f1662149f835cfa5fe3e22df52987ea04474a122577af31adf04223cededf43d

Analysis

max time kernel
64s
max time network
150s
platform
windows11-21h2_x64
resource
win11-20240419-en
resource tags

arch:x64arch:x86image:win11-20240419-enlocale:en-usos:windows11-21h2-x64system
submitted
30/04/2024, 02:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Seven.exe
Size

139KB
MD5

350273e0d2e8a9ba5e37b791016112a0
SHA1

5bfb616dd46f67d1dcbbff55ca5917ffc1ec8b71
SHA256

27297bf8139bea755e9297e7e1489d827d1ee09a8e1d94a3ef96a2edb2de61ba
SHA512

b1e768524b4e840bd5f4163205122dd1725583245d8bfd5cbd89eb21a5fb9d33aff1b7b0ca42132b7dae469e025068ae663b3b02ad59927a558dc340141ec91b
SSDEEP

3072:miS4omp03WQthI/9S3BZi08iRQ1G78IVn27bSfcJd8ltw:miS4ompB9S3BZi0a1G78IVhcTct

Score

10^/10

evasion ransomware spyware stealer trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	Seven.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	Seven.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	Seven.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Seven.exe

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLua = "1"	Seven.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "1"	Seven.exe

Renames multiple (246) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Blocks application from running via registry modification 1 IoCs

Adds application to list of disallowed applications.

evasion

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	Seven.exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-734199974-1358367239-436541239-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Seven.exe

Disables Task Manager via registry modification
evasion

Disables cmd.exe use via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-734199974-1358367239-436541239-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	Seven.exe

Deletes itself 1 IoCs

pid	Process
2824	Winhost.exe

Executes dropped EXE 64 IoCs

pid	Process
2824	Winhost.exe
2296	Winhost.exe
4576	Winhost.exe
1048	Winhost.exe
3492	Winhost.exe
2540	Winhost.exe
1488	Winhost.exe
4892	Winhost.exe
3144	Winhost.exe
2324	Winhost.exe
3252	Winhost.exe
3368	Winhost.exe
1336	Winhost.exe
792	Winhost.exe
3436	Winhost.exe
4548	Winhost.exe
3132	Winhost.exe
1832	Winhost.exe
1488	Winhost.exe
3964	Winhost.exe
4272	Winhost.exe
2900	Winhost.exe
2356	Winhost.exe
4200	Winhost.exe
3160	Winhost.exe
3764	Winhost.exe
2788	Winhost.exe
1952	Winhost.exe
3216	Winhost.exe
5052	Winhost.exe
1480	Winhost.exe
3156	Winhost.exe
696	Winhost.exe
4996	Winhost.exe
4360	Winhost.exe
1172	Winhost.exe
2872	Winhost.exe
2084	Winhost.exe
1900	Winhost.exe
2000	Winhost.exe
1360	Winhost.exe
1696	Winhost.exe
3764	Winhost.exe
3460	Winhost.exe
2764	Winhost.exe
2836	Winhost.exe
4028	Winhost.exe
3736	Winhost.exe
2020	Winhost.exe
1632	Winhost.exe
2064	Winhost.exe
3584	Winhost.exe
3528	Winhost.exe
4768	Winhost.exe
2428	Winhost.exe
1940	Winhost.exe
864	Winhost.exe
2700	Winhost.exe
4780	Winhost.exe
1988	Winhost.exe
2732	Winhost.exe
4312	Winhost.exe
2924	Winhost.exe
3468	Winhost.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	Seven.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLua	Seven.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLua = "1"	Seven.exe

Drops desktop.ini file(s) 7 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	Winhost.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	Winhost.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	Winhost.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	Winhost.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	Winhost.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	Winhost.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	Winhost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
2	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com
1	raw.githubusercontent.com

Drops file in System32 directory 13 IoCs

description	ioc	Process
File created	C:\Windows\System32\Seven.runtimeconfig.json	cmd.exe
File created	C:\Windows\system32\EncryptedLog.txt	Winhost.exe
File opened for modification	C:\Windows\System32\Seven.dll	attrib.exe
File opened for modification	C:\Windows\System32\Seven.runtimeconfig.json	cmd.exe
File opened for modification	C:\Windows\System32\Seven.dll	cmd.exe
File created	C:\Windows\system32\KeyAndIV.txt	Winhost.exe
File created	C:\Windows\System32\Seven.dll	cmd.exe
File opened for modification	C:\Windows\System32\Winhost.exe	attrib.exe
File opened for modification	C:\Windows\System32\Seven.runtimeconfig.json	attrib.exe
File created	C:\Windows\system32\KeyAndIV.txt	Winhost.exe
File created	C:\Windows\system32\EncryptedLog.txt	Winhost.exe
File created	C:\Windows\System32\Winhost.exe	cmd.exe
File opened for modification	C:\Windows\System32\Winhost.exe	cmd.exe

Sets desktop wallpaper using registry 2 TTPs 5 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-734199974-1358367239-436541239-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmpiuro41.tmp"	Seven.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-734199974-1358367239-436541239-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmpm542ii.tmp"	Winhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-734199974-1358367239-436541239-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmpcunvba.tmp"	Winhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-734199974-1358367239-436541239-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmpehznj0.tmp"	Winhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-734199974-1358367239-436541239-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmpqkly3b.tmp"	Winhost.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3440	powershell.exe
3440	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3440	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4276 wrote to memory of 3440	4276	Seven.exe	80
PID 4276 wrote to memory of 3440	4276	Seven.exe	80
PID 4276 wrote to memory of 3628	4276	Seven.exe	82
PID 4276 wrote to memory of 3628	4276	Seven.exe	82
PID 4276 wrote to memory of 1944	4276	Seven.exe	83
PID 4276 wrote to memory of 1944	4276	Seven.exe	83
PID 4276 wrote to memory of 480	4276	Seven.exe	84
PID 4276 wrote to memory of 480	4276	Seven.exe	84
PID 4276 wrote to memory of 1336	4276	Seven.exe	85
PID 4276 wrote to memory of 1336	4276	Seven.exe	85
PID 4276 wrote to memory of 1628	4276	Seven.exe	86
PID 4276 wrote to memory of 1628	4276	Seven.exe	86
PID 4276 wrote to memory of 1536	4276	Seven.exe	87
PID 4276 wrote to memory of 1536	4276	Seven.exe	87
PID 4276 wrote to memory of 2212	4276	Seven.exe	88
PID 4276 wrote to memory of 2212	4276	Seven.exe	88
PID 4276 wrote to memory of 652	4276	Seven.exe	89
PID 4276 wrote to memory of 652	4276	Seven.exe	89
PID 4276 wrote to memory of 3096	4276	Seven.exe	90
PID 4276 wrote to memory of 3096	4276	Seven.exe	90
PID 4276 wrote to memory of 4116	4276	Seven.exe	91
PID 4276 wrote to memory of 4116	4276	Seven.exe	91
PID 4276 wrote to memory of 4996	4276	Seven.exe	92
PID 4276 wrote to memory of 4996	4276	Seven.exe	92
PID 4276 wrote to memory of 3248	4276	Seven.exe	93
PID 4276 wrote to memory of 3248	4276	Seven.exe	93
PID 4276 wrote to memory of 1128	4276	Seven.exe	94
PID 4276 wrote to memory of 1128	4276	Seven.exe	94
PID 4276 wrote to memory of 2900	4276	Seven.exe	95
PID 4276 wrote to memory of 2900	4276	Seven.exe	95
PID 1128 wrote to memory of 1036	1128	cmd.exe	96
PID 1128 wrote to memory of 1036	1128	cmd.exe	96
PID 4116 wrote to memory of 2560	4116	cmd.exe	97
PID 4116 wrote to memory of 2560	4116	cmd.exe	97
PID 2900 wrote to memory of 2824	2900	cmd.exe	98
PID 2900 wrote to memory of 2824	2900	cmd.exe	98
PID 4996 wrote to memory of 4156	4996	cmd.exe	99
PID 4996 wrote to memory of 4156	4996	cmd.exe	99
PID 3248 wrote to memory of 2372	3248	cmd.exe	101
PID 3248 wrote to memory of 2372	3248	cmd.exe	101
PID 1628 wrote to memory of 4964	1628	cmd.exe	102
PID 1628 wrote to memory of 4964	1628	cmd.exe	102
PID 1336 wrote to memory of 3092	1336	cmd.exe	103
PID 1336 wrote to memory of 3092	1336	cmd.exe	103
PID 2824 wrote to memory of 2296	2824	Winhost.exe	104
PID 2824 wrote to memory of 2296	2824	Winhost.exe	104
PID 2296 wrote to memory of 4576	2296	Winhost.exe	107
PID 2296 wrote to memory of 4576	2296	Winhost.exe	107
PID 4576 wrote to memory of 1048	4576	Winhost.exe	109
PID 4576 wrote to memory of 1048	4576	Winhost.exe	109
PID 1048 wrote to memory of 3492	1048	Winhost.exe	111
PID 1048 wrote to memory of 3492	1048	Winhost.exe	111
PID 3492 wrote to memory of 2540	3492	Winhost.exe	113
PID 3492 wrote to memory of 2540	3492	Winhost.exe	113
PID 2540 wrote to memory of 1488	2540	Winhost.exe	115
PID 2540 wrote to memory of 1488	2540	Winhost.exe	115
PID 1488 wrote to memory of 4892	1488	Winhost.exe	117
PID 1488 wrote to memory of 4892	1488	Winhost.exe	117
PID 4892 wrote to memory of 3144	4892	Winhost.exe	144
PID 4892 wrote to memory of 3144	4892	Winhost.exe	144
PID 3144 wrote to memory of 2324	3144	Winhost.exe	146
PID 3144 wrote to memory of 2324	3144	Winhost.exe	146
PID 2324 wrote to memory of 3252	2324	Winhost.exe	148
PID 2324 wrote to memory of 3252	2324	Winhost.exe	148

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLua = "1"	Seven.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	Seven.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "1"	Seven.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 6 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4156	attrib.exe
2372	attrib.exe
3092	attrib.exe
4964	attrib.exe
1036	attrib.exe
2560	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Seven.exe
"C:\Users\Admin\AppData\Local\Temp\Seven.exe"
1⤵
- Modifies Windows Defender Real-time Protection settings
- UAC bypass
- Blocks application from running via registry modification
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Windows security modification
- Checks whether UAC is enabled
- Sets desktop wallpaper using registry
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4276
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" Get-MpPreference -verbose
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3440
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C copy C:\Users\Admin\AppData\Local\Temp\Seven.exe C:\Users\Admin\AppData\Local\Temp\Winhost.exe
  2⤵
  PID:3628
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C copy C:\Users\Admin\AppData\Local\Temp\Seven.exe C:\Windows\System32\Winhost.exe
  2⤵
  - Drops file in System32 directory
  PID:1944
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C copy C:\Users\Admin\AppData\Local\Temp\Seven.exe C:\Users\Public\Documents\Winhost.exe
  2⤵
  PID:480
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C attrib +h C:\Windows\System32\Winhost.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1336
- - C:\Windows\system32\attrib.exe
    attrib +h C:\Windows\System32\Winhost.exe
    3⤵
    - Drops file in System32 directory
    - Views/modifies file attributes
    PID:3092
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C attrib +h C:\Users\Public\Documents\Winhost.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1628
- - C:\Windows\system32\attrib.exe
    attrib +h C:\Users\Public\Documents\Winhost.exe
    3⤵
    - Views/modifies file attributes
    PID:4964
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C copy C:\Users\Admin\AppData\Local\Temp\Seven.dll C:\Windows\System32\Seven.dll
  2⤵
  - Drops file in System32 directory
  PID:1536
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C copy C:\Users\Admin\AppData\Local\Temp\Seven.dll C:\Users\Public\Documents\Seven.dll
  2⤵
  PID:2212
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C copy C:\Users\Admin\AppData\Local\Temp\Seven.runtimeconfig.json C:\Windows\System32\Seven.runtimeconfig.json
  2⤵
  - Drops file in System32 directory
  PID:652
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C copy C:\Users\Admin\AppData\Local\Temp\Seven.runtimeconfig.json C:\Users\Public\Documents\Seven.runtimeconfig.json
  2⤵
  PID:3096
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C attrib +h C:\Windows\System32\Seven.dll
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4116
- - C:\Windows\system32\attrib.exe
    attrib +h C:\Windows\System32\Seven.dll
    3⤵
    - Drops file in System32 directory
    - Views/modifies file attributes
    PID:2560
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C attrib +h C:\Windows\System32\Seven.runtimeconfig.json
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4996
- - C:\Windows\system32\attrib.exe
    attrib +h C:\Windows\System32\Seven.runtimeconfig.json
    3⤵
    - Drops file in System32 directory
    - Views/modifies file attributes
    PID:4156
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C attrib +h C:\Users\Public\Documents\Seven.dll
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3248
- - C:\Windows\system32\attrib.exe
    attrib +h C:\Users\Public\Documents\Seven.dll
    3⤵
    - Views/modifies file attributes
    PID:2372
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C attrib +h C:\Users\Public\Documents\Seven.runtimeconfig.json
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1128
- - C:\Windows\system32\attrib.exe
    attrib +h C:\Users\Public\Documents\Seven.runtimeconfig.json
    3⤵
    - Views/modifies file attributes
    PID:1036
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C start C:\Users\Admin\AppData\Local\Temp\Winhost.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2900
- - C:\Users\Admin\AppData\Local\Temp\Winhost.exe
    C:\Users\Admin\AppData\Local\Temp\Winhost.exe
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Drops desktop.ini file(s)
    - Sets desktop wallpaper using registry
    - Suspicious use of WriteProcessMemory
    PID:2824
  - - C:\Users\Admin\AppData\Local\Temp\Winhost.exe
      "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
      4⤵
      Executes dropped EXE
      Sets desktop wallpaper using registry
      Suspicious use of WriteProcessMemory
      PID:2296
    - - C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4576
      - C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1048
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3492
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2540
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1488
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4892
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3144
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2324
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        13⤵
        Executes dropped EXE
        
        PID:3252
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        14⤵
        Executes dropped EXE
        
        PID:3368
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        15⤵
        Executes dropped EXE
        
        PID:1336
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        16⤵
        Executes dropped EXE
        
        PID:792
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        17⤵
        Executes dropped EXE
        
        PID:3436
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        18⤵
        Executes dropped EXE
        
        PID:4548
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        19⤵
        Executes dropped EXE
        
        PID:3132
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        20⤵
        Executes dropped EXE
        
        PID:1832
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        21⤵
        Executes dropped EXE
        
        PID:1488
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        22⤵
        Executes dropped EXE
        
        PID:3964
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        23⤵
        Executes dropped EXE
        
        PID:4272
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        24⤵
        
        PID:3144
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        24⤵
        Executes dropped EXE
        
        PID:2900
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        25⤵
        
        PID:2324
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        25⤵
        Executes dropped EXE
        
        PID:2356
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        26⤵
        
        PID:3252
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        26⤵
        Executes dropped EXE
        
        PID:4200
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        27⤵
        Executes dropped EXE
        
        PID:3160
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        28⤵
        Executes dropped EXE
        
        PID:3764
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        29⤵
        Executes dropped EXE
        
        PID:2788
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        30⤵
        Executes dropped EXE
        
        PID:1952
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        31⤵
        Executes dropped EXE
        
        PID:3216
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        32⤵
        Executes dropped EXE
        
        PID:5052
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        33⤵
        Executes dropped EXE
        
        PID:1480
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        34⤵
        Executes dropped EXE
        
        PID:3156
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        35⤵
        Executes dropped EXE
        
        PID:696
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        36⤵
        Executes dropped EXE
        
        PID:4996
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        37⤵
        Executes dropped EXE
        
        PID:4360
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        38⤵
        Executes dropped EXE
        
        PID:1172
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        39⤵
        Executes dropped EXE
        
        PID:2872
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        40⤵
        Executes dropped EXE
        
        PID:2084
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        41⤵
        Executes dropped EXE
        
        PID:1900
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        42⤵
        Executes dropped EXE
        
        PID:2000
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        43⤵
        Executes dropped EXE
        
        PID:1360
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        44⤵
        Executes dropped EXE
        
        PID:1696
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        45⤵
        Executes dropped EXE
        
        PID:3764
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        46⤵
        Executes dropped EXE
        
        PID:3460
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        47⤵
        Executes dropped EXE
        
        PID:2764
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        48⤵
        Executes dropped EXE
        
        PID:2836
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        49⤵
        Executes dropped EXE
        
        PID:4028
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        50⤵
        Executes dropped EXE
        
        PID:3736
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        51⤵
        Executes dropped EXE
        
        PID:2020
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        52⤵
        Executes dropped EXE
        
        PID:1632
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        53⤵
        Executes dropped EXE
        
        PID:2064
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        54⤵
        Executes dropped EXE
        
        PID:3584
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        55⤵
        Executes dropped EXE
        
        PID:3528
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        56⤵
        Executes dropped EXE
        
        PID:4768
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        57⤵
        Executes dropped EXE
        
        PID:2428
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        58⤵
        Executes dropped EXE
        
        PID:1940
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        59⤵
        Executes dropped EXE
        
        PID:864
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        60⤵
        Executes dropped EXE
        
        PID:2700
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        61⤵
        Executes dropped EXE
        
        PID:4780
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        62⤵
        Executes dropped EXE
        
        PID:1988
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        63⤵
        Executes dropped EXE
        
        PID:2732
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        64⤵
        Executes dropped EXE
        
        PID:4312
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        65⤵
        Executes dropped EXE
        
        PID:2924
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        66⤵
        Executes dropped EXE
        
        PID:3468
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        67⤵
        
        PID:3548
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        68⤵
        
        PID:2312
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        69⤵
        
        PID:2608
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        70⤵
        
        PID:4488
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        71⤵
        
        PID:3620
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        72⤵
        
        PID:2324
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        73⤵
        
        PID:996
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        74⤵
        
        PID:4496
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        75⤵
        
        PID:3168
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        76⤵
        
        PID:2020
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        76⤵
        
        PID:2268
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        77⤵
        
        PID:1900
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        78⤵
        
        PID:1952
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        79⤵
        
        PID:744
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        80⤵
        
        PID:4880
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        81⤵
        
        PID:1960
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        82⤵
        
        PID:5092
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        83⤵
        
        PID:1128
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        84⤵
        
        PID:4440
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        85⤵
        
        PID:668
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        86⤵
        
        PID:1560
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        87⤵
        
        PID:1484
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        88⤵
        
        PID:4776
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        89⤵
        
        PID:568
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        90⤵
        
        PID:3192
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        91⤵
        
        PID:1384
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        92⤵
        
        PID:3940
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        93⤵
        
        PID:744
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        93⤵
        
        PID:2564
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        94⤵
        
        PID:4320
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        95⤵
        
        PID:5092
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        96⤵
        
        PID:400
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        97⤵
        
        PID:3188
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        98⤵
        
        PID:3620
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        98⤵
        
        PID:2172
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        99⤵
        
        PID:4948
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        100⤵
        
        PID:996
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        100⤵
        
        PID:3884
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        101⤵
        
        PID:3224
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        102⤵
        
        PID:3168
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        102⤵
        
        PID:4588
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        103⤵
        
        PID:740
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        104⤵
        
        PID:1680
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        105⤵
        
        PID:3012
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        106⤵
        
        PID:1976
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        107⤵
        
        PID:3788
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        108⤵
        
        PID:328
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        109⤵
        
        PID:3792
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        110⤵
        
        PID:3108
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        111⤵
        
        PID:1556
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        112⤵
        
        PID:3476
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        113⤵
        
        PID:3940
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        114⤵
        
        PID:3764
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        115⤵
        
        PID:456
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        116⤵
        
        PID:1976
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        117⤵
        
        PID:3120
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        118⤵
        
        PID:1692
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        119⤵
        
        PID:1380
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        120⤵
        
        PID:1188
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        121⤵
        
        PID:4872
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        122⤵
        
        PID:4368
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        123⤵
        
        PID:2488
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        124⤵
        
        PID:4308
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        125⤵
        
        PID:1628
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        126⤵
        
        PID:1384
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        126⤵
        
        PID:4908
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        127⤵
        
        PID:2700
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        128⤵
        
        PID:408
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        129⤵
        
        PID:2964
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        130⤵
        
        PID:3128
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        131⤵
        
        PID:868
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        132⤵
        
        PID:3424
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        133⤵
        
        PID:2316
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        134⤵
        
        PID:1072
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        135⤵
        
        PID:4936
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        136⤵
        
        PID:3644
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        137⤵
        
        PID:4948
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        138⤵
        
        PID:4108
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        139⤵
        
        PID:3252
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        140⤵
        
        PID:4496
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        141⤵
        
        PID:1360
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        142⤵
        
        PID:4968
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        143⤵
        
        PID:2552
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        144⤵
        
        PID:3616
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        145⤵
        
        PID:1680
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        146⤵
        
        PID:1760
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        147⤵
        
        PID:3304
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        148⤵
        
        PID:1468
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        149⤵
        
        PID:2008
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        150⤵
        
        PID:1040
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        151⤵
        
        PID:4656
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        152⤵
        
        PID:4820
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        153⤵
        
        PID:4504
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        154⤵
        
        PID:3024
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        155⤵
        
        PID:2704
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        156⤵
        
        PID:4688
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        157⤵
        
        PID:3592
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        158⤵
        
        PID:1872
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        159⤵
        
        PID:2228
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        160⤵
        
        PID:1900
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        160⤵
        
        PID:1012
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        161⤵
        
        PID:2164
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        162⤵
        
        PID:828
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        163⤵
        
        PID:4248
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        164⤵
        
        PID:4804
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        165⤵
        
        PID:4792
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        166⤵
        
        PID:3628
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        167⤵
        
        PID:1832
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        168⤵
        
        PID:3480
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        169⤵
        
        PID:3504
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        170⤵
        
        PID:1568
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        171⤵
        
        PID:3588
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        172⤵
        
        PID:2880
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        173⤵
        
        PID:2992
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        174⤵
        
        PID:948
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        175⤵
        
        PID:4936
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        176⤵
        
        PID:3440
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        177⤵
        
        PID:4560
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        178⤵
        
        PID:1976
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        178⤵
        
        PID:3500
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        179⤵
        
        PID:1556
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        180⤵
        
        PID:568
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        180⤵
        
        PID:1916
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        181⤵
        
        PID:2192
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        182⤵
        
        PID:4344
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        183⤵
        
        PID:5024
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        184⤵
        
        PID:4480
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        185⤵
        
        PID:1336
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        186⤵
        
        PID:2164
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        187⤵
        
        PID:1528
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        188⤵
        
        PID:3028
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        189⤵
        
        PID:3812
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        190⤵
        
        PID:1136
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        191⤵
        
        PID:3188
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        191⤵
        
        PID:4436
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        192⤵
        
        PID:4972
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        193⤵
        
        PID:3648
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        194⤵
        
        PID:2468
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        195⤵
        
        PID:2564
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        195⤵
        
        PID:2348
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        196⤵
        
        PID:1336
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        197⤵
        
        PID:4980
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        198⤵
        
        PID:3396
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        199⤵
        
        PID:1936
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        200⤵
        
        PID:1948
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        201⤵
        
        PID:4336
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        202⤵
        
        PID:668
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        203⤵
        
        PID:1500
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        204⤵
        
        PID:5004
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        205⤵
        
        PID:4932
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        206⤵
        
        PID:3160
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        207⤵
        
        PID:1148
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        208⤵
        
        PID:4324
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        209⤵
        
        PID:4560
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        210⤵
        
        PID:2680
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        211⤵
        
        PID:5096
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        212⤵
        
        PID:4376
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        213⤵
        
        PID:1596
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        214⤵
        
        PID:3420
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        215⤵
        
        PID:5008
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        216⤵
        
        PID:740
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        216⤵
        
        PID:1072
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        217⤵
        
        PID:868
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        218⤵
        
        PID:2856
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        219⤵
        
        PID:4948
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        219⤵
        
        PID:4980
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        220⤵
        
        PID:3940
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        220⤵
        
        PID:4112
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        221⤵
        
        PID:3596
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        222⤵
        
        PID:4336
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        223⤵
        
        PID:1528
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        224⤵
        
        PID:4408
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        225⤵
        
        PID:1396
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        226⤵
        
        PID:1684
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        227⤵
        
        PID:1496
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        228⤵
        
        PID:2168
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        229⤵
        
        PID:792
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        230⤵
        
        PID:3892
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        231⤵
        
        PID:3424
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        232⤵
        
        PID:3592
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        233⤵
        
        PID:1688
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        234⤵
        
        PID:2764
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        235⤵
        
        PID:3804
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        236⤵
        
        PID:3992
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        237⤵
        
        PID:4996
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        238⤵
        
        PID:4244
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        239⤵
        
        PID:5048
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        240⤵
        
        PID:4960
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        241⤵
        
        PID:1752
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        242⤵
        
        PID:1908
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        243⤵
        
        PID:5112
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        244⤵
        
        PID:1528
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        245⤵
        
        PID:2788
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        246⤵
        
        PID:5004
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        247⤵
        
        PID:4644
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        248⤵
        
        PID:2044
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        249⤵
        
        PID:3712
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        250⤵
        
        PID:3436
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        251⤵
        
        PID:2356
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        252⤵
        
        PID:4956
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        253⤵
        
        PID:568
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        254⤵
        
        PID:2224
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        255⤵
        
        PID:2892
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        256⤵
        
        PID:1832
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        257⤵
        
        PID:4132
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        258⤵
        
        PID:3288
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        259⤵
        
        PID:3488
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        260⤵
        
        PID:2060
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        261⤵
        
        PID:2260
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        262⤵
        
        PID:864
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        263⤵
        
        PID:3244
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        264⤵
        
        PID:4764
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        265⤵
        
        PID:3216
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        266⤵
        
        PID:3660
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        267⤵
        
        PID:3208
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        268⤵
        
        PID:2968
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        269⤵
        
        PID:248
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        270⤵
        
        PID:4556
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        271⤵
        
        PID:1324
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        272⤵
        
        PID:3144
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        273⤵
        
        PID:2036

C:\Windows\System32\Winhost.exe
C:\Windows\System32\Winhost.exe
1⤵
- Drops file in System32 directory
PID:2924
- C:\Windows\System32\Winhost.exe
  "C:\Windows\System32\Winhost.exe"
  2⤵
  - Drops file in System32 directory
  PID:480
- - C:\Windows\System32\Winhost.exe
    "C:\Windows\System32\Winhost.exe"
    3⤵
    PID:4012
  - - C:\Windows\System32\Winhost.exe
      "C:\Windows\System32\Winhost.exe"
      4⤵
      PID:1384
    - - C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        5⤵
        
        PID:2224
      - C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        6⤵
        
        PID:3424
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        7⤵
        
        PID:3716
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        8⤵
        
        PID:3992
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        9⤵
        
        PID:3160
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        10⤵
        
        PID:4312
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        10⤵
        
        PID:4132
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        11⤵
        
        PID:1796
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        12⤵
        
        PID:3780
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        13⤵
        
        PID:456
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        14⤵
        
        PID:2680
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        15⤵
        
        PID:2268
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        16⤵
        
        PID:4956
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        17⤵
        
        PID:1088
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        18⤵
        
        PID:3384
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        19⤵
        
        PID:4800
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        20⤵
        
        PID:5096
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        21⤵
        
        PID:5104
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        22⤵
        
        PID:3164
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        23⤵
        
        PID:2268
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        23⤵
        
        PID:4392
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        24⤵
        
        PID:3792
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        25⤵
        
        PID:4924
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        26⤵
        
        PID:3320
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        27⤵
        
        PID:4872
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        28⤵
        
        PID:2140
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        29⤵
        
        PID:3236
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        30⤵
        
        PID:2968
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        31⤵
        
        PID:4000
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        32⤵
        
        PID:2068
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        33⤵
        
        PID:1480
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        34⤵
        
        PID:392
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        35⤵
        
        PID:2192
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        36⤵
        
        PID:1672
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        37⤵
        
        PID:3788
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        38⤵
        
        PID:5096
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        39⤵
        
        PID:2860
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        40⤵
        
        PID:4792
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        41⤵
        
        PID:3772
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        42⤵
        
        PID:1136
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        43⤵
        
        PID:4344
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        44⤵
        
        PID:2828
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        45⤵
        
        PID:236
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        46⤵
        
        PID:3884
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        46⤵
        
        PID:456
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        47⤵
        
        PID:2812
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        48⤵
        
        PID:3412
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        49⤵
        
        PID:2972
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        50⤵
        
        PID:2376
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        51⤵
        
        PID:1360
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        52⤵
        
        PID:2964
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        53⤵
        
        PID:3992
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        54⤵
        
        PID:3168
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        55⤵
        
        PID:1376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\EncryptedLog.txt

Filesize
147B

MD5
47b3aa37d1e8ac0fc3ead74dc55d3a20

SHA1
8770c92adb3eb1656cf84f859000eb8836abb299

SHA256
5698818137d0118056fff51ec0287ed26f4201e586280aa13843b29807941c6b

SHA512
d9d379a035282ec01b7c5f368a3167e7f18b3af59ecfff4128372ac529825bbe78bce05780f63b65735716fddeb4359495ae5baf4fcb2bf8712d00188eed57a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\EncryptedLog.txt

Filesize
64B

MD5
85be0246fe206bddc86a6f9dafcb07e4

SHA1
ad8e2b11bf201c4de9201268f258072b7c17d7a0

SHA256
1aeadac0222735922d2f7b4f34c12efd4189d89d9ddbb18ba69077b22a048a6e

SHA512
39fc8cf4632b41e38269cd4980053d29465613bf97920733be1266b9fd0d90de9ab62fee5dfd98ccb45b4c65fa39e22bcea0eb6d6bd4b236dca6a86fe37686fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\EncryptedLog.txt

Filesize
64B

MD5
134e6256beba4c3f1f34ed455b571710

SHA1
545ab7ff43edcd6c1df93965ce6c7d9b926aba6b

SHA256
6b260ef220a74d8698077fe0ea45466c04e53a01eece2713694093cc671df9a7

SHA512
e366ab12d316ac965b6c711a5ac77441356038175e9dd16c8d2113769bb61ab031a9f9ed0f29c87d2db2b720b273f5ecaf94ed44b4725ccf3b680fbc0349e816

Download Submit
C:\Users\Admin\AppData\Local\Temp\KeyAndIV.txt.420

Filesize
64B

MD5
291de6651b3bfd2abd3288dea9c97982

SHA1
affdf22efc22e424446b89d36170683172caba4c

SHA256
44cdf9f2ec4d8fd08cb3de5de688e0c8e44a8983a5f004a766fc6f7db10bbfc7

SHA512
7e1861963b5854a92a876561c708819b813ff1ca8dfff0a329baa24a8b83de56e76674a9cd7c26ba83b20f2abd9be1cf7abd2867e49844a6fed8f34a14bf72b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\KeyAndIV.txt.420

Filesize
64B

MD5
0fde655694e5edef8ddd0c6441f66fa5

SHA1
39ef8826b15fb19ddbc533c399425b4f01c0edaf

SHA256
6dae98d68b9ef12bfe3a2413fc49f16674cf79941c1c5ba6d33a7deffbd7d25e

SHA512
b3457c9be9ce6a5975a97a6cc92ce416ea8a196866308207946bc05ab2ca97c399cefb17356cf773b1820fc6f1fc9d7a4c487d81eccf0beaeb083857843a5b52

Download Submit
C:\Users\Admin\AppData\Local\Temp\KeyAndIV.txt.420

Filesize
64B

MD5
5acb74503ac9cf43a0e2fa3ca0b2f446

SHA1
ff60b4ad3e0b8b762f7e1efc9efdd265391b6d8d

SHA256
285c1cf068ff428154c83e331765cfd7137bcb708b51e82e099e63e736ccdce7

SHA512
492e42281f92ee7a4826f4a40f4027ea43c59cb66269ba319287c792b7377d676acee7ff47671f4a6aea4401fe1318f948739b3f7faa90cec6d7a7d0f89b17d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Winhost.exe

Filesize
139KB

MD5
350273e0d2e8a9ba5e37b791016112a0

SHA1
5bfb616dd46f67d1dcbbff55ca5917ffc1ec8b71

SHA256
27297bf8139bea755e9297e7e1489d827d1ee09a8e1d94a3ef96a2edb2de61ba

SHA512
b1e768524b4e840bd5f4163205122dd1725583245d8bfd5cbd89eb21a5fb9d33aff1b7b0ca42132b7dae469e025068ae663b3b02ad59927a558dc340141ec91b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hupvkoav.qkl.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpqkly3b.tmp

Filesize
187KB

MD5
893b1b77cb2fab0d42b0ce43d30a1d67

SHA1
3b18999fbd622e364f9f1de33ae5a120ad1df3fb

SHA256
a8b9c649d5d7217bd3249433a9d67162bcc9c1cf4b7a71dffa2fe773c4307d07

SHA512
073a99535e8aa3cec853ada0f8f14ffb4fe9d7d9175b77f3db569471953c8afbec58a57d3ee613959e188d337fedb4cc7ec2310977da8210eea1dab1658ea6c9

Download Submit
C:\Users\Public\Documents\Seven.dll

Filesize
1.3MB

MD5
c911e21fe70e167d8f9bee1703415553

SHA1
c892220ff96d2d5816a3c3e6a0247620450fa7ed

SHA256
03a644a944153208259729776d6a0b32cd9016d8a8087757430c6c8f32865af5

SHA512
784790551beccdf1db88ddcb7e7bd59a6d796742f753e69e4125698a09f60f0af64918a3746f714aa9f506ab276a50bdbe492e458481f2c9d7925dfea57dfbd7

Download Submit
C:\Windows\System32\Seven.runtimeconfig.json

Filesize
340B

MD5
253333997e82f7d44ea8072dfae6db39

SHA1
03b9744e89327431a619505a7c72fd497783d884

SHA256
28329cf08f6505e73806b17558b187c02f0c1c516fe47ebfb7a013d082aaa306

SHA512
56d99039e0fb6305588e9f87361e7e0d5051507bf321ba36619c4d29741f35c27c62f025a52523c9e1c7287aabf1533444330a8cdf840fa5af0fa2241fcb4fc2

Download Submit
C:\vcredist2010_x64.log-MSI_vc_red.msi.txt.420

Filesize
379KB

MD5
df81977a9f650c7c83c0edb4ba5a0c83

SHA1
05ef1847f9f764342ec04041224b8fe0093d66c8

SHA256
3b5b10e8476f6ea8efee8f552f1515fa5aa5272fb65c5098a1824ca88fec87e3

SHA512
1d6e14a33bdd40afc0912755edb4b12ad181ba21a94eb51915cf2bb04668a2781a31ac65d7c7f35d07679a283ca34a2452c6cba5cd94c5f9903a4ca935fe2ba1

Download Submit
C:\vcredist2010_x64.log.html.420

Filesize
86KB

MD5
364b59ee326a9716746e41b3c1cfb4a1

SHA1
43a4b5d4c29d257ea7de77de7bf306bf91568193

SHA256
b9857a7ca30d9b3e4a11ac4c7f650eae338710c0f835d3737e7c4f0c8019c504

SHA512
dfc3031b11c6de6abf3ac18c2fd6a3b25dde639ef87c12dad8985104e9cd3e3cbf2e0f09cadf6e377e7e0eb50b9ca9f2b594e2cf75f0b788ff57339575e29516

Download Submit
C:\vcredist2010_x86.log-MSI_vc_red.msi.txt.420

Filesize
394KB

MD5
2dd4ec3649f7edfa7246408edd86f7c6

SHA1
24defda6e4be5371c17960b95b6300bfd597e917

SHA256
58608e2978fe8335b9ae50064a7dbf9e323df6cec0912bc0d9b7b2594ee1ccd1

SHA512
185b64a7a5f8b1175405641571f30627cef7e9cb821b1f1514683dbf6630d40c4f9d44c3ead0043a4352c1a651498fb1395818afd8d075f4175e82015cfa5016

Download Submit
C:\vcredist2010_x86.log.html.420

Filesize
80KB

MD5
fde95cf3bd9db65ee2cfe5b5e9e22e8c

SHA1
08f1d3e6744f701d6d62fbb9ea45324cea3cf991

SHA256
d540ebec552099bff8e0f344b3d4efbb14002d66305f90a2d5c16cfcadc7bd52

SHA512
1f9e29e95e5ee5054b8ebe71a83864365320bdb6cc155d216078d1041dd2aae99da9ab56d6dd3896e797b72cbbdd712798c6badf2c63ea595317dfcf54be073b

Download Submit
C:\vcredist2012_x64_0_vcRuntimeMinimum_x64.log.420

Filesize
167KB

MD5
d416e2a6f471da52841ab705f58d3e90

SHA1
8b2e962ee7de3f06ee89934f1e86191af46935bb

SHA256
b072575d8c35cda68bbf7799fd4855f553d85e0cb94e67218b97921a2a3e309b

SHA512
9493236abb7c46dd4b9b1728bc042ed089b66f8aa306307d40174495f69a0914a869c449d4dc7a66542956e6d46accc1e676ea1ad2463cbf61c783b7e2173f46

Download Submit
C:\vcredist2012_x64_1_vcRuntimeAdditional_x64.log.420

Filesize
195KB

MD5
a81e7e991243c792853daf38030df525

SHA1
a14a62c231c5f3db92f55236f3cab406b0a9d126

SHA256
be01499601a27ef46049692d51452711ac1e99369f8cf2a016e9e06d58336422

SHA512
4b737a210197e1e75bc5206260ab784d8652490bb57d4b3d590bf4ba1ab72dd9de760c33903a09494d457656eddeb485be8bd20ffd7057d076633ff26c03c617

Download Submit
C:\vcredist2012_x86_0_vcRuntimeMinimum_x86.log.420

Filesize
170KB

MD5
73d26ba581d6cd1acf71f25be6d4c9b1

SHA1
9e920f84b0875558b8052d3156a36a1903c457b5

SHA256
225d3124d491d4572c03c5d69d89475612a3656907d08296d931a15b0ab4e606

SHA512
225204889e482795f5650b207f9a7cc23fbe1bcb6a35767f13344e08cad3b27253bc2d01c1d8ed9d579d873e12b2e714aceff5a84492aca196042198e6679d8b

Download Submit
C:\vcredist2012_x86_1_vcRuntimeAdditional_x86.log.420

Filesize
208KB

MD5
5aaaffbd28b703fdd8e7b7ccdab3d1ae

SHA1
865a0df7c24b2fde15105bcc9068d25995ee1857

SHA256
f3a8c5f306c6e50d469e1ae14cead193399257a5a8bc7197853811659f766bf5

SHA512
4d3090969e39b8160ef38f456946b927090858ab439b3cd629e014ade87af293ea787334ac4182fd23f93b05d922ab2433ae6461db173ad4f0ad13c8fcaf0637

Download Submit
C:\vcredist2013_x64_000_vcRuntimeMinimum_x64.log.420

Filesize
170KB

MD5
2773fcac6f96edfcc0ee741f1020a69b

SHA1
5b1f5066c5198ec679e024a7b03e5d94123cbde3

SHA256
b041eb693eadf20936fd7bcd71307ceade8519aaacda36adbeb5d68be1a23c2f

SHA512
6735e7e7f4e69a59cf6c84e3f6fc8e2fc101b85bb7c18e8dada0ea9473f7d27cc2e44669822988bf26f5da5eb87474d97213eb4265dd991f2a87d939bdad59f9

Download Submit
C:\vcredist2013_x64_001_vcRuntimeAdditional_x64.log.420

Filesize
190KB

MD5
b07f2a9ae165c8dff2f1b60c23ae68a0

SHA1
ce8728e3512204504fb535d05fc9607de5d505b8

SHA256
497ce3e2febd0db80295ab6467490f2b4c8ffb92806c3ede04c75bc17a799b8e

SHA512
b4847e228af1d598bbfb6bbe55bc27996afd35dde32f5cfdf812fc20bd3906970814141383bd95dc46f183fee754cedcf3a2ee01c2f2247c66693e68307eb7fe

Download Submit
C:\vcredist2013_x86_000_vcRuntimeMinimum_x86.log.420

Filesize
170KB

MD5
420c01f4e44178b8380955c9a902a014

SHA1
4beb027543f1a606818aba016d9704318755c255

SHA256
7b29509d070fc124fd0693417637460c52bd149dafb83b0e0ddc86ad33709dc7

SHA512
9a55d9019368df2e4d660791a545320b7c132e17f75259802a70600d8bd936db7de3ec43c5c02a8f39cb20974d87e7a678c069d2fa264c183d9443ff1342655c

Download Submit
C:\vcredist2013_x86_001_vcRuntimeAdditional_x86.log.420

Filesize
198KB

MD5
2586ff96a3ac9cb4b4da757e491b589f

SHA1
f087a04914a295a86b5ff8e3c6283688ab6736e7

SHA256
9e4130c0438d443c472bd7ce6e3bc3f75e27249a338efe4b4ad6b29903e9d7b5

SHA512
0b83f8a04876c1866d33bdc1d75b86224c676c4e8d364f32fe79bbbd97578e3835e4ce7b6bf261fbc80c3bb204805dfbe7b08d0c45d1b0c4c487195ae30b39e0

Download Submit
C:\vcredist2022_x64_000_vcRuntimeMinimum_x64.log.420

Filesize
123KB

MD5
86b7f55f9ed04bb87c5af9fbc7a4c9cf

SHA1
5149d955cb02fd79ac9f527884c6df9e6cdcfebb

SHA256
c956947c20b62eb278ffca419c3c9fbbaa00952ded0bff52e2bdd4ea732831b1

SHA512
6e5e5aaaeb3c2884e72df1d73be5fa64dde138e025c809ce71bf7ed9c4ec38caa8c62e409fdbcd6a5e5c7466ee556de562efdbacffe4acb7aae0451c12705d8e

Download Submit
C:\vcredist2022_x64_001_vcRuntimeAdditional_x64.log.420

Filesize
129KB

MD5
b5261b34c5a08f1acdcf9858c6bb0660

SHA1
a596497cc71ee066b34a0d90a4921f4c15cc8c2b

SHA256
f0a1d616ea6292811fa9bd8d2a516bc4d7b40ba2a97fb2416d8121432dc71cfa

SHA512
079cd4b9fad5d91769666163efd0979fdb6bcecbddb29735d93d07ae2d3cced8fb901071ea7240de6a01be9c8451fd7887f89fd17c03e5f25bcc99a158fda6a8

Download Submit
C:\vcredist2022_x86_000_vcRuntimeMinimum_x86.log.420

Filesize
123KB

MD5
801711e5aa17c29e7da568d7096a0e1b

SHA1
f3aa1ebf1380112874bca72c7375359d9ca62962

SHA256
30bafb0b992da09986266b80f845b30295141a773a25bb4825c8b67922ce8100

SHA512
4892481a4eaf922b54c1dfc976e1af29870b7765d666ecc001b60b15dfbc82de13b659426a6bc2f4bf537f6fe7d538196de2947c68b21ca7623e29ff332ffd96

Download Submit
C:\vcredist2022_x86_001_vcRuntimeAdditional_x86.log.420

Filesize
135KB

MD5
8d7829c3660e047a10eef359aeb8ad12

SHA1
d5dfd1a44a97e7d95b716860959b89d711e22da0

SHA256
d0f870f56aff7182aeb67f38b932dcc4b130f4af337907ed979347e4ee8ddf3b

SHA512
5f826a35662b8471ea14c155f25d21296956fc967f9275926be11b89e366427bc28b7388b670b1f0fbe330fc1d1fa548733bb33547da41585fde318bf36751bd

Download Submit
memory/3440-14-0x0000026F75E40000-0x0000026F75E50000-memory.dmp

Filesize
64KB

Download
memory/3440-17-0x00007FFB13D70000-0x00007FFB14832000-memory.dmp

Filesize
10.8MB

Download
memory/3440-10-0x00007FFB13D70000-0x00007FFB14832000-memory.dmp

Filesize
10.8MB

Download
memory/3440-11-0x0000026F75E40000-0x0000026F75E50000-memory.dmp

Filesize
64KB

Download
memory/3440-12-0x0000026F75E40000-0x0000026F75E50000-memory.dmp

Filesize
64KB

Download
memory/3440-13-0x0000026F75E40000-0x0000026F75E50000-memory.dmp

Filesize
64KB

Download
memory/3440-9-0x0000026F76150000-0x0000026F76172000-memory.dmp

Filesize
136KB

Download