:\Windows\System32\Winhost.exe	cmd.exe
File opened for modification	C:\Windows\System32\Winhost.exe	cmd.exe
File created	C:\Windows\system32\KeyAndIV.txt	Winhost.exe
File created	C:\Windows\system32\EncryptedLog.txt	Winhost.exe
File created	C:\Windows\system32\EncryptedLog.txt	Winhost.exe
File created	C:\Windows\system32\KeyAndIV.txt	Winhost.exe
File created	C:\Windows\system32\EncryptedLog.txt	Winhost.exe
File created	C:\Windows\system32\EncryptedLog.txt	Winhost.exe
File created	C:\Windows\system32\KeyAndIV.txt	Winhost.exe
File created	C:\Windows\system32\EncryptedLog.txt	Winhost.exe
File created	C:\Windows\system32\KeyAndIV.txt	Winhost.exe
File created	C:\Windows\system32\KeyAndIV.txt	Winhost.exe
File created	C:\Windows\system32\KeyAndIV.txt	Winhost.exe
File opened for modification	C:\Windows\System32\Seven.dll	attrib.exe
File created	C:\Windows\system32\EncryptedLog.txt	Winhost.exe
File created	C:\Windows\system32\EncryptedLog.txt	Winhost.exe
File created	C:\Windows\system32\EncryptedLog.txt	Winhost.exe
File created	C:\Windows\system32\KeyAndIV.txt	Winhost.exe
File opened for modification	C:\Windows\System32\Seven.runtimeconfig.json	cmd.exe
File created	C:\Windows\system32\EncryptedLog.txt	Winhost.exe
File created	C:\Windows\system32\EncryptedLog.txt	Winhost.exe
File created	C:\Windows\system32\KeyAndIV.txt	Winhost.exe
File created	C:\Windows\system32\KeyAndIV.txt	Winhost.exe
File created	C:\Windows\system32\KeyAndIV.txt	Winhost.exe

Sets desktop wallpaper using registry 2 TTPs 3 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmpplf4q5.tmp"	Seven.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmpq5idmj.tmp"	Winhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmppclehs.tmp"	Winhost.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3104	powershell.exe
3104	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3104	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3932 wrote to memory of 3104	3932	Seven.exe	82
PID 3932 wrote to memory of 3104	3932	Seven.exe	82
PID 3932 wrote to memory of 3280	3932	Seven.exe	85
PID 3932 wrote to memory of 3280	3932	Seven.exe	85
PID 3932 wrote to memory of 4536	3932	Seven.exe	86
PID 3932 wrote to memory of 4536	3932	Seven.exe	86
PID 3932 wrote to memory of 2440	3932	Seven.exe	87
PID 3932 wrote to memory of 2440	3932	Seven.exe	87
PID 3932 wrote to memory of 4672	3932	Seven.exe	88
PID 3932 wrote to memory of 4672	3932	Seven.exe	88
PID 3932 wrote to memory of 3444	3932	Seven.exe	89
PID 3932 wrote to memory of 3444	3932	Seven.exe	89
PID 3932 wrote to memory of 2352	3932	Seven.exe	90
PID 3932 wrote to memory of 2352	3932	Seven.exe	90
PID 3932 wrote to memory of 2248	3932	Seven.exe	91
PID 3932 wrote to memory of 2248	3932	Seven.exe	91
PID 3932 wrote to memory of 3392	3932	Seven.exe	92
PID 3932 wrote to memory of 3392	3932	Seven.exe	92
PID 3932 wrote to memory of 1424	3932	Seven.exe	93
PID 3932 wrote to memory of 1424	3932	Seven.exe	93
PID 3932 wrote to memory of 804	3932	Seven.exe	94
PID 3932 wrote to memory of 804	3932	Seven.exe	94
PID 3932 wrote to memory of 3428	3932	Seven.exe	95
PID 3932 wrote to memory of 3428	3932	Seven.exe	95
PID 3932 wrote to memory of 3476	3932	Seven.exe	96
PID 3932 wrote to memory of 3476	3932	Seven.exe	96
PID 3932 wrote to memory of 2276	3932	Seven.exe	97
PID 3932 wrote to memory of 2276	3932	Seven.exe	97
PID 3932 wrote to memory of 1756	3932	Seven.exe	98
PID 3932 wrote to memory of 1756	3932	Seven.exe	98
PID 3428 wrote to memory of 4132	3428	cmd.exe	100
PID 3428 wrote to memory of 4132	3428	cmd.exe	100
PID 2276 wrote to memory of 4108	2276	cmd.exe	99
PID 2276 wrote to memory of 4108	2276	cmd.exe	99
PID 4672 wrote to memory of 1924	4672	cmd.exe	101
PID 4672 wrote to memory of 1924	4672	cmd.exe	101
PID 1756 wrote to memory of 4632	1756	cmd.exe	102
PID 1756 wrote to memory of 4632	1756	cmd.exe	102
PID 3444 wrote to memory of 3944	3444	cmd.exe	103
PID 3444 wrote to memory of 3944	3444	cmd.exe	103
PID 804 wrote to memory of 1636	804	cmd.exe	105
PID 804 wrote to memory of 1636	804	cmd.exe	105
PID 3476 wrote to memory of 236	3476	cmd.exe	106
PID 3476 wrote to memory of 236	3476	cmd.exe	106
PID 4632 wrote to memory of 3932	4632	Winhost.exe	107
PID 4632 wrote to memory of 3932	4632	Winhost.exe	107
PID 3932 wrote to memory of 3144	3932	Winhost.exe	109
PID 3932 wrote to memory of 3144	3932	Winhost.exe	109
PID 3144 wrote to memory of 3536	3144	Winhost.exe	111
PID 3144 wrote to memory of 3536	3144	Winhost.exe	111
PID 3536 wrote to memory of 4976	3536	Winhost.exe	113
PID 3536 wrote to memory of 4976	3536	Winhost.exe	113
PID 4976 wrote to memory of 3640	4976	Winhost.exe	115
PID 4976 wrote to memory of 3640	4976	Winhost.exe	115
PID 3640 wrote to memory of 2956	3640	Winhost.exe	117
PID 3640 wrote to memory of 2956	3640	Winhost.exe	117
PID 2956 wrote to memory of 128	2956	Winhost.exe	119
PID 2956 wrote to memory of 128	2956	Winhost.exe	119
PID 128 wrote to memory of 4568	128	Winhost.exe	121
PID 128 wrote to memory of 4568	128	Winhost.exe	121
PID 4568 wrote to memory of 1936	4568	Winhost.exe	123
PID 4568 wrote to memory of 1936	4568	Winhost.exe	123
PID 1936 wrote to memory of 3672	1936	Winhost.exe	125
PID 1936 wrote to memory of 3672	1936	Winhost.exe	125

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLua = "1"	Seven.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	Seven.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "1"	Seven.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 6 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4108	attrib.exe
236	attrib.exe
1924	attrib.exe
4132	attrib.exe
1636	attrib.exe
3944	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Seven.exe
"C:\Users\Admin\AppData\Local\Temp\Seven.exe"
1⤵
- Modifies Windows Defender Real-time Protection settings
- UAC bypass
- Blocks application from running via registry modification
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Windows security modification
- Checks whether UAC is enabled
- Sets desktop wallpaper using registry
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3932
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" Get-MpPreference -verbose
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3104
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C copy C:\Users\Admin\AppData\Local\Temp\Seven.exe C:\Users\Admin\AppData\Local\Temp\Winhost.exe
  2⤵
  PID:3280
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C copy C:\Users\Admin\AppData\Local\Temp\Seven.exe C:\Windows\System32\Winhost.exe
  2⤵
  - Drops file in System32 directory
  PID:4536
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C copy C:\Users\Admin\AppData\Local\Temp\Seven.exe C:\Users\Public\Documents\Winhost.exe
  2⤵
  PID:2440
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C attrib +h C:\Windows\System32\Winhost.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4672
- - C:\Windows\system32\attrib.exe
    attrib +h C:\Windows\System32\Winhost.exe
    3⤵
    - Drops file in System32 directory
    - Views/modifies file attributes
    PID:1924
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C attrib +h C:\Users\Public\Documents\Winhost.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3444
- - C:\Windows\system32\attrib.exe
    attrib +h C:\Users\Public\Documents\Winhost.exe
    3⤵
    - Views/modifies file attributes
    PID:3944
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C copy C:\Users\Admin\AppData\Local\Temp\Seven.dll C:\Windows\System32\Seven.dll
  2⤵
  - Drops file in System32 directory
  PID:2352
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C copy C:\Users\Admin\AppData\Local\Temp\Seven.dll C:\Users\Public\Documents\Seven.dll
  2⤵
  PID:2248
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C copy C:\Users\Admin\AppData\Local\Temp\Seven.runtimeconfig.json C:\Windows\System32\Seven.runtimeconfig.json
  2⤵
  - Drops file in System32 directory
  PID:3392
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C copy C:\Users\Admin\AppData\Local\Temp\Seven.runtimeconfig.json C:\Users\Public\Documents\Seven.runtimeconfig.json
  2⤵
  PID:1424
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C attrib +h C:\Windows\System32\Seven.dll
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:804
- - C:\Windows\system32\attrib.exe
    attrib +h C:\Windows\System32\Seven.dll
    3⤵
    - Drops file in System32 directory
    - Views/modifies file attributes
    PID:1636
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C attrib +h C:\Windows\System32\Seven.runtimeconfig.json
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3428
- - C:\Windows\system32\attrib.exe
    attrib +h C:\Windows\System32\Seven.runtimeconfig.json
    3⤵
    - Drops file in System32 directory
    - Views/modifies file attributes
    PID:4132
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C attrib +h C:\Users\Public\Documents\Seven.dll
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3476
- - C:\Windows\system32\attrib.exe
    attrib +h C:\Users\Public\Documents\Seven.dll
    3⤵
    - Views/modifies file attributes
    PID:236
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C attrib +h C:\Users\Public\Documents\Seven.runtimeconfig.json
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2276
- - C:\Windows\system32\attrib.exe
    attrib +h C:\Users\Public\Documents\Seven.runtimeconfig.json
    3⤵
    - Views/modifies file attributes
    PID:4108
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C start C:\Users\Admin\AppData\Local\Temp\Winhost.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1756
- - C:\Users\Admin\AppData\Local\Temp\Winhost.exe
    C:\Users\Admin\AppData\Local\Temp\Winhost.exe
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Drops desktop.ini file(s)
    - Sets desktop wallpaper using registry
    - Suspicious use of WriteProcessMemory
    PID:4632
  - - C:\Users\Admin\AppData\Local\Temp\Winhost.exe
      "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
      4⤵
      Executes dropped EXE
      Sets desktop wallpaper using registry
      Suspicious use of WriteProcessMemory
      PID:3932
    - - C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3144
      - C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3536
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4976
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3640
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2956
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:128
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4568
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1936
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        13⤵
        Executes dropped EXE
        
        PID:3672
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        14⤵
        Executes dropped EXE
        
        PID:4400
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        15⤵
        Executes dropped EXE
        
        PID:2292
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        16⤵
        Executes dropped EXE
        
        PID:4744
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        17⤵
        Executes dropped EXE
        
        PID:4576
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        18⤵
        Executes dropped EXE
        
        PID:1656
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        19⤵
        Executes dropped EXE
        
        PID:4192
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        20⤵
        Executes dropped EXE
        
        PID:1636
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        21⤵
        Executes dropped EXE
        
        PID:1792
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        22⤵
        Executes dropped EXE
        
        PID:4116
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        23⤵
        Executes dropped EXE
        
        PID:4724
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        24⤵
        Executes dropped EXE
        
        PID:2460
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        25⤵
        Executes dropped EXE
        
        PID:4736
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        26⤵
        Executes dropped EXE
        
        PID:1028
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        27⤵
        Executes dropped EXE
        
        PID:1760
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        28⤵
        Executes dropped EXE
        
        PID:1860
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        29⤵
        Executes dropped EXE
        
        PID:3392
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        30⤵
        Executes dropped EXE
        
        PID:4108
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        31⤵
        Executes dropped EXE
        
        PID:1400
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        32⤵
        Executes dropped EXE
        
        PID:1080
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        33⤵
        Executes dropped EXE
        
        PID:3704
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        34⤵
        Executes dropped EXE
        
        PID:3928
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        35⤵
        Executes dropped EXE
        
        PID:3304
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        36⤵
        Executes dropped EXE
        
        PID:2880
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        37⤵
        Executes dropped EXE
        
        PID:952
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        38⤵
        Executes dropped EXE
        
        PID:4728
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        39⤵
        Executes dropped EXE
        
        PID:4236
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        40⤵
        Executes dropped EXE
        
        PID:248
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        41⤵
        Executes dropped EXE
        
        PID:2352
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        42⤵
        Executes dropped EXE
        
        PID:4268
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        43⤵
        Executes dropped EXE
        
        PID:1476
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        44⤵
        Executes dropped EXE
        
        PID:1364
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        45⤵
        Executes dropped EXE
        
        PID:5056
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        46⤵
        Executes dropped EXE
        
        PID:2292
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        47⤵
        Executes dropped EXE
        
        PID:4196
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        48⤵
        
        PID:2880
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        48⤵
        Executes dropped EXE
        
        PID:5072
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        49⤵
        Executes dropped EXE
        
        PID:1756
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        50⤵
        Executes dropped EXE
        
        PID:1916
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        51⤵
        Executes dropped EXE
        
        PID:3692
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        52⤵
        Executes dropped EXE
        
        PID:4960
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        53⤵
        Executes dropped EXE
        
        PID:1840
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        54⤵
        Executes dropped EXE
        
        PID:3236
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        55⤵
        Executes dropped EXE
        
        PID:4740
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        56⤵
        Executes dropped EXE
        
        PID:4904
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        57⤵
        Executes dropped EXE
        
        PID:240
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        58⤵
        Executes dropped EXE
        
        PID:832
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        59⤵
        Executes dropped EXE
        
        PID:5072
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        60⤵
        Executes dropped EXE
        
        PID:3576
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        61⤵
        
        PID:1756
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        61⤵
        Executes dropped EXE
        
        PID:1916
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        62⤵
        Executes dropped EXE
        
        PID:3692
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        63⤵
        Executes dropped EXE
        
        PID:1988
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        64⤵
        Executes dropped EXE
        
        PID:1080
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        65⤵
        
        PID:1840
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        65⤵
        Executes dropped EXE
        
        PID:3912
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        66⤵
        Executes dropped EXE
        
        PID:2728
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        67⤵
        
        PID:2820
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        68⤵
        
        PID:3288
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        69⤵
        
        PID:4512
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        70⤵
        
        PID:4088
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        71⤵
        
        PID:5024
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        72⤵
        
        PID:4232
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        73⤵
        
        PID:764
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        74⤵
        
        PID:5044
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        75⤵
        
        PID:4696
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        76⤵
        
        PID:2124
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        77⤵
        
        PID:3468
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        78⤵
        
        PID:2240
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        79⤵
        
        PID:3280
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        80⤵
        
        PID:4984
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        81⤵
        
        PID:3440
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        82⤵
        
        PID:2368
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        83⤵
        
        PID:1776
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        84⤵
        
        PID:2160
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        85⤵
        
        PID:2000
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        86⤵
        
        PID:664
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        87⤵
        
        PID:804
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        88⤵
        
        PID:2764
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        89⤵
        
        PID:3100
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        90⤵
        
        PID:4896
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        91⤵
        
        PID:1764
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        92⤵
        
        PID:3392
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        93⤵
        
        PID:4088
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        93⤵
        
        PID:1464
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        94⤵
        
        PID:5024
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        94⤵
        
        PID:1216
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        95⤵
        
        PID:4232
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        95⤵
        
        PID:2332
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        96⤵
        
        PID:764
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        96⤵
        
        PID:3232
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        97⤵
        
        PID:5044
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        97⤵
        
        PID:5036
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        98⤵
        
        PID:4696
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        98⤵
        
        PID:2124
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        99⤵
        
        PID:4224
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        100⤵
        
        PID:2448
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        101⤵
        
        PID:396
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        102⤵
        
        PID:924
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        103⤵
        
        PID:4968
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        104⤵
        
        PID:228
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        105⤵
        
        PID:3672
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        106⤵
        
        PID:1988
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        107⤵
        
        PID:1524
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        108⤵
        
        PID:4816
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        109⤵
        
        PID:2240
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        110⤵
        
        PID:3800
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        111⤵
        
        PID:4840
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        112⤵
        
        PID:1568
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        113⤵
        
        PID:1420
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        114⤵
        
        PID:3832
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        115⤵
        
        PID:3536
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        116⤵
        
        PID:4128
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        117⤵
        
        PID:5052
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        118⤵
        
        PID:2888
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        119⤵
        
        PID:2588
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        120⤵
        
        PID:1612
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        121⤵
        
        PID:1556
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        122⤵
        
        PID:3892
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        123⤵
        
        PID:1128
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        124⤵
        
        PID:240
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        125⤵
        
        PID:3440
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        126⤵
        
        PID:4108
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        127⤵
        
        PID:1956
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        128⤵
        
        PID:488
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        129⤵
        
        PID:3200
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        130⤵
        
        PID:3704
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        131⤵
        
        PID:3144
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        132⤵
        
        PID:3452
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        133⤵
        
        PID:3432
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        134⤵
        
        PID:4544
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        135⤵
        
        PID:1756
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        136⤵
        
        PID:4512
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        137⤵
        
        PID:4116
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        138⤵
        
        PID:4948
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        139⤵
        
        PID:2060
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        140⤵
        
        PID:1172
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        141⤵
        
        PID:2944
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        142⤵
        
        PID:1576
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        143⤵
        
        PID:3576
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        144⤵
        
        PID:3800
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        144⤵
        
        PID:4088
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        145⤵
        
        PID:1612
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        146⤵
        
        PID:1760
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        147⤵
        
        PID:4204
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        148⤵
        
        PID:3240
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        149⤵
        
        PID:1880
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        150⤵
        
        PID:800
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        151⤵
        
        PID:4540
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        152⤵
        
        PID:2876
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        152⤵
        
        PID:2744
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        153⤵
        
        PID:2064
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        154⤵
        
        PID:1516
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        155⤵
        
        PID:2776
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        156⤵
        
        PID:2888
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        157⤵
        
        PID:4996
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        158⤵
        
        PID:4464
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        159⤵
        
        PID:4844
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        159⤵
        
        PID:1880
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        160⤵
        
        PID:2752
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        161⤵
        
        PID:5032
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        162⤵
        
        PID:2016
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        163⤵
        
        PID:3560
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        164⤵
        
        PID:1080
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        165⤵
        
        PID:1424
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        166⤵
        
        PID:2776
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        167⤵
        
        PID:4664
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        168⤵
        
        PID:2888
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        168⤵
        
        PID:3552
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        169⤵
        
        PID:2352
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        170⤵
        
        PID:3264
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        171⤵
        
        PID:1028
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        172⤵
        
        PID:668
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        173⤵
        
        PID:1420
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        174⤵
        
        PID:896
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        175⤵
        
        PID:3168
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        176⤵
        
        PID:2956
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        177⤵
        
        PID:3840
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        178⤵
        
        PID:2244
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        179⤵
        
        PID:3568
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        180⤵
        
        PID:4544
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        181⤵
        
        PID:2280
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        182⤵
        
        PID:4712
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        183⤵
        
        PID:4236
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        184⤵
        
        PID:4580
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        185⤵
        
        PID:1324
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        186⤵
        
        PID:1760
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        187⤵
        
        PID:3452
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        187⤵
        
        PID:4280
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        188⤵
        
        PID:3552
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        189⤵
        
        PID:2984
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        190⤵
        
        PID:3152
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        191⤵
        
        PID:4432
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        192⤵
        
        PID:3224
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        192⤵
        
        PID:4968
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        193⤵
        
        PID:3164
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        194⤵
        
        PID:4268
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        195⤵
        
        PID:1060
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        196⤵
        
        PID:1980
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        197⤵
        
        PID:2420
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        198⤵
        
        PID:3688
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        199⤵
        
        PID:4512
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        200⤵
        
        PID:4544
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        201⤵
        
        PID:4192
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        202⤵
        
        PID:1488
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        203⤵
        
        PID:1672
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        204⤵
        
        PID:4580
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        205⤵
        
        PID:1936
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        206⤵
        
        PID:2256
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        207⤵
        
        PID:4280
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        208⤵
        
        PID:4448
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        209⤵
        
        PID:2456
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        210⤵
        
        PID:2776
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        211⤵
        
        PID:3080
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        212⤵
        
        PID:4224
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        213⤵
        
        PID:3808
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        214⤵
        
        PID:1556
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        215⤵
        
        PID:4640
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        216⤵
        
        PID:3940
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        217⤵
        
        PID:2420
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        218⤵
        
        PID:2248
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        219⤵
        
        PID:3236
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        220⤵
        
        PID:800
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        221⤵
        
        PID:1636
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        222⤵
        
        PID:1904
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        223⤵
        
        PID:456
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        224⤵
        
        PID:2140
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        224⤵
        
        PID:1524
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        225⤵
        
        PID:128
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        226⤵
        
        PID:3056
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        227⤵
        
        PID:576
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        228⤵
        
        PID:1416
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        229⤵
        
        PID:1436
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        230⤵
        
        PID:2680
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        231⤵
        
        PID:2280
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        232⤵
        
        PID:1944
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        233⤵
        
        PID:4976
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        234⤵
        
        PID:1984
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        235⤵
        
        PID:4740
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        236⤵
        
        PID:2284
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        237⤵
        
        PID:3304
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        238⤵
        
        PID:5036
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        239⤵
        
        PID:3440
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        240⤵
        
        PID:668
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        241⤵
        
        PID:4004
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        242⤵
        
        PID:4460
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        243⤵
        
        PID:756
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        244⤵
        
        PID:1244
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        245⤵
        
        PID:2300
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        246⤵
        
        PID:4740
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        247⤵
        
        PID:4676
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        248⤵
        
        PID:2732
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        249⤵
        
        PID:2160
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        250⤵
        
        PID:5112
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        251⤵
        
        PID:4744
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        252⤵
        
        PID:1904
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        253⤵
        
        PID:1132
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        254⤵
        
        PID:228
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        255⤵
        
        PID:1244
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        256⤵
        
        PID:2724

C:\Windows\System32\Winhost.exe
C:\Windows\System32\Winhost.exe
1⤵
- Drops file in System32 directory
PID:3300
- C:\Windows\System32\Winhost.exe
  "C:\Windows\System32\Winhost.exe"
  2⤵
  - Drops file in System32 directory
  PID:4988
- - C:\Windows\System32\Winhost.exe
    "C:\Windows\System32\Winhost.exe"
    3⤵
    - Drops file in System32 directory
    PID:456
  - - C:\Windows\System32\Winhost.exe
      "C:\Windows\System32\Winhost.exe"
      4⤵
      Drops file in System32 directory
      PID:4984
    - - C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        5⤵
        Drops file in System32 directory
        
        PID:3616
      - C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        6⤵
        Drops file in System32 directory
        
        PID:2500
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        7⤵
        Drops file in System32 directory
        
        PID:2872
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        8⤵
        Drops file in System32 directory
        
        PID:1316
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        9⤵
        Drops file in System32 directory
        
        PID:716
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        10⤵
        Drops file in System32 directory
        
        PID:3224
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        11⤵
        Drops file in System32 directory
        
        PID:4532
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        12⤵
        Drops file in System32 directory
        
        PID:4844
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        13⤵
        Drops file in System32 directory
        
        PID:2876
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        14⤵
        Drops file in System32 directory
        
        PID:1212
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        15⤵
        Drops file in System32 directory
        
        PID:2140
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        16⤵
        Drops file in System32 directory
        
        PID:2824
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        17⤵
        Drops file in System32 directory
        
        PID:1124
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        18⤵
        
        PID:4752
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        19⤵
        
        PID:4840
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        19⤵
        
        PID:4456
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        20⤵
        
        PID:5052
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        21⤵
        
        PID:716
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        22⤵
        
        PID:1808
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        23⤵
        
        PID:3068
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        24⤵
        
        PID:3384
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        25⤵
        
        PID:5092
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        26⤵
        
        PID:4636
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        27⤵
        
        PID:4776
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        28⤵
        
        PID:2776
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        29⤵
        
        PID:2804
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        30⤵
        
        PID:2464
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        31⤵
        
        PID:1956
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        32⤵
        
        PID:4224
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        33⤵
        
        PID:1108
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        34⤵
        
        PID:4080
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        35⤵
        
        PID:3252
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        36⤵
        
        PID:4756
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        37⤵
        
        PID:776
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        38⤵
        
        PID:3572
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        39⤵
        
        PID:4896
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        40⤵
        
        PID:1696
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        41⤵
        
        PID:1360
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        42⤵
        
        PID:2384
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        43⤵
        
        PID:2132
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        44⤵
        
        PID:1464
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        45⤵
        
        PID:3028
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        46⤵
        
        PID:1948
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        47⤵
        
        PID:2368
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        48⤵
        
        PID:3560
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        49⤵
        
        PID:4940
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        50⤵
        
        PID:4752
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        51⤵
        
        PID:4812
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        52⤵
        
        PID:1060
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        53⤵
        
        PID:5088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\EncryptedLog.txt

Filesize
163B

MD5
a07d02acd1419393ac6c458ae2303294

SHA1
8b362eb36e78f533809899c4c9a40523678dcc35

SHA256
df943261e82cc92f26b4c5ee59703adefc1bbdef05079db2bab15e4a5720290a

SHA512
379671215ab023ecb157d1da0ded2c80bb59bb388a4b88a86eb6248c5977e432616a563264792659cb38e0df4bd48e3d0081a1dcc9c63f9a8a5ad73f72885616

Download Submit
C:\Users\Admin\AppData\Local\Temp\EncryptedLog.txt

Filesize
80B

MD5
f6eea31fbeb042a411defc6d089848c3

SHA1
0e7c44666fa5359b07b44f01f0334f4a39aaa949

SHA256
c5063b6da42d81bcc08e8db97cfd643537798c82235bfae1ecefab86c1d890b0

SHA512
c2c8359e4a8efb62dc53137b5bd9bfe9dccbde2dc43af61f4eaec37444a5ce3d02fabcea28eb9eb3c38885f10b49781930395c39ed9afdc38fd28ba740e5c47b

Download Submit
C:\Users\Admin\AppData\Local\Temp\EncryptedLog.txt

Filesize
80B

MD5
b895aca6082fa8473b36a4f420c9ccdc

SHA1
1e6fe9a7341f241dfedabb9c0be14a0384dc3382

SHA256
bb716bc174bbee0e77dfcd3ac0050e78a856538b81ef07a7626b7c6442f6b596

SHA512
843ef93c3024596b12ed102a07600987189b1f4e2347cd1961dd9e28be7930edc2ef9c115fc8bbcd122ced07d62228f4ed65e822600cd7fc85d6e064e3491a06

Download Submit
C:\Users\Admin\AppData\Local\Temp\KeyAndIV.txt.420

Filesize
64B

MD5
cce3cd05806fd09001e3f3b51253c8db

SHA1
5d58de23cd010a58af9003b5962b457a32307bb1

SHA256
7c37bf56fde846ef0a44c410e86c0ed8a786264e7e91c6767f9874bad48d3606

SHA512
3603b179f9d995eb2ae12299e182212246e43b33414b287cca72f44028afc39f97deb19a696b6d285a111a6ae2c91b032a7d08636cb183e16dbdee4a43261e73

Download Submit
C:\Users\Admin\AppData\Local\Temp\KeyAndIV.txt.420

Filesize
64B

MD5
9b8277197b42df8da11f8359c32e3e6c

SHA1
2edcb88e1775454aff21d74297a7a396da526d70

SHA256
6db0a82fe3408153e9d0c4a2ae43c1f7be378264dca147bccba576ca3617d9d5

SHA512
c8908eca53ce29b531ca4a60e584fdd547a5f9c43e7b57fc7657b54bf5e97cf86c10838156ce8c6943986e22d73ca9699d1117c94d5778621837a45c7a6c31c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1wmi4ezl.thp.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\System32\Seven.dll

Filesize
1.3MB

MD5
aeb701a9583902897e1677fe2dcc6c86

SHA1
4ef27b369d36b3a7b28d4814015203255a325854

SHA256
e4ea46499fffad7ca2c2b25ff097ebdbf3219ce861f287887f4ee77b30912ee0

SHA512
80bf58d6cc11d6e65008d28c2cc001692356c364d1488e885c29f55db82ccdbbc8ac23a8a77b8154e5167dd894d0bf169986cc76f6b5a27b04393a45fe89a25a

Download Submit
C:\Windows\System32\Seven.runtimeconfig.json

Filesize
340B

MD5
253333997e82f7d44ea8072dfae6db39

SHA1
03b9744e89327431a619505a7c72fd497783d884

SHA256
28329cf08f6505e73806b17558b187c02f0c1c516fe47ebfb7a013d082aaa306

SHA512
56d99039e0fb6305588e9f87361e7e0d5051507bf321ba36619c4d29741f35c27c62f025a52523c9e1c7287aabf1533444330a8cdf840fa5af0fa2241fcb4fc2

Download Submit
C:\Windows\System32\Winhost.exe

Filesize
139KB

MD5
350273e0d2e8a9ba5e37b791016112a0

SHA1
5bfb616dd46f67d1dcbbff55ca5917ffc1ec8b71

SHA256
27297bf8139bea755e9297e7e1489d827d1ee09a8e1d94a3ef96a2edb2de61ba

SHA512
b1e768524b4e840bd5f4163205122dd1725583245d8bfd5cbd89eb21a5fb9d33aff1b7b0ca42132b7dae469e025068ae663b3b02ad59927a558dc340141ec91b

Download Submit
C:\vcredist2010_x64.log-MSI_vc_red.msi.txt.420

Filesize
380KB

MD5
c8aece77818159218057ad5273239cdd

SHA1
2ad1b98bdcbcc589be043cd502e116a1b51e5996

SHA256
03dc7920d5361a110acec63fd3d48cd65945ce40140f8e5f1831666294985a1c

SHA512
a5017ebe84028899701f289ba8438ce55319915d5836aa95aa9a69d0bb7d9591a8b6f63d4da6d6e459a9302193127eeb295ce503f820b420e97aeeda094479e7

Download Submit
C:\vcredist2010_x64.log.html.420

Filesize
86KB

MD5
45c4ee9266ba19bd10f98a38ce894b89

SHA1
95f91eab621baff6874e0bb186d21f4beec789c4

SHA256
a0603f76399b04f091321641bd1380b6535c1d0b9db0611e84328d4c17128edb

SHA512
ff4034035eb763cf21d472a0e2cef711963ad86475d0202e5a2f4e13b05dac70b71c308798619478dd093fbede6c88e8ec3601a1ca9e6c0a6601ab03d226f743

Download Submit
C:\vcredist2010_x86.log-MSI_vc_red.msi.txt.420

Filesize
394KB

MD5
1ad9d6ffe2f4b71746d518a9ce32ca73

SHA1
be612aab55f23257596951c90e4a7874b18f912e

SHA256
a8cdce408388a965e8a8f4cd368d2daa9240d9fbe0f2a20ac698ce343217fd37

SHA512
49e9c8731293e700d8acc33f7674db986682e2975c77cb93554b7f020787fd2de8f768c381f10f683e4c1aad7380e1dd14a6e6a9024c521e4e014c66270326ce

Download Submit
C:\vcredist2010_x86.log.html.420

Filesize
81KB

MD5
b8a5b1462ff9ce6a27eb693aba744c41

SHA1
d9cce0c00680d73e01e5db434cd0b2836829c1cf

SHA256
db62fa1a5b29895a0598b9067e7f7f522da41b80dc5067672e41b7c2bc079ac7

SHA512
f353889a2117a2eb1d644b65512d86d681fa03282a7666239d628232af5f545de0c46a6e78701c5bf6896f9c09d0b51c1918a1bde60545651c018b00ff10d4a5

Download Submit
C:\vcredist2012_x64_0_vcRuntimeMinimum_x64.log.420

Filesize
168KB

MD5
7178d975a52db75859546380389317b2

SHA1
868b19675177fc7e66018efae93e9508b52ae81c

SHA256
8df3031aec8792ae0000106256316d7809c363688f0889fc792a0ebe73413faa

SHA512
73621cbc999e42bbcbb396ea663a972542f21de90ec9a9fa79d9a4d3770e1a545b36d79521d65582006111f273b846194289d5eca0ca1d97e2b2048cfbdeb9a6

Download Submit
C:\vcredist2012_x64_1_vcRuntimeAdditional_x64.log.420

Filesize
195KB

MD5
4ea0ad36b82179c0e08d395672f577e2

SHA1
99a7aa43a1dcb178b5fb73ea17f74209dd763bb1

SHA256
baea262c4bca8c7de255781b5657bb5c31c39d020bf231e584bf49ed51ad8677

SHA512
af248d390ddef6e2d707799383769b6cecf9b1a07b28845daeb6a613f344b3f42f235f1087f1e112ef6774975bfe2f69e15ff7d0f3561b2b3d4ec7eb5405baec

Download Submit
C:\vcredist2012_x86_0_vcRuntimeMinimum_x86.log.420

Filesize
171KB

MD5
ad2cc14d7f2367c1dd893d1a42243b03

SHA1
60cf27795a6647b28d19b2d00d92c922575ddd03

SHA256
01fb40e1c7a72ae17ad46f27ab61366f74fd3133e20a550d341d09c2304412f5

SHA512
9f6adc453e7013b1eb4e633f66b9f7522efaafe6f522f027db71194aa98c9b7122eed4d7b57f66d1d17785e472136f856676f3777ba38f01c6f31b88f5c6bc75

Download Submit
C:\vcredist2012_x86_1_vcRuntimeAdditional_x86.log.420

Filesize
208KB

MD5
41e6fb9880580d5d3a6d73be7446d0c9

SHA1
4f81f53e3345846bde8e9c263bfa87baa264191d

SHA256
7528c3bfa6e6bf555126d94c510aed0bcfeca48fc8edd983ce5568785514f9d3

SHA512
3720bc8704e0eecf079a48dff7f1ece0bc003ea7f45d35c9e82fd8f2422112a5371e70f88ccd14c40a22a9cd4281eca49ef21fe26c44128ca5ac86f56ceceafc

Download Submit
C:\vcredist2013_x64_000_vcRuntimeMinimum_x64.log.420

Filesize
170KB

MD5
c524a4d2d98c84abee530214978ac6b7

SHA1
aee1e5cd61b60186b2639dd3c770b86204e44536

SHA256
129e79ebde2c216b103e742302547b45f7d722b1c3d1722b86526a20b2bb6650

SHA512
f5a24625fe6f023de6e070532da73fe5db2d775fb286a06afad0d63c4a3b2d2e708d1b7ae52cfda69c472d8e96124a712bf952db4384641c6a5a9b6a30e3fb91

Download Submit
C:\vcredist2013_x64_001_vcRuntimeAdditional_x64.log.420

Filesize
190KB

MD5
9393125498821a5f41a870020b4bcf58

SHA1
01565ce1be36dc37557978bb3d6f418acb97c372

SHA256
3e97c3497a0b3a6ac48c0d08a48a7d2085a184c9d15ae8633213d6a491f51f6c

SHA512
e553ebba834309b8f044c68335ee53f1ff81c6b2b6a741373a9ae5c048da7947db83a738d6c270bb2bc536379185947087a8b30f174e7620cb674a618456a93f

Download Submit
C:\vcredist2013_x86_000_vcRuntimeMinimum_x86.log.420

Filesize
170KB

MD5
69d91c31cb0197ff48de22aa35a29170

SHA1
8f1688aeb9e78bfebf20f353cebcfd5f325705cb

SHA256
d87b143af759fb7633007da3128e9cd1a313602c7490a7923fbf80390d40fd22

SHA512
71c6be4bc34d59f6626820c5a81fe4603196015a748c450a953bd51a2e8cf868c972a8a36d72806f0db918594480fc77cbdadf701dcd1a11ce33b92dde577a97

Download Submit
C:\vcredist2013_x86_001_vcRuntimeAdditional_x86.log.420

Filesize
198KB

MD5
0e81b23a28bba79e83fb1faf9adab2b1

SHA1
1b35832e2bd4949bd499a8625d26c8a07caf1ff6

SHA256
4242ead00ba527d75922eb0b3474b4fe52940134414d0493211ab2aa62207c71

SHA512
7353f49df6e2d39e2fe6ae010f2eaf2dd3ea15aa59cac1170dc8ed87aff50a56d8be788ca3bf88e7d41409787af2c5f67a07fd01bcc0a7f5d548e991c45a17dd

Download Submit
C:\vcredist2022_x64_000_vcRuntimeMinimum_x64.log.420

Filesize
123KB

MD5
a53306f01e8de43f584fe4e94472c3ee

SHA1
fbb6cb0404544ad43ee2bb53858340ada3fc911d

SHA256
57c37893d6adfd88cd9865b8bdeec61745fe1e01a57840431fbd4955bf44d079

SHA512
2c72c6a20ac40e0a3e01d15004c7db07653f9f00db5f4fae8757e1bb64721085d1065cf00ab18dce7814ec1388933b95dd2acc7815dfbf4a71c989886f5db2be

Download Submit
C:\vcredist2022_x64_001_vcRuntimeAdditional_x64.log.420

Filesize
129KB

MD5
294f6d340c54ef973a923e8a425da0cd

SHA1
cdac0c9714117c35e3631f9e335d45a2425339cc

SHA256
e6802363de97c407d3cdca310e17e1ec21f4f0095da31e4b1e3277e608485b6a

SHA512
bdbd07d45480576223d38314d68721def2ab7b45ccac040662bf89c354f4c3bde58db452a63d20dbdc0c2954ab633b4cddd8920bb3984f1e2eb5a0f66db2d82a

Download Submit
C:\vcredist2022_x86_000_vcRuntimeMinimum_x86.log.420

Filesize
123KB

MD5
e5fcc0a7e7fdc639fec06d84d4eaa130

SHA1
07aa9f63521e24fc1d17c42bb9ff226711ec82cf

SHA256
b023d3e715387050e168c9c5f4ea82b74430ac540ab214ad6ca6790ef3d20d6a

SHA512
e1822c99a49ebdba21a43e6b09259bfecf970be865ef9dd6be3fd10a14d2c991bffacbb9da3e899929dbeaa9c494ac9ce2a7bdb718aae4522baaec5fff93ef2d

Download Submit
C:\vcredist2022_x86_001_vcRuntimeAdditional_x86.log.420

Filesize
135KB

MD5
3f76ec37382620b26f2ab1de2c36eb41

SHA1
69cc25c0b8cad6a45c41cf0360aafdf670f88036

SHA256
3f43f34b2cdcbfb81f82105807188799e51a1566c04d4a1ff28f9bb42d787ce7

SHA512
14aac10848ee3f421c02800b9402bd80af6278c0bb421a818221f06f25dbe0d72cddd1e11cffcf27d7b539260fe29cf8d5ad2fab758d8af9dbb30a640c75a72f

Download Submit
memory/3104-13-0x000001A934A80000-0x000001A934A90000-memory.dmp

Filesize
64KB

Download
memory/3104-16-0x00007FFE4D640000-0x00007FFE4E102000-memory.dmp

Filesize
10.8MB

Download
memory/3104-10-0x00007FFE4D640000-0x00007FFE4E102000-memory.dmp

Filesize
10.8MB

Download
memory/3104-12-0x000001A934A80000-0x000001A934A90000-memory.dmp

Filesize
64KB

Download
memory/3104-9-0x000001A934A50000-0x000001A934A72000-memory.dmp

Filesize
136KB

Download
memory/3104-11-0x000001A934A80000-0x000001A934A90000-memory.dmp

Filesize
64KB

Download