quasar | a700c208e84d5427566a321f204bce16f8b7d5a3655bd76b6637920f46289172

Analysis

max time kernel
4s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
17-05-2024 15:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Timsistem_Product_Specifications - 2020.07.16.exe
Size

740KB
MD5

bf7fe4334d0b4363d70bd997460588a3
SHA1

dcba20338c5dbde13a8189f0d154e3d650cca99c
SHA256

bbf62b7d87429bb832abb5c8f37635c05be6724eaab9afd13a7780595919f3a2
SHA512

be3739a91180dfc1c391045fe2f9a27be3303f6a8c042cee8af7c0bca73483768c33dd806a464a7fdee1b4203135b1fde132a3edc86bd3122ba83f4b993ac4fa
SSDEEP

12288:E1bl3SKiQ9X5M1EL6GgmV5hT82Hnb6tY1CoO4SOSWGbz3hLkbLvhu:OVoQ9EWe23Q0b6tYbO4e3t

Score

10^/10

quasar alexia-station spyware trojan upx

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

Alexia-Station

79.134.225.69:4782

Mutex

QSR_MUTEX_UR8lkLH1hfB8BFkqFf

Attributes

encryption_key
gO53Ewkmsbtfm9kB1s5G
install_name
svchost.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Java Update
subdirectory
SubDir

Signatures

Quasar RAT 4 IoCs
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Processes:

schtasks.exe

pid process

2216 schtasks.exe
10 ip-api.com
61 ip-api.com
91 ip-api.com

pid	process
2216	schtasks.exe
10	ip-api.com
61	ip-api.com
91	ip-api.com

Quasar payload 64 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4504-20-0x0000000000400000-0x00000000004D0000-memory.dmp	family_quasar
behavioral2/memory/4504-19-0x0000000000400000-0x00000000004D0000-memory.dmp	family_quasar
behavioral2/memory/4504-23-0x0000000000400000-0x00000000004D0000-memory.dmp	family_quasar
behavioral2/memory/4504-22-0x0000000000E20000-0x0000000000E82000-memory.dmp	family_quasar
behavioral2/memory/4504-21-0x0000000000E20000-0x0000000000E82000-memory.dmp	family_quasar
behavioral2/memory/4368-94-0x0000000000400000-0x00000000004D0000-memory.dmp	family_quasar
behavioral2/memory/536-74-0x0000000000400000-0x00000000004D0000-memory.dmp	family_quasar
behavioral2/memory/536-72-0x0000000000E20000-0x0000000000E82000-memory.dmp	family_quasar
behavioral2/memory/4504-48-0x0000000000400000-0x00000000004D0000-memory.dmp	family_quasar
behavioral2/memory/536-96-0x0000000000400000-0x00000000004D0000-memory.dmp	family_quasar
behavioral2/memory/4368-103-0x0000000000400000-0x00000000004D0000-memory.dmp	family_quasar
behavioral2/memory/5088-115-0x0000000000400000-0x00000000004D0000-memory.dmp	family_quasar
behavioral2/memory/3816-158-0x0000000000400000-0x00000000004D0000-memory.dmp	family_quasar
behavioral2/memory/4596-146-0x0000000000400000-0x00000000004D0000-memory.dmp	family_quasar
behavioral2/memory/4596-175-0x0000000000400000-0x00000000004D0000-memory.dmp	family_quasar
behavioral2/memory/3616-301-0x0000000000400000-0x00000000004D0000-memory.dmp	family_quasar
behavioral2/memory/4360-306-0x0000000000400000-0x00000000004D0000-memory.dmp	family_quasar
behavioral2/memory/1612-328-0x0000000000400000-0x00000000004D0000-memory.dmp	family_quasar
behavioral2/memory/4900-349-0x0000000000400000-0x00000000004D0000-memory.dmp	family_quasar
behavioral2/memory/5108-359-0x0000000000400000-0x00000000004D0000-memory.dmp	family_quasar
behavioral2/memory/4832-401-0x0000000000400000-0x00000000004D0000-memory.dmp	family_quasar
behavioral2/memory/4040-400-0x0000000000400000-0x00000000004D0000-memory.dmp	family_quasar
behavioral2/memory/1368-425-0x0000000000400000-0x00000000004D0000-memory.dmp	family_quasar
behavioral2/memory/4976-442-0x0000000000400000-0x00000000004D0000-memory.dmp	family_quasar
behavioral2/memory/4900-466-0x0000000000400000-0x00000000004D0000-memory.dmp	family_quasar
behavioral2/memory/116-464-0x0000000000400000-0x00000000004D0000-memory.dmp	family_quasar
behavioral2/memory/2320-486-0x0000000000400000-0x00000000004D0000-memory.dmp	family_quasar
behavioral2/memory/3652-535-0x0000000000400000-0x00000000004D0000-memory.dmp	family_quasar
behavioral2/memory/4860-537-0x0000000000400000-0x00000000004D0000-memory.dmp	family_quasar
behavioral2/memory/1048-559-0x0000000000400000-0x00000000004D0000-memory.dmp	family_quasar
behavioral2/memory/864-512-0x0000000000400000-0x00000000004D0000-memory.dmp	family_quasar
behavioral2/memory/4344-599-0x0000000000400000-0x00000000004D0000-memory.dmp	family_quasar
behavioral2/memory/4476-614-0x0000000000400000-0x00000000004D0000-memory.dmp	family_quasar
behavioral2/memory/116-581-0x0000000000400000-0x00000000004D0000-memory.dmp	family_quasar
behavioral2/memory/4040-573-0x0000000000400000-0x00000000004D0000-memory.dmp	family_quasar
behavioral2/memory/3316-494-0x0000000000400000-0x00000000004D0000-memory.dmp	family_quasar
behavioral2/memory/4832-491-0x0000000000400000-0x00000000004D0000-memory.dmp	family_quasar
behavioral2/memory/4976-639-0x0000000000400000-0x00000000004D0000-memory.dmp	family_quasar
behavioral2/memory/864-652-0x0000000000400000-0x00000000004D0000-memory.dmp	family_quasar
behavioral2/memory/4608-668-0x0000000000400000-0x00000000004D0000-memory.dmp	family_quasar
behavioral2/memory/744-719-0x0000000000400000-0x00000000004D0000-memory.dmp	family_quasar
behavioral2/memory/2320-726-0x0000000000400000-0x00000000004D0000-memory.dmp	family_quasar
behavioral2/memory/4496-684-0x0000000000400000-0x00000000004D0000-memory.dmp	family_quasar
behavioral2/memory/3652-644-0x0000000000400000-0x00000000004D0000-memory.dmp	family_quasar
behavioral2/memory/3616-357-0x0000000000400000-0x00000000004D0000-memory.dmp	family_quasar
behavioral2/memory/1368-275-0x0000000000400000-0x00000000004D0000-memory.dmp	family_quasar
behavioral2/memory/3816-256-0x0000000000400000-0x00000000004D0000-memory.dmp	family_quasar
behavioral2/memory/4344-755-0x0000000000400000-0x00000000004D0000-memory.dmp	family_quasar
behavioral2/memory/4476-748-0x0000000000400000-0x00000000004D0000-memory.dmp	family_quasar
behavioral2/memory/3728-772-0x0000000000400000-0x00000000004D0000-memory.dmp	family_quasar
behavioral2/memory/1004-771-0x0000000000400000-0x00000000004D0000-memory.dmp	family_quasar
behavioral2/memory/5088-204-0x0000000000400000-0x00000000004D0000-memory.dmp	family_quasar
behavioral2/memory/5108-196-0x0000000000400000-0x00000000004D0000-memory.dmp	family_quasar
behavioral2/memory/3932-788-0x0000000000400000-0x00000000004D0000-memory.dmp	family_quasar
behavioral2/memory/1048-787-0x0000000000400000-0x00000000004D0000-memory.dmp	family_quasar
behavioral2/memory/3672-823-0x0000000000400000-0x00000000004D0000-memory.dmp	family_quasar
behavioral2/memory/4796-838-0x0000000000400000-0x00000000004D0000-memory.dmp	family_quasar
behavioral2/memory/1048-845-0x0000000000400000-0x00000000004D0000-memory.dmp	family_quasar
behavioral2/memory/4248-862-0x0000000000400000-0x00000000004D0000-memory.dmp	family_quasar
behavioral2/memory/2840-883-0x0000000000400000-0x00000000004D0000-memory.dmp	family_quasar
behavioral2/memory/4496-887-0x0000000000400000-0x00000000004D0000-memory.dmp	family_quasar
behavioral2/memory/1728-895-0x0000000000400000-0x00000000004D0000-memory.dmp	family_quasar
behavioral2/memory/3088-891-0x0000000000400000-0x00000000004D0000-memory.dmp	family_quasar
behavioral2/memory/2656-924-0x0000000000400000-0x00000000004D0000-memory.dmp	family_quasar

Drops startup file 3 IoCs

Processes:

notepad.exenotepad.exenotepad.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java Update.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java Update.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java Update.vbs	notepad.exe

Executes dropped EXE 20 IoCs

Processes:

svchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exe

pid	process
3532	svchost.exe
4504	svchost.exe
1784	svchost.exe
4880	svchost.exe
2668	svchost.exe
536	svchost.exe
3484	svchost.exe
4528	svchost.exe
4368	svchost.exe
2684	svchost.exe
852	svchost.exe
2180	svchost.exe
5088	svchost.exe
64	svchost.exe
1864	svchost.exe
4596	svchost.exe
3032	svchost.exe
660	svchost.exe
3816	svchost.exe
4644	svchost.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4504-20-0x0000000000400000-0x00000000004D0000-memory.dmp	upx
behavioral2/memory/4504-19-0x0000000000400000-0x00000000004D0000-memory.dmp	upx
behavioral2/memory/4504-23-0x0000000000400000-0x00000000004D0000-memory.dmp	upx
behavioral2/memory/4504-18-0x0000000000400000-0x00000000004D0000-memory.dmp	upx
behavioral2/memory/4504-12-0x0000000000400000-0x00000000004D0000-memory.dmp	upx
behavioral2/memory/5088-115-0x0000000000400000-0x00000000004D0000-memory.dmp	upx
behavioral2/memory/3816-158-0x0000000000400000-0x00000000004D0000-memory.dmp	upx
behavioral2/memory/1048-559-0x0000000000400000-0x00000000004D0000-memory.dmp	upx
behavioral2/memory/1004-622-0x0000000000400000-0x00000000004D0000-memory.dmp	upx
behavioral2/memory/1728-895-0x0000000000400000-0x00000000004D0000-memory.dmp	upx
behavioral2/memory/2200-940-0x0000000000400000-0x00000000004D0000-memory.dmp	upx
behavioral2/memory/2864-956-0x0000000000400000-0x00000000004D0000-memory.dmp	upx

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

10 ip-api.com
61 ip-api.com
91 ip-api.com

flow	ioc
10	ip-api.com
61	ip-api.com
91	ip-api.com

Drops file in System32 directory 6 IoCs

Processes:

svchost.exesvchost.exe

description	ioc	process
File created	C:\Windows\SysWOW64\SubDir\svchost.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\SubDir\svchost.exe	svchost.exe
File created	C:\Windows\SysWOW64\SubDir\svchost.exe:ZoneIdentifier:$DATA	svchost.exe
File created	C:\Windows\SysWOW64\SubDir\svchost.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\SubDir\svchost.exe	svchost.exe
File created	C:\Windows\SysWOW64\SubDir\svchost.exe:ZoneIdentifier:$DATA	svchost.exe

Suspicious use of SetThreadContext 6 IoCs

Processes:

svchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exe

description	pid	process	target process
PID 3532 set thread context of 4504	3532	svchost.exe	svchost.exe
PID 2668 set thread context of 536	2668	svchost.exe	svchost.exe
PID 4528 set thread context of 4368	4528	svchost.exe	svchost.exe
PID 2180 set thread context of 5088	2180	svchost.exe	svchost.exe
PID 1864 set thread context of 4596	1864	svchost.exe	svchost.exe
PID 660 set thread context of 3816	660	svchost.exe	svchost.exe

Creates scheduled task(s) 1 TTPs 42 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
4636	schtasks.exe
5132	schtasks.exe
4776	schtasks.exe
2540	schtasks.exe
5900	schtasks.exe
6648
1212	schtasks.exe
2740	schtasks.exe
5940	schtasks.exe
5768	schtasks.exe
6920	schtasks.exe
4108	schtasks.exe
1480	schtasks.exe
5300	schtasks.exe
4080	schtasks.exe
2272	schtasks.exe
2316	schtasks.exe
1560	schtasks.exe
2740	schtasks.exe
4308	schtasks.exe
1436	schtasks.exe
6744	schtasks.exe
1488	schtasks.exe
7044	schtasks.exe
2216	schtasks.exe
1792	schtasks.exe
7160	schtasks.exe
2640	schtasks.exe
6876	schtasks.exe
3140	schtasks.exe
2216	schtasks.exe
1348	schtasks.exe
7956	schtasks.exe
1584	schtasks.exe
852	schtasks.exe
2812	schtasks.exe
5520
1448	schtasks.exe
5360	schtasks.exe
2888	schtasks.exe
5336	schtasks.exe
4608	schtasks.exe

NTFS ADS 3 IoCs

Processes:

notepad.exenotepad.exenotepad.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe:ZoneIdentifier	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe:ZoneIdentifier	notepad.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe:ZoneIdentifier	notepad.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Timsistem_Product_Specifications - 2020.07.16.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exe

pid	process
2808	Timsistem_Product_Specifications - 2020.07.16.exe
2808	Timsistem_Product_Specifications - 2020.07.16.exe
3532	svchost.exe
3532	svchost.exe
1784	svchost.exe
1784	svchost.exe
1784	svchost.exe
1784	svchost.exe
1784	svchost.exe
1784	svchost.exe
1784	svchost.exe
1784	svchost.exe
1784	svchost.exe
1784	svchost.exe
1784	svchost.exe
1784	svchost.exe
1784	svchost.exe
1784	svchost.exe
1784	svchost.exe
1784	svchost.exe
1784	svchost.exe
1784	svchost.exe
1784	svchost.exe
1784	svchost.exe
1784	svchost.exe
1784	svchost.exe
1784	svchost.exe
1784	svchost.exe
1784	svchost.exe
1784	svchost.exe
1784	svchost.exe
1784	svchost.exe
1784	svchost.exe
1784	svchost.exe
1784	svchost.exe
1784	svchost.exe
1784	svchost.exe
1784	svchost.exe
4880	svchost.exe
4880	svchost.exe
1784	svchost.exe
1784	svchost.exe
2668	svchost.exe
2668	svchost.exe
3484	svchost.exe
3484	svchost.exe
3484	svchost.exe
3484	svchost.exe
4528	svchost.exe
4528	svchost.exe
2684	svchost.exe
2684	svchost.exe
2684	svchost.exe
2684	svchost.exe
3484	svchost.exe
3484	svchost.exe
3484	svchost.exe
3484	svchost.exe
2684	svchost.exe
2684	svchost.exe
2684	svchost.exe
2684	svchost.exe
3484	svchost.exe
3484	svchost.exe

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

svchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exe

pid process

3532 svchost.exe
2668 svchost.exe
4528 svchost.exe
2180 svchost.exe
1864 svchost.exe
660 svchost.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

svchost.exesvchost.exesvchost.exe

description pid process

Token: SeDebugPrivilege 4504 svchost.exe
Token: SeDebugPrivilege 4368 svchost.exe
Token: SeDebugPrivilege 5088 svchost.exe

description	pid	process
Token: SeDebugPrivilege	4504	svchost.exe
Token: SeDebugPrivilege	4368	svchost.exe
Token: SeDebugPrivilege	5088	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Timsistem_Product_Specifications - 2020.07.16.exenotepad.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exenotepad.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exe

description	pid	process	target process
PID 2808 wrote to memory of 3748	2808	Timsistem_Product_Specifications - 2020.07.16.exe	svchost.exe
PID 2808 wrote to memory of 3748	2808	Timsistem_Product_Specifications - 2020.07.16.exe	svchost.exe
PID 2808 wrote to memory of 3748	2808	Timsistem_Product_Specifications - 2020.07.16.exe	svchost.exe
PID 2808 wrote to memory of 3748	2808	Timsistem_Product_Specifications - 2020.07.16.exe	svchost.exe
PID 2808 wrote to memory of 3748	2808	Timsistem_Product_Specifications - 2020.07.16.exe	svchost.exe
PID 3748 wrote to memory of 3532	3748	notepad.exe	svchost.exe
PID 3748 wrote to memory of 3532	3748	notepad.exe	svchost.exe
PID 3748 wrote to memory of 3532	3748	notepad.exe	svchost.exe
PID 3532 wrote to memory of 4504	3532	svchost.exe	svchost.exe
PID 3532 wrote to memory of 4504	3532	svchost.exe	svchost.exe
PID 3532 wrote to memory of 4504	3532	svchost.exe	svchost.exe
PID 3532 wrote to memory of 1784	3532	svchost.exe	svchost.exe
PID 3532 wrote to memory of 1784	3532	svchost.exe	svchost.exe
PID 3532 wrote to memory of 1784	3532	svchost.exe	svchost.exe
PID 4504 wrote to memory of 2216	4504	svchost.exe	schtasks.exe
PID 4504 wrote to memory of 2216	4504	svchost.exe	schtasks.exe
PID 4504 wrote to memory of 2216	4504	svchost.exe	schtasks.exe
PID 4504 wrote to memory of 4880	4504	svchost.exe	svchost.exe
PID 4504 wrote to memory of 4880	4504	svchost.exe	svchost.exe
PID 4504 wrote to memory of 4880	4504	svchost.exe	svchost.exe
PID 4880 wrote to memory of 3068	4880	svchost.exe	notepad.exe
PID 4880 wrote to memory of 3068	4880	svchost.exe	notepad.exe
PID 4880 wrote to memory of 3068	4880	svchost.exe	notepad.exe
PID 4880 wrote to memory of 3068	4880	svchost.exe	notepad.exe
PID 4880 wrote to memory of 3068	4880	svchost.exe	notepad.exe
PID 1784 wrote to memory of 2668	1784	svchost.exe	svchost.exe
PID 1784 wrote to memory of 2668	1784	svchost.exe	svchost.exe
PID 1784 wrote to memory of 2668	1784	svchost.exe	svchost.exe
PID 2668 wrote to memory of 536	2668	svchost.exe	svchost.exe
PID 2668 wrote to memory of 536	2668	svchost.exe	svchost.exe
PID 2668 wrote to memory of 536	2668	svchost.exe	svchost.exe
PID 2668 wrote to memory of 3484	2668	svchost.exe	svchost.exe
PID 2668 wrote to memory of 3484	2668	svchost.exe	svchost.exe
PID 2668 wrote to memory of 3484	2668	svchost.exe	svchost.exe
PID 3068 wrote to memory of 4528	3068	notepad.exe	svchost.exe
PID 3068 wrote to memory of 4528	3068	notepad.exe	svchost.exe
PID 3068 wrote to memory of 4528	3068	notepad.exe	svchost.exe
PID 4528 wrote to memory of 4368	4528	svchost.exe	svchost.exe
PID 4528 wrote to memory of 4368	4528	svchost.exe	svchost.exe
PID 4528 wrote to memory of 4368	4528	svchost.exe	svchost.exe
PID 4528 wrote to memory of 2684	4528	svchost.exe	svchost.exe
PID 4528 wrote to memory of 2684	4528	svchost.exe	svchost.exe
PID 4528 wrote to memory of 2684	4528	svchost.exe	svchost.exe
PID 4368 wrote to memory of 4080	4368	svchost.exe	svchost.exe
PID 4368 wrote to memory of 4080	4368	svchost.exe	svchost.exe
PID 4368 wrote to memory of 4080	4368	svchost.exe	svchost.exe
PID 4368 wrote to memory of 852	4368	svchost.exe	svchost.exe
PID 4368 wrote to memory of 852	4368	svchost.exe	svchost.exe
PID 4368 wrote to memory of 852	4368	svchost.exe	svchost.exe
PID 3484 wrote to memory of 2180	3484	svchost.exe	svchost.exe
PID 3484 wrote to memory of 2180	3484	svchost.exe	svchost.exe
PID 3484 wrote to memory of 2180	3484	svchost.exe	svchost.exe
PID 852 wrote to memory of 1844	852	svchost.exe	notepad.exe
PID 852 wrote to memory of 1844	852	svchost.exe	notepad.exe
PID 852 wrote to memory of 1844	852	svchost.exe	notepad.exe
PID 852 wrote to memory of 1844	852	svchost.exe	notepad.exe
PID 852 wrote to memory of 1844	852	svchost.exe	notepad.exe
PID 2180 wrote to memory of 5088	2180	svchost.exe	svchost.exe
PID 2180 wrote to memory of 5088	2180	svchost.exe	svchost.exe
PID 2180 wrote to memory of 5088	2180	svchost.exe	svchost.exe
PID 2180 wrote to memory of 64	2180	svchost.exe	svchost.exe
PID 2180 wrote to memory of 64	2180	svchost.exe	svchost.exe
PID 2180 wrote to memory of 64	2180	svchost.exe	svchost.exe
PID 2684 wrote to memory of 1864	2684	svchost.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\Timsistem_Product_Specifications - 2020.07.16.exe
"C:\Users\Admin\AppData\Local\Temp\Timsistem_Product_Specifications - 2020.07.16.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2808

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
2⤵
- Drops startup file
- NTFS ADS
- Suspicious use of WriteProcessMemory
PID:3748

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3532

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4504

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Java Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" /rl HIGHEST /f
5⤵
- Quasar RAT
- Creates scheduled task(s)
PID:2216

C:\Windows\SysWOW64\SubDir\svchost.exe
"C:\Windows\SysWOW64\SubDir\svchost.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4880

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
6⤵
- Drops startup file
- NTFS ADS
- Suspicious use of WriteProcessMemory
PID:3068

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4528

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
8⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4368

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Java Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" /rl HIGHEST /f
9⤵
- Creates scheduled task(s)
PID:4080

C:\Windows\SysWOW64\SubDir\svchost.exe
"C:\Windows\SysWOW64\SubDir\svchost.exe"
9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:852

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
10⤵
- Drops startup file
- NTFS ADS
PID:1844

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
11⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:660

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
12⤵
- Executes dropped EXE
PID:3816

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Java Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" /rl HIGHEST /f
13⤵
- Creates scheduled task(s)
PID:2740

C:\Windows\SysWOW64\SubDir\svchost.exe
"C:\Windows\SysWOW64\SubDir\svchost.exe"
13⤵
PID:3084

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
14⤵
PID:1528

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
15⤵
PID:2432

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
16⤵
PID:3616

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 3616 240619875
16⤵
PID:812

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
17⤵
PID:3624

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
18⤵
PID:4832

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 4832 240621796
18⤵
PID:2216

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
19⤵
PID:1972

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
20⤵
PID:3652

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 3652 240624921
20⤵
PID:3780

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
21⤵
PID:1864

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
22⤵
PID:3088

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 3088 240628578
22⤵
PID:1096

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
23⤵
PID:3828

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
24⤵
PID:2656

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 2656 240634093
24⤵
PID:4848

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
25⤵
PID:1008

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
26⤵
PID:2104

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 2104 240640171
26⤵
PID:3032

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
27⤵
PID:5356

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
28⤵
PID:2648

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 2648 240647718
28⤵
PID:5700

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
29⤵
PID:5032

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
30⤵
PID:5036

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 5036 240652000
30⤵
PID:5804

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
31⤵
PID:6108

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
32⤵
PID:5776

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 5776 240660890
32⤵
PID:2740

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
33⤵
PID:5836

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
34⤵
PID:1272

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 1272 240671781
34⤵
PID:748

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
35⤵
PID:6244

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
36⤵
PID:2760

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 2760 240682421
36⤵
PID:7032

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
37⤵
PID:2140

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
38⤵
PID:3648

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 3648 240695531
38⤵
PID:6824

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
39⤵
PID:2640

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
40⤵
PID:1212

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 1212 240711812
40⤵
PID:6720

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
41⤵
PID:6832

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
42⤵
PID:5416

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 5416 240733515
42⤵
PID:3660

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
43⤵
PID:6672

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
44⤵
PID:7248

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 7248 240754015
44⤵
PID:1456

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 3816 240617062
12⤵
- Executes dropped EXE
PID:4644

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
13⤵
PID:4192

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
14⤵
PID:1368

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Java Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" /rl HIGHEST /f
15⤵
- Creates scheduled task(s)
PID:1448

C:\Windows\SysWOW64\SubDir\svchost.exe
"C:\Windows\SysWOW64\SubDir\svchost.exe"
15⤵
PID:1436

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
16⤵
PID:4460

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
17⤵
PID:1732

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
18⤵
PID:116

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 116 240623375
18⤵
PID:3484

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
19⤵
PID:1220

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
20⤵
PID:1004

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 1004 240627046
20⤵
PID:4204

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
21⤵
PID:1844

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
22⤵
PID:4796

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 4796 240631343
22⤵
PID:3024

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
23⤵
PID:2640

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
24⤵
PID:1044

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 1044 240636250
24⤵
PID:4340

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
25⤵
PID:3428

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
26⤵
PID:3948

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 3948 240642593
26⤵
PID:436

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
27⤵
PID:5756

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
28⤵
PID:2256

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 2256 240651515
28⤵
PID:5524

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
29⤵
PID:3620

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
30⤵
PID:2252

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 2252 240659687
30⤵
PID:5344

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
31⤵
PID:3532

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
32⤵
PID:5484

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 5484 240669671
32⤵
PID:64

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
33⤵
PID:6680

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
34⤵
PID:6988

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 6988 240680375
34⤵
PID:7112

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
35⤵
PID:6732

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
36⤵
PID:6912

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 6912 240693046
36⤵
PID:4296

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
37⤵
PID:6368

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
38⤵
PID:5148

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 5148 240706718
38⤵
PID:5228

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
39⤵
PID:736

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
40⤵
PID:6352

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 6352 240722921
40⤵
PID:2808

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
41⤵
PID:6584

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
42⤵
PID:2184

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 2184 240740250
42⤵
PID:4220

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 1368 240619734
14⤵
PID:3672

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
15⤵
PID:4308

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
16⤵
PID:4976

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Java Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" /rl HIGHEST /f
17⤵
- Creates scheduled task(s)
PID:1212

C:\Windows\SysWOW64\SubDir\svchost.exe
"C:\Windows\SysWOW64\SubDir\svchost.exe"
17⤵
PID:5068

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
18⤵
PID:4788

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
19⤵
PID:4924

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
20⤵
PID:4496

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 4496 240628453
20⤵
PID:3504

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
21⤵
PID:1176

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
22⤵
PID:1728

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Java Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" /rl HIGHEST /f
23⤵
- Creates scheduled task(s)
PID:4636

C:\Windows\SysWOW64\SubDir\svchost.exe
"C:\Windows\SysWOW64\SubDir\svchost.exe"
23⤵
PID:2144

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
24⤵
PID:3008

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
25⤵
PID:2028

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
26⤵
PID:5212

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 5212 240643343
26⤵
PID:5240

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
27⤵
PID:2180

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
28⤵
PID:5984

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 5984 240652671
28⤵
PID:5844

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
29⤵
PID:5668

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
30⤵
PID:2948

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Java Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" /rl HIGHEST /f
31⤵
- Creates scheduled task(s)
PID:5768

C:\Windows\SysWOW64\SubDir\svchost.exe
"C:\Windows\SysWOW64\SubDir\svchost.exe"
31⤵
PID:5936

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
32⤵
PID:4180

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
33⤵
PID:5480

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
34⤵
PID:2436

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 2436 240677546
34⤵
PID:2184

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
35⤵
PID:5056

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
36⤵
PID:6532

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 6532 240689125
36⤵
PID:2668

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
37⤵
PID:6212

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
38⤵
PID:6464

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Java Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" /rl HIGHEST /f
39⤵
- Creates scheduled task(s)
PID:7044

C:\Windows\SysWOW64\SubDir\svchost.exe
"C:\Windows\SysWOW64\SubDir\svchost.exe"
39⤵
PID:3676

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
40⤵
PID:6932

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
41⤵
PID:6456

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
42⤵
PID:2932

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 2932 240719015
42⤵
PID:2120

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
43⤵
PID:5740

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
44⤵
PID:6616

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 6616 240736875
44⤵
PID:1072

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
45⤵
PID:6692

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 6464 240700359
38⤵
PID:4836

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
39⤵
PID:5980

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
40⤵
PID:4940

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 4940 240718031
40⤵
PID:5780

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
41⤵
PID:3556

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
42⤵
PID:6504

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 6504 240735515
42⤵
PID:6656

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
43⤵
PID:876

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
44⤵
PID:5860

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 5860 240753781
44⤵
PID:5436

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 2948 240660531
30⤵
PID:5268

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
31⤵
PID:1628

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
32⤵
PID:5676

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Java Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" /rl HIGHEST /f
33⤵
- Creates scheduled task(s)
PID:6744

C:\Windows\SysWOW64\SubDir\svchost.exe
"C:\Windows\SysWOW64\SubDir\svchost.exe"
33⤵
PID:5672

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
34⤵
PID:1448

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
35⤵
PID:6412

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
36⤵
PID:5692

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 5692 240690609
36⤵
PID:4224

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
37⤵
PID:1624

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
38⤵
PID:3312

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 3312 240702312
38⤵
PID:3512

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
39⤵
PID:1700

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
40⤵
PID:3640

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 3640 240715390
40⤵
PID:1200

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
41⤵
PID:6208

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
42⤵
PID:2540

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 2540 240732093
42⤵
PID:2748

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
43⤵
PID:1120

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
44⤵
PID:6564

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 6564 240750171
44⤵
PID:6476

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 5676 240676421
32⤵
PID:5680

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
33⤵
PID:6792

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
34⤵
PID:3880

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 3880 240690000
34⤵
PID:5076

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
35⤵
PID:5712

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
36⤵
PID:5400

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 5400 240702312
36⤵
PID:5180

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
37⤵
PID:5132

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
38⤵
PID:7084

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 7084 240716765
38⤵
PID:6568

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
39⤵
PID:7068

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
40⤵
PID:2468

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 2468 240732312
40⤵
PID:5492

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
41⤵
PID:5952

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
42⤵
PID:6984

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 6984 240750515
42⤵
PID:7292

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 1728 240633921
22⤵
PID:2676

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
23⤵
PID:3968

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
24⤵
PID:5328

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 5328 240643656
24⤵
PID:5384

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
25⤵
PID:2932

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
26⤵
PID:3272

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 3272 240651484
26⤵
PID:5956

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
27⤵
PID:5316

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
28⤵
PID:6024

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 6024 240660203
28⤵
PID:5788

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
29⤵
PID:5760

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
30⤵
PID:6112

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 6112 240670093
30⤵
PID:900

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
31⤵
PID:6888

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
32⤵
PID:6360

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 6360 240681562
32⤵
PID:6544

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
33⤵
PID:2920

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
34⤵
PID:6948

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Java Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" /rl HIGHEST /f
35⤵
- Creates scheduled task(s)
PID:5336

C:\Windows\SysWOW64\SubDir\svchost.exe
"C:\Windows\SysWOW64\SubDir\svchost.exe"
35⤵
PID:5476

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
36⤵
PID:6536

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
37⤵
PID:6440

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
38⤵
PID:4448

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 4448 240714875
38⤵
PID:3660

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
39⤵
PID:6576

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
40⤵
PID:7128

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 7128 240733328
40⤵
PID:5920

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
41⤵
PID:4316

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
42⤵
PID:2012

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 2012 240751546
42⤵
PID:8068

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 6948 240694437
34⤵
PID:7112

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
35⤵
PID:5500

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
36⤵
PID:3780

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 3780 240714312
36⤵
PID:6376

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
37⤵
PID:5080

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
38⤵
PID:212

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 212 240731421
38⤵
PID:1716

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
39⤵
PID:8112

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
40⤵
PID:5728

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 5728 240749531
40⤵
PID:7884

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 4976 240623187
16⤵
PID:2104

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
17⤵
PID:1216

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
18⤵
PID:4608

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Java Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" /rl HIGHEST /f
19⤵
- Creates scheduled task(s)
PID:2740

C:\Windows\SysWOW64\SubDir\svchost.exe
"C:\Windows\SysWOW64\SubDir\svchost.exe"
19⤵
PID:1712

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
20⤵
PID:4676

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
21⤵
PID:2868

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
22⤵
PID:1972

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Java Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" /rl HIGHEST /f
23⤵
- Creates scheduled task(s)
PID:5360

C:\Windows\SysWOW64\SubDir\svchost.exe
"C:\Windows\SysWOW64\SubDir\svchost.exe"
23⤵
PID:5628

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
24⤵
PID:5800

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
25⤵
PID:5924

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
26⤵
PID:6096

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 6096 240646250
26⤵
PID:1744

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
27⤵
PID:5028

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
28⤵
PID:6064

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 6064 240652031
28⤵
PID:3472

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
29⤵
PID:2932

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
30⤵
PID:4192

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 4192 240662140
30⤵
PID:5256

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
31⤵
PID:5768

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
32⤵
PID:1444

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 1444 240670500
32⤵
PID:5548

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
33⤵
PID:6448

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
34⤵
PID:5796

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Java Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" /rl HIGHEST /f
35⤵
- Creates scheduled task(s)
PID:1488

C:\Windows\SysWOW64\SubDir\svchost.exe
"C:\Windows\SysWOW64\SubDir\svchost.exe"
35⤵
PID:408

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
36⤵
PID:6628

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
37⤵
PID:6476

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
38⤵
PID:3044

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Java Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" /rl HIGHEST /f
39⤵
- Creates scheduled task(s)
PID:5900

C:\Windows\SysWOW64\SubDir\svchost.exe
"C:\Windows\SysWOW64\SubDir\svchost.exe"
39⤵
PID:2952

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
40⤵
PID:6756

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
41⤵
PID:5132

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
42⤵
PID:4080

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 4080 240723343
42⤵
PID:1448

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
43⤵
PID:4260

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
44⤵
PID:5408

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 5408 240740656
44⤵
PID:1032

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 3044 240702781
38⤵
PID:5896

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
39⤵
PID:4252

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
40⤵
PID:6108

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 6108 240723062
40⤵
PID:5424

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
41⤵
PID:5476

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
42⤵
PID:6056

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 6056 240738171
42⤵
PID:6596

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
43⤵
PID:7544

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 5796 240683062
34⤵
PID:5360

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
35⤵
PID:2976

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
36⤵
PID:2232

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 2232 240702515
36⤵
PID:6692

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
37⤵
PID:4764

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
38⤵
PID:2500

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 2500 240717187
38⤵
PID:6616

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
39⤵
PID:2316

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
40⤵
PID:3244

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 3244 240735515
40⤵
PID:6980

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
41⤵
PID:7600

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
42⤵
PID:7360

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 1972 240636078
22⤵
PID:4204

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
23⤵
PID:5844

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
24⤵
PID:5912

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 5912 240645937
24⤵
PID:5976

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
25⤵
PID:1508

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
26⤵
PID:5456

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 5456 240651875
26⤵
PID:4412

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
27⤵
PID:5324

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
28⤵
PID:5620

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 5620 240659687
28⤵
PID:5504

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
29⤵
PID:3068

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
30⤵
PID:5340

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 5340 240670796
30⤵
PID:3300

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
31⤵
PID:5848

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
32⤵
PID:6580

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 6580 240681843
32⤵
PID:6596

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
33⤵
PID:6884

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
34⤵
PID:6000

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 6000 240692781
34⤵
PID:5836

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
35⤵
PID:6268

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
36⤵
PID:4536

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 4536 240704937
36⤵
PID:6352

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
37⤵
PID:6804

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
38⤵
PID:4336

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 4336 240721000
38⤵
PID:5336

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
39⤵
PID:4916

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
40⤵
PID:4552

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 4552 240739921
40⤵
PID:4700

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 4608 240628343
18⤵
PID:1396

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
19⤵
PID:2984

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
20⤵
PID:2664

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 2664 240635953
20⤵
PID:1176

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
21⤵
PID:1224

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
22⤵
PID:3228

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 3228 240642328
22⤵
PID:4408

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
23⤵
PID:4648

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
24⤵
PID:5236

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 5236 240651609
24⤵
PID:5184

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
25⤵
PID:5064

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
26⤵
PID:1028

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 1028 240660140
26⤵
PID:6084

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
27⤵
PID:4700

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
28⤵
PID:532

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 532 240672734
28⤵
PID:1200

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
29⤵
PID:5392

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
30⤵
PID:5808

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 5808 240683859
30⤵
PID:3192

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
31⤵
PID:1860

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
32⤵
PID:6544

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 6544 240696968
32⤵
PID:6864

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
33⤵
PID:6484

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
34⤵
PID:5028

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 5028 240710984
34⤵
PID:5612

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
35⤵
PID:5768

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
36⤵
PID:6848

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 6848 240728015
36⤵
PID:7004

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
37⤵
PID:6392

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
38⤵
PID:7756

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 7756 240745828
38⤵
PID:7796

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 4368 240615609
8⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2684

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
9⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:1864

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
10⤵
- Executes dropped EXE
PID:4596

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 4596 240616765
10⤵
- Executes dropped EXE
PID:3032

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
11⤵
PID:3008

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
12⤵
PID:5108

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Java Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" /rl HIGHEST /f
13⤵
- Creates scheduled task(s)
PID:2812

C:\Windows\SysWOW64\SubDir\svchost.exe
"C:\Windows\SysWOW64\SubDir\svchost.exe"
13⤵
PID:3748

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
14⤵
PID:3192

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
15⤵
PID:4180

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
16⤵
PID:4860

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 4860 240622312
16⤵
PID:4988

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
17⤵
PID:4628

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
18⤵
PID:1048

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Java Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" /rl HIGHEST /f
19⤵
- Creates scheduled task(s)
PID:2272

C:\Windows\SysWOW64\SubDir\svchost.exe
"C:\Windows\SysWOW64\SubDir\svchost.exe"
19⤵
PID:1952

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
20⤵
PID:3956

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
21⤵
PID:3928

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
22⤵
PID:2840

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 2840 240632937
22⤵
PID:748

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
23⤵
PID:2848

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
24⤵
PID:4080

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 4080 240638093
24⤵
PID:2648

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
25⤵
PID:5576

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
26⤵
PID:5660

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 5660 240644937
26⤵
PID:5672

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
27⤵
PID:5144

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
28⤵
PID:5664

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 5664 240651593
28⤵
PID:5920

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
29⤵
PID:5896

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
30⤵
PID:5904

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 5904 240659109
30⤵
PID:5140

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
31⤵
PID:6004

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
32⤵
PID:5708

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Java Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" /rl HIGHEST /f
33⤵
- Creates scheduled task(s)
PID:6920

C:\Windows\SysWOW64\SubDir\svchost.exe
"C:\Windows\SysWOW64\SubDir\svchost.exe"
33⤵
PID:4120

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
34⤵
PID:6556

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
35⤵
PID:3036

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
36⤵
PID:5464

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 5464 240687187
36⤵
PID:5600

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
37⤵
PID:6332

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
38⤵
PID:6684

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 6684 240698203
38⤵
PID:1176

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
39⤵
PID:1436

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
40⤵
PID:792

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 792 240712406
40⤵
PID:6664

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
41⤵
PID:6748

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
42⤵
PID:3196

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 3196 240730109
42⤵
PID:3484

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
43⤵
PID:7720

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
44⤵
PID:7820

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 7820 240746156
44⤵
PID:7932

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 5708 240668906
32⤵
PID:1504

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
33⤵
PID:5836

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
34⤵
PID:6428

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 6428 240686593
34⤵
PID:6940

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
35⤵
PID:3400

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
36⤵
PID:6060

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 6060 240700000
36⤵
PID:6456

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
37⤵
PID:4968

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
38⤵
PID:7148

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 7148 240713625
38⤵
PID:7036

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
39⤵
PID:6968

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
40⤵
PID:5188

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 5188 240731703
40⤵
PID:7036

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
41⤵
PID:2388

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
42⤵
PID:7996

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 7996 240749765
42⤵
PID:6332

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 1048 240625546
18⤵
PID:1440

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
19⤵
PID:208

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
20⤵
PID:4248

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Java Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" /rl HIGHEST /f
21⤵
- Creates scheduled task(s)
PID:2316

C:\Windows\SysWOW64\SubDir\svchost.exe
"C:\Windows\SysWOW64\SubDir\svchost.exe"
21⤵
PID:4988

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
22⤵
PID:2632

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
23⤵
PID:1528

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
24⤵
PID:4460

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 4460 240640687
24⤵
PID:748

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
25⤵
PID:4808

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
26⤵
PID:5016

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 5016 240648312
26⤵
PID:5628

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
27⤵
PID:64

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
28⤵
PID:3108

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 3108 240652375
28⤵
PID:2500

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
29⤵
PID:6012

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
30⤵
PID:2180

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 2180 240661296
30⤵
PID:5324

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
31⤵
PID:5924

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
32⤵
PID:4240

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 4240 240670843
32⤵
PID:4288

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
33⤵
PID:6672

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
34⤵
PID:6928

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 6928 240680359
34⤵
PID:7080

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
35⤵
PID:5084

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
36⤵
PID:1296

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 1296 240692515
36⤵
PID:5952

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
37⤵
PID:2848

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
38⤵
PID:5836

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 5836 240706421
38⤵
PID:5524

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
39⤵
PID:3680

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
40⤵
PID:6216

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 6216 240722296
40⤵
PID:2204

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
41⤵
PID:2768

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
42⤵
PID:3612

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 3612 240741859
42⤵
PID:4224

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 4248 240632328
20⤵
PID:3276

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
21⤵
PID:1128

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
22⤵
PID:1684

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 1684 240640421
22⤵
PID:4988

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
23⤵
PID:6072

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
24⤵
PID:5556

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Java Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" /rl HIGHEST /f
25⤵
- Creates scheduled task(s)
PID:4776

C:\Windows\SysWOW64\SubDir\svchost.exe
"C:\Windows\SysWOW64\SubDir\svchost.exe"
25⤵
PID:5868

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
26⤵
PID:3776

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
27⤵
PID:2184

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
28⤵
PID:6104

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 6104 240660390
28⤵
PID:1952

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
29⤵
PID:5908

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
30⤵
PID:6016

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 6016 240669171
30⤵
PID:5260

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
31⤵
PID:6660

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
32⤵
PID:7064

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 7064 240680546
32⤵
PID:3556

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
33⤵
PID:5844

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
34⤵
PID:1680

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 1680 240693343
34⤵
PID:5164

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
35⤵
PID:7008

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
36⤵
PID:4992

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 4992 240707046
36⤵
PID:1560

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
37⤵
PID:6804

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
38⤵
PID:1036

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 1036 240724000
38⤵
PID:2192

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
39⤵
PID:1644

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
40⤵
PID:4872

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 4872 240743640
40⤵
PID:1812

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 5556 240649265
24⤵
PID:5840

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
25⤵
PID:3140

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
26⤵
PID:384

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 384 240660234
26⤵
PID:2316

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
27⤵
PID:4120

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
28⤵
PID:5280

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 5280 240669921
28⤵
PID:1912

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
29⤵
PID:6788

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
30⤵
PID:6068

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 6068 240680781
30⤵
PID:996

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
31⤵
PID:2140

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
32⤵
PID:6200

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 6200 240692031
32⤵
PID:6564

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
33⤵
PID:5360

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
34⤵
PID:5968

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 5968 240705093
34⤵
PID:3868

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
35⤵
PID:3512

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
36⤵
PID:6852

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 6852 240721359
36⤵
PID:5128

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
37⤵
PID:2364

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
38⤵
PID:6316

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 6316 240737421
38⤵
PID:6552

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
39⤵
PID:7604

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 5108 240618140
12⤵
PID:4936

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
13⤵
PID:2740

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
14⤵
PID:4040

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Java Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" /rl HIGHEST /f
15⤵
- Creates scheduled task(s)
PID:4608

C:\Windows\SysWOW64\SubDir\svchost.exe
"C:\Windows\SysWOW64\SubDir\svchost.exe"
15⤵
PID:1864

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
16⤵
PID:3140

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
17⤵
PID:5004

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
18⤵
PID:4476

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 4476 240626640
18⤵
PID:4596

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
19⤵
PID:2808

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
20⤵
PID:4960

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 4960 240631093
20⤵
PID:2332

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
21⤵
PID:2420

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
22⤵
PID:2288

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 2288 240636531
22⤵
PID:704

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
23⤵
PID:928

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
24⤵
PID:1224

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 1224 240642953
24⤵
PID:852

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
25⤵
PID:5900

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
26⤵
PID:3692

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 3692 240652187
26⤵
PID:1952

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
27⤵
PID:6068

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
28⤵
PID:3724

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 3724 240659921
28⤵
PID:5992

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
29⤵
PID:1584

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
30⤵
PID:4528

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 4528 240669562
30⤵
PID:5492

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
31⤵
PID:2120

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
32⤵
PID:5276

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 5276 240682828
32⤵
PID:6896

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
33⤵
PID:6464

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
34⤵
PID:1968

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 1968 240695953
34⤵
PID:232

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
35⤵
PID:1108

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
36⤵
PID:7100

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 7100 240708828
36⤵
PID:5824

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
37⤵
PID:6268

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
38⤵
PID:4784

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 4784 240726281
38⤵
PID:5388

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
39⤵
PID:5452

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
40⤵
PID:904

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 904 240744468
40⤵
PID:7200

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 4040 240621796
14⤵
PID:3060

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
15⤵
PID:3032

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
16⤵
PID:4344

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 4344 240626546
16⤵
PID:2544

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
17⤵
PID:2056

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
18⤵
PID:3672

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 3672 240631203
18⤵
PID:1840

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
19⤵
PID:3120

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
20⤵
PID:3188

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 3188 240636546
20⤵
PID:1508

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
21⤵
PID:4120

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
22⤵
PID:2572

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 2572 240642656
22⤵
PID:1448

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
23⤵
PID:2640

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
24⤵
PID:2924

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Java Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" /rl HIGHEST /f
25⤵
- Creates scheduled task(s)
PID:1560

C:\Windows\SysWOW64\SubDir\svchost.exe
"C:\Windows\SysWOW64\SubDir\svchost.exe"
25⤵
PID:4968

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
26⤵
PID:5828

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
27⤵
PID:5316

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
28⤵
PID:5624

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 5624 240664062
28⤵
PID:5136

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
29⤵
PID:5148

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
30⤵
PID:3940

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 3940 240673609
30⤵
PID:5524

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
31⤵
PID:2372

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
32⤵
PID:5592

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 5592 240683765
32⤵
PID:6436

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
33⤵
PID:5968

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
34⤵
PID:216

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 216 240697656
34⤵
PID:7032

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
35⤵
PID:7028

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
36⤵
PID:3788

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 3788 240713031
36⤵
PID:1844

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
37⤵
PID:5880

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
38⤵
PID:4688

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 4688 240730703
38⤵
PID:1620

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
39⤵
PID:748

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
40⤵
PID:8184

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 8184 240752343
40⤵
PID:3676

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 2924 240651265
24⤵
PID:5592

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
25⤵
PID:3120

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
26⤵
PID:5176

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 5176 240663656
26⤵
PID:4240

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
27⤵
PID:5240

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
28⤵
PID:5940

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 5940 240670843
28⤵
PID:5184

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
29⤵
PID:5880

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
30⤵
PID:2216

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 2216 240683578
30⤵
PID:6348

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
31⤵
PID:4308

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
32⤵
PID:6372

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 6372 240696281
32⤵
PID:900

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
33⤵
PID:5588

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
34⤵
PID:6240

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 6240 240709468
34⤵
PID:6416

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
35⤵
PID:3120

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
36⤵
PID:6160

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Java Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" /rl HIGHEST /f
37⤵
- Creates scheduled task(s)
PID:7956

C:\Windows\SysWOW64\SubDir\svchost.exe
"C:\Windows\SysWOW64\SubDir\svchost.exe"
37⤵
PID:3828

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
38⤵
PID:6996

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
39⤵
PID:6432

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
40⤵
PID:3192

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 3192 240749984
40⤵
PID:7664

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 6160 240727000
36⤵
PID:5156

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
37⤵
PID:5500

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
38⤵
PID:8032

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 8032 240749062
38⤵
PID:8116

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 4504 240613656
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1784

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2668

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
6⤵
- Executes dropped EXE
PID:536

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 536 240615500
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3484

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2180

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
8⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5088

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Java Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" /rl HIGHEST /f
9⤵
- Creates scheduled task(s)
PID:1584

C:\Windows\SysWOW64\SubDir\svchost.exe
"C:\Windows\SysWOW64\SubDir\svchost.exe"
9⤵
PID:232

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
10⤵
PID:528

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
11⤵
PID:4080

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
12⤵
PID:1612

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 1612 240618656
12⤵
PID:4400

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
13⤵
PID:4864

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
14⤵
PID:4900

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 4900 240620953
14⤵
PID:3840

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
15⤵
PID:688

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
16⤵
PID:2320

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Java Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" /rl HIGHEST /f
17⤵
- Creates scheduled task(s)
PID:852

C:\Windows\SysWOW64\SubDir\svchost.exe
"C:\Windows\SysWOW64\SubDir\svchost.exe"
17⤵
PID:4080

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
18⤵
PID:3864

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
19⤵
PID:3564

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
20⤵
PID:3932

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 3932 240630656
20⤵
PID:1796

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
21⤵
PID:3888

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
22⤵
PID:4908

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 4908 240636343
22⤵
PID:3016

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
23⤵
PID:1212

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
24⤵
PID:1340

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Java Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" /rl HIGHEST /f
25⤵
- Creates scheduled task(s)
PID:5132

C:\Windows\SysWOW64\SubDir\svchost.exe
"C:\Windows\SysWOW64\SubDir\svchost.exe"
25⤵
PID:5200

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
26⤵
PID:1364

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
27⤵
PID:5464

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
28⤵
PID:1508

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Java Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" /rl HIGHEST /f
29⤵
- Creates scheduled task(s)
PID:1348

C:\Windows\SysWOW64\SubDir\svchost.exe
"C:\Windows\SysWOW64\SubDir\svchost.exe"
29⤵
PID:1480

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
30⤵
PID:6012

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
31⤵
PID:5460

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
32⤵
PID:5668

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 5668 240667906
32⤵
PID:1624

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
33⤵
PID:232

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
34⤵
PID:4828

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 4828 240678609
34⤵
PID:5772

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
35⤵
PID:5408

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
36⤵
PID:2056

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Java Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" /rl HIGHEST /f
37⤵
- Creates scheduled task(s)
PID:6876

C:\Windows\SysWOW64\SubDir\svchost.exe
"C:\Windows\SysWOW64\SubDir\svchost.exe"
37⤵
PID:6004

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
38⤵
PID:5820

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
39⤵
PID:4612

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
40⤵
PID:2420

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 2420 240706078
40⤵
PID:4648

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
41⤵
PID:2040

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
42⤵
PID:4640

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 4640 240724203
42⤵
PID:6292

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
43⤵
PID:6336

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
44⤵
PID:6024

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 6024 240742265
44⤵
PID:5428

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 2056 240689750
36⤵
PID:3984

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
37⤵
PID:6976

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
38⤵
PID:5188

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 5188 240706890
38⤵
PID:372

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
39⤵
PID:3484

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
40⤵
PID:4452

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 4452 240724437
40⤵
PID:736

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
41⤵
PID:6436

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
42⤵
PID:6724

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 6724 240741546
42⤵
PID:6248

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 1508 240656890
28⤵
PID:5856

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
29⤵
PID:3008

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
30⤵
PID:4916

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 4916 240667703
30⤵
PID:4132

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
31⤵
PID:3696

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
32⤵
PID:6100

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Java Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" /rl HIGHEST /f
33⤵
- Creates scheduled task(s)
PID:2888

C:\Windows\SysWOW64\SubDir\svchost.exe
"C:\Windows\SysWOW64\SubDir\svchost.exe"
33⤵
PID:3552

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
34⤵
PID:2976

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
35⤵
PID:3420

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
36⤵
PID:1864

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 1864 240692515
36⤵
PID:6748

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
37⤵
PID:6180

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
38⤵
PID:6420

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 6420 240705656
38⤵
PID:5988

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
39⤵
PID:3596

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
40⤵
PID:5480

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 5480 240723218
40⤵
PID:6436

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
41⤵
PID:7060

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
42⤵
PID:7092

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 7092 240740812
42⤵
PID:3680

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 6100 240678250
32⤵
PID:3008

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
33⤵
PID:7096

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
34⤵
PID:5688

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 5688 240692890
34⤵
PID:7092

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
35⤵
PID:4924

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
36⤵
PID:6276

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 6276 240706218
36⤵
PID:6328

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
37⤵
PID:6632

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
38⤵
PID:5684

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 5684 240723953
38⤵
PID:4308

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
39⤵
PID:4816

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
40⤵
PID:4408

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 4408 240742156
40⤵
PID:4916

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 1340 240643109
24⤵
PID:1348

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
25⤵
PID:5744

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
26⤵
PID:660

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 660 240656265
26⤵
PID:3784

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
27⤵
PID:3776

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
28⤵
PID:5804

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Java Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" /rl HIGHEST /f
29⤵
- Creates scheduled task(s)
PID:1436

C:\Windows\SysWOW64\SubDir\svchost.exe
"C:\Windows\SysWOW64\SubDir\svchost.exe"
29⤵
PID:6244

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
30⤵
PID:6292

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
31⤵
PID:6424

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
32⤵
PID:6636

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Java Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" /rl HIGHEST /f
33⤵
- Creates scheduled task(s)
PID:2540

C:\Windows\SysWOW64\SubDir\svchost.exe
"C:\Windows\SysWOW64\SubDir\svchost.exe"
33⤵
PID:7100

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
34⤵
PID:4692

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
35⤵
PID:6612

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
36⤵
PID:3260

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 3260 240699593
36⤵
PID:4328

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
37⤵
PID:7060

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
38⤵
PID:6128

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 6128 240715500
38⤵
PID:5740

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
39⤵
PID:6944

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
40⤵
PID:5880

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 5880 240732546
40⤵
PID:6300

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
41⤵
PID:4596

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
42⤵
PID:7976

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 7976 240752046
42⤵
PID:8028

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 6636 240679937
32⤵
PID:6712

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
33⤵
PID:2488

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
34⤵
PID:5384

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 5384 240697562
34⤵
PID:6124

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
35⤵
PID:6708

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
36⤵
PID:1108

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 1108 240712312
36⤵
PID:5860

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
37⤵
PID:2984

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
38⤵
PID:4644

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 4644 240730390
38⤵
PID:5004

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
39⤵
PID:7768

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
40⤵
PID:7988

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 7988 240746546
40⤵
PID:8152

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 5804 240666875
28⤵
PID:2868

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
29⤵
PID:6340

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
30⤵
PID:6460

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 6460 240679718
30⤵
PID:6508

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
31⤵
PID:4992

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
32⤵
PID:1528

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 1528 240690921
32⤵
PID:1032

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
33⤵
PID:6276

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
34⤵
PID:5680

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 5680 240703750
34⤵
PID:2708

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
35⤵
PID:1584

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
36⤵
PID:3400

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Java Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" /rl HIGHEST /f
37⤵
- Creates scheduled task(s)
PID:5300

C:\Windows\SysWOW64\SubDir\svchost.exe
"C:\Windows\SysWOW64\SubDir\svchost.exe"
37⤵
PID:6536

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
38⤵
PID:4308

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
39⤵
PID:2344

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
40⤵
PID:7072

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 7072 240743937
40⤵
PID:6904

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 3400 240720890
36⤵
PID:5756

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
37⤵
PID:232

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
38⤵
PID:2884

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 2884 240743796
38⤵
PID:2100

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 2320 240623937
16⤵
PID:1500

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
17⤵
PID:2812

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
18⤵
PID:3728

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Java Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" /rl HIGHEST /f
19⤵
- Creates scheduled task(s)
PID:2216

C:\Windows\SysWOW64\SubDir\svchost.exe
"C:\Windows\SysWOW64\SubDir\svchost.exe"
19⤵
PID:3032

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
20⤵
PID:1364

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
21⤵
PID:1128

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
22⤵
PID:2988

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 2988 240639281
22⤵
PID:3244

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
23⤵
PID:5896

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
24⤵
PID:6132

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 6132 240646359
24⤵
PID:2676

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
25⤵
PID:6012

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
26⤵
PID:3564

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 3564 240651703
26⤵
PID:5788

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
27⤵
PID:5240

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
28⤵
PID:2432

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Java Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" /rl HIGHEST /f
29⤵
- Creates scheduled task(s)
PID:4308

C:\Windows\SysWOW64\SubDir\svchost.exe
"C:\Windows\SysWOW64\SubDir\svchost.exe"
29⤵
PID:2956

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
30⤵
PID:636

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
31⤵
PID:5896

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
32⤵
PID:3364

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 3364 240672671
32⤵
PID:5056

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
33⤵
PID:6700

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
34⤵
PID:4416

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 4416 240684296
34⤵
PID:6308

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
35⤵
PID:2388

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
36⤵
PID:2740

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 2740 240696187
36⤵
PID:6764

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
37⤵
PID:6180

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
38⤵
PID:6324

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 6324 240710750
38⤵
PID:6424

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
39⤵
PID:6456

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
40⤵
PID:1732

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 1732 240727625
40⤵
PID:5136

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
41⤵
PID:7728

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
42⤵
PID:1448

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 1448 240747171
42⤵
PID:6304

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 2432 240659187
28⤵
PID:1900

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
29⤵
PID:392

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
30⤵
PID:5144

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 5144 240673890
30⤵
PID:6124

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
31⤵
PID:64

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
32⤵
PID:6688

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 6688 240684046
32⤵
PID:6236

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
33⤵
PID:6924

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
34⤵
PID:7116

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 7116 240698812
34⤵
PID:6432

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
35⤵
PID:5672

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
36⤵
PID:1020

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Java Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" /rl HIGHEST /f
37⤵
- Creates scheduled task(s)
PID:4108

C:\Windows\SysWOW64\SubDir\svchost.exe
"C:\Windows\SysWOW64\SubDir\svchost.exe"
37⤵
PID:6172

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
38⤵
PID:3736

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
39⤵
PID:5992

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
40⤵
PID:6012

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 6012 240738984
40⤵
PID:1712

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 1020 240715078
36⤵
PID:4916

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
37⤵
PID:5080

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
38⤵
PID:3304

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 3304 240738625
38⤵
PID:4432

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 3728 240630515
18⤵
PID:812

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
19⤵
PID:1448

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
20⤵
PID:896

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Java Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" /rl HIGHEST /f
21⤵
- Creates scheduled task(s)
PID:5940

C:\Windows\SysWOW64\SubDir\svchost.exe
"C:\Windows\SysWOW64\SubDir\svchost.exe"
21⤵
PID:5200

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
22⤵
PID:5324

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
23⤵
PID:1836

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
24⤵
PID:5936

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 5936 240648531
24⤵
PID:5868

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
25⤵
PID:6128

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
26⤵
PID:2332

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 2332 240651828
26⤵
PID:6056

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
27⤵
PID:4240

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
28⤵
PID:1540

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 1540 240659718
28⤵
PID:5568

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
29⤵
PID:4644

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
30⤵
PID:1008

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 1008 240669671
30⤵
PID:4664

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
31⤵
PID:6312

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
32⤵
PID:1952

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 1952 240681843
32⤵
PID:3744

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
33⤵
PID:6756

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
34⤵
PID:3748

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 3748 240694343
34⤵
PID:7036

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
35⤵
PID:5336

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
36⤵
PID:384

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Java Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" /rl HIGHEST /f
37⤵
- Creates scheduled task(s)
PID:7160

C:\Windows\SysWOW64\SubDir\svchost.exe
"C:\Windows\SysWOW64\SubDir\svchost.exe"
37⤵
PID:1488

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
38⤵
PID:2668

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
39⤵
PID:3448

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
40⤵
PID:1908

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 1908 240733265
40⤵
PID:548

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
41⤵
PID:8188

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
42⤵
PID:5488

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 5488 240750343
42⤵
PID:5004

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 384 240708062
36⤵
PID:5416

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
37⤵
PID:3244

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
38⤵
PID:1900

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 1900 240732906
38⤵
PID:4804

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
39⤵
PID:1624

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
40⤵
PID:7364

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 7364 240752921
40⤵
PID:7024

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 896 240637843
20⤵
PID:3528

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
21⤵
PID:1028

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
22⤵
PID:1220

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 1220 240647406
22⤵
PID:4968

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
23⤵
PID:5632

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
24⤵
PID:4464

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 4464 240651312
24⤵
PID:5644

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
25⤵
PID:5828

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
26⤵
PID:6140

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 6140 240660015
26⤵
PID:4612

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
27⤵
PID:5612

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
28⤵
PID:3784

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 3784 240669703
28⤵
PID:4260

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
29⤵
PID:6532

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
30⤵
PID:6820

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 6820 240680156
30⤵
PID:6904

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
31⤵
PID:6444

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
32⤵
PID:6844

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 6844 240691687
32⤵
PID:5752

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
33⤵
PID:3424

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
34⤵
PID:5764

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 5764 240706000
34⤵
PID:3888

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
35⤵
PID:1036

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
36⤵
PID:1860

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 1860 240719968
36⤵
PID:2428

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
37⤵
PID:5600

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
38⤵
PID:6732

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 6732 240737890
38⤵
PID:4836

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 5088 240616656
8⤵
- Executes dropped EXE
PID:64

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
9⤵
PID:4924

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
10⤵
PID:4360

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 4360 240618390
10⤵
PID:2272

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
11⤵
PID:3008

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
12⤵
PID:3316

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Java Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" /rl HIGHEST /f
13⤵
- Creates scheduled task(s)
PID:3140

C:\Windows\SysWOW64\SubDir\svchost.exe
"C:\Windows\SysWOW64\SubDir\svchost.exe"
13⤵
PID:4616

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
14⤵
PID:4432

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
15⤵
PID:2332

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
16⤵
PID:744

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 744 240625265
16⤵
PID:2364

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
17⤵
PID:4528

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
18⤵
PID:4868

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 4868 240629531
18⤵
PID:528

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
19⤵
PID:3888

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
20⤵
PID:2200

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 2200 240634781
20⤵
PID:4528

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
21⤵
PID:1296

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
22⤵
PID:4848

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 4848 240641250
22⤵
PID:4280

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
23⤵
PID:1488

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
24⤵
PID:5224

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 5224 240651421
24⤵
PID:5444

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
25⤵
PID:2540

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
26⤵
PID:6080

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 6080 240661453
26⤵
PID:5132

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
27⤵
PID:6124

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
28⤵
PID:5516

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 5516 240671078
28⤵
PID:4392

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
29⤵
PID:6688

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
30⤵
PID:7000

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 7000 240680421
30⤵
PID:5616

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
31⤵
PID:6176

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
32⤵
PID:6696

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 6696 240694062
32⤵
PID:5568

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
33⤵
PID:7048

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
34⤵
PID:4944

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Java Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" /rl HIGHEST /f
35⤵
- Creates scheduled task(s)
PID:1480

C:\Windows\SysWOW64\SubDir\svchost.exe
"C:\Windows\SysWOW64\SubDir\svchost.exe"
35⤵
PID:6612

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
36⤵
PID:5880

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
37⤵
PID:3248

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
38⤵
PID:4764

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Java Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" /rl HIGHEST /f
39⤵
- Creates scheduled task(s)
PID:2640

C:\Windows\SysWOW64\SubDir\svchost.exe
"C:\Windows\SysWOW64\SubDir\svchost.exe"
39⤵
PID:7656

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
40⤵
PID:1056

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
41⤵
PID:6624

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
42⤵
PID:988

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 988 240754390
42⤵
PID:1516

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 4764 240730000
38⤵
PID:6892

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
39⤵
PID:2820

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
40⤵
PID:1620

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 1620 240754687
40⤵
PID:8092

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 4944 240706718
34⤵
PID:2140

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
35⤵
PID:6752

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
36⤵
PID:6768

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 6768 240728093
36⤵
PID:2812

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
37⤵
PID:5032

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
38⤵
PID:5332

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 5332 240744406
38⤵
PID:6536

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 3316 240620703
12⤵
PID:5056

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
13⤵
PID:4908

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
14⤵
PID:864

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 864 240624781
14⤵
PID:904

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
15⤵
PID:4248

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
16⤵
PID:2160

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 2160 240628828
16⤵
PID:1400

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
17⤵
PID:4680

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
18⤵
PID:2864

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 2864 240634875
18⤵
PID:3084

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
19⤵
PID:1584

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
20⤵
PID:1128

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 1128 240640984
20⤵
PID:4180

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
21⤵
PID:3684

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
22⤵
PID:3504

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 3504 240648750
22⤵
PID:3136

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
23⤵
PID:5908

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
24⤵
PID:5872

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 5872 240654250
24⤵
PID:5492

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
25⤵
PID:5716

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
26⤵
PID:5216

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 5216 240660015
26⤵
PID:1496

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
27⤵
PID:5900

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
28⤵
PID:6088

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 6088 240670859
28⤵
PID:5588

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
29⤵
PID:2740

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
30⤵
PID:6076

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 6076 240681187
30⤵
PID:6292

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
31⤵
PID:408

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
32⤵
PID:5296

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Java Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" /rl HIGHEST /f
33⤵
- Creates scheduled task(s)
PID:1792

C:\Windows\SysWOW64\SubDir\svchost.exe
"C:\Windows\SysWOW64\SubDir\svchost.exe"
33⤵
PID:7128

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
34⤵
PID:4924

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
35⤵
PID:5472

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
36⤵
PID:7052

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 7052 240710937
36⤵
PID:5012

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
37⤵
PID:7164

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
38⤵
PID:6052

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 6052 240728703
38⤵
PID:2144

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
39⤵
PID:7880

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
40⤵
PID:3964

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 3964 240747406
40⤵
PID:6828

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 5296 240693250
32⤵
PID:4940

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
33⤵
PID:6488

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
34⤵
PID:636

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 636 240710843
34⤵
PID:7048

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
35⤵
PID:3484

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
36⤵
PID:6116

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 6116 240728562
36⤵
PID:3696

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
37⤵
PID:8132

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
38⤵
PID:5828

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" 2 5828 240748140
38⤵
PID:6664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\svchost.exe.log

Filesize
1KB

MD5
10eab9c2684febb5327b6976f2047587

SHA1
a12ed54146a7f5c4c580416aecb899549712449e

SHA256
f49dbd55029bfbc15134f7c6a4f967d6c39142c63f2e8f1f8c78fab108a2c928

SHA512
7e5fd90fffae723bd0c662a90e0730b507805f072771ee673d1d8c262dbf60c8a03ba5fe088f699a97c2e886380de158b2ccd59ee62e3d012dd6dd14ea9d0e50

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java Update.vbs

Filesize
117B

MD5
1e1210e1f4ddf6ef0c8fba38d42fc47d

SHA1
277b28ec9205781e0bb7b83eebebd3a6020d4885

SHA256
be103c639055c00b2f4affc5924292dc638828c496d9dafb171544608dad5944

SHA512
40acb3964bf40743e8ed1175686389197cbde90ae707669c257683bd7d553db8bb43e300b8ac79c238929ff6c015d79c10316064ad211e00d2deb7127625810e

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe

Filesize
740KB

MD5
bf7fe4334d0b4363d70bd997460588a3

SHA1
dcba20338c5dbde13a8189f0d154e3d650cca99c

SHA256
bbf62b7d87429bb832abb5c8f37635c05be6724eaab9afd13a7780595919f3a2

SHA512
be3739a91180dfc1c391045fe2f9a27be3303f6a8c042cee8af7c0bca73483768c33dd806a464a7fdee1b4203135b1fde132a3edc86bd3122ba83f4b993ac4fa

Download Submit
memory/64-207-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/116-464-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/116-581-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/232-205-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/536-74-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/536-72-0x0000000000E20000-0x0000000000E82000-memory.dmp

Filesize
392KB

Download
memory/536-96-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/660-172-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/744-719-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/852-109-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/864-652-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/864-512-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/896-1137-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/1004-622-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/1004-771-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/1044-1042-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/1048-787-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/1048-845-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/1048-559-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/1368-425-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/1368-275-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/1612-328-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/1728-895-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/1728-1184-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/1784-35-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/1784-24-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/1864-130-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/1972-1041-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/2104-1183-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/2160-931-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/2160-923-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/2180-116-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2200-940-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/2288-1089-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/2320-726-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/2320-486-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/2656-1160-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/2656-924-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/2668-75-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2684-128-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2808-1-0x000000000045B000-0x0000000000465000-memory.dmp

Filesize
40KB

Download
memory/2808-0-0x0000000002400000-0x0000000002401000-memory.dmp

Filesize
4KB

Download
memory/2808-2-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2840-1098-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/2840-883-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/2864-1189-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/2864-956-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/2988-1156-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/3008-197-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/3032-177-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/3088-891-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/3188-1090-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/3316-494-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/3484-107-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/3532-11-0x0000000002800000-0x0000000002801000-memory.dmp

Filesize
4KB

Download
memory/3532-13-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/3616-301-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/3616-357-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/3652-644-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/3652-535-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/3672-823-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/3672-989-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/3728-1100-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/3728-772-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/3748-4-0x0000000000CD0000-0x0000000000CD1000-memory.dmp

Filesize
4KB

Download
memory/3816-256-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/3816-158-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/3932-788-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/3932-977-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/4040-400-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/4040-573-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/4080-235-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/4080-1138-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/4248-1166-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/4248-862-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/4344-599-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/4344-755-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/4360-306-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/4368-103-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/4368-94-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/4476-614-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/4476-748-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/4496-684-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/4496-887-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/4504-22-0x0000000000E20000-0x0000000000E82000-memory.dmp

Filesize
392KB

Download
memory/4504-23-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/4504-39-0x0000000006180000-0x0000000006192000-memory.dmp

Filesize
72KB

Download
memory/4504-40-0x00000000066C0000-0x00000000066FC000-memory.dmp

Filesize
240KB

Download
memory/4504-48-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/4504-12-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/4504-21-0x0000000000E20000-0x0000000000E82000-memory.dmp

Filesize
392KB

Download
memory/4504-36-0x0000000005170000-0x0000000005714000-memory.dmp

Filesize
5.6MB

Download
memory/4504-38-0x0000000005AA0000-0x0000000005B06000-memory.dmp

Filesize
408KB

Download
memory/4504-37-0x0000000005A00000-0x0000000005A92000-memory.dmp

Filesize
584KB

Download
memory/4504-18-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/4504-20-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/4504-19-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/4528-95-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/4596-146-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/4596-175-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/4608-668-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/4608-972-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/4796-979-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/4796-838-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/4832-401-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/4832-491-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/4860-537-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/4868-933-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/4880-50-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/4900-349-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/4900-466-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/4908-1058-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/4924-214-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/4960-990-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/4976-442-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/4976-639-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/5088-115-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/5088-204-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/5108-359-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/5108-196-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download