13fb952a7c4f7f083ae56ea41a97ff932f1f379418602cf7cf13f7630ba9f024

Analysis

max time kernel
69s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
09/07/2024, 11:01

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

301b104944da99af683ea38172a89b35_JaffaCakes118.exe
Size

943KB
MD5

301b104944da99af683ea38172a89b35
SHA1

23a7f734ded4ef78693c0f303b642af35b31b6b0
SHA256

13fb952a7c4f7f083ae56ea41a97ff932f1f379418602cf7cf13f7630ba9f024
SHA512

78071fab52f379fa90962c89795446f8129bb24b6795641a41296be6af39e26ab016d3922f71dbf42d876e0966585fbd52a6701f8dc5e511fe3c7ad447f8d0c2
SSDEEP

24576:sZsphOBLNupNwQJpz+8h9IFZbmNrU4CtiE:9bColJpx9IFZSg5iE

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2753856825-3907105642-1818461144-1000\Control Panel\International\Geo\Nation	301b104944da99af683ea38172a89b35_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2753856825-3907105642-1818461144-1000\Control Panel\International\Geo\Nation	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
4552	explorer.exe
4140	taskhost.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\N:	WScript.exe
File opened (read-only)	\??\O:	WScript.exe
File opened (read-only)	\??\U:	WScript.exe
File opened (read-only)	\??\G:	WScript.exe
File opened (read-only)	\??\A:	WScript.exe
File opened (read-only)	\??\Q:	WScript.exe
File opened (read-only)	\??\R:	WScript.exe
File opened (read-only)	\??\J:	WScript.exe
File opened (read-only)	\??\W:	WScript.exe
File opened (read-only)	\??\N:	WScript.exe
File opened (read-only)	\??\H:	WScript.exe
File opened (read-only)	\??\D:	WScript.exe
File opened (read-only)	\??\M:	WScript.exe
File opened (read-only)	\??\X:	WScript.exe
File opened (read-only)	\??\B:	WScript.exe
File opened (read-only)	\??\O:	WScript.exe
File opened (read-only)	\??\S:	WScript.exe
File opened (read-only)	\??\S:	WScript.exe
File opened (read-only)	\??\T:	WScript.exe
File opened (read-only)	\??\N:	WScript.exe
File opened (read-only)	\??\D:	WScript.exe
File opened (read-only)	\??\M:	WScript.exe
File opened (read-only)	\??\Y:	WScript.exe
File opened (read-only)	\??\K:	WScript.exe
File opened (read-only)	\??\L:	WScript.exe
File opened (read-only)	\??\J:	WScript.exe
File opened (read-only)	\??\Q:	WScript.exe
File opened (read-only)	\??\A:	WScript.exe
File opened (read-only)	\??\Y:	WScript.exe
File opened (read-only)	\??\M:	WScript.exe
File opened (read-only)	\??\N:	WScript.exe
File opened (read-only)	\??\U:	WScript.exe
File opened (read-only)	\??\N:	WScript.exe
File opened (read-only)	\??\S:	WScript.exe
File opened (read-only)	\??\I:	WScript.exe
File opened (read-only)	\??\L:	WScript.exe
File opened (read-only)	\??\T:	WScript.exe
File opened (read-only)	\??\A:	WScript.exe
File opened (read-only)	\??\Y:	WScript.exe
File opened (read-only)	\??\T:	WScript.exe
File opened (read-only)	\??\H:	WScript.exe
File opened (read-only)	\??\W:	WScript.exe
File opened (read-only)	\??\X:	WScript.exe
File opened (read-only)	\??\M:	WScript.exe
File opened (read-only)	\??\I:	WScript.exe
File opened (read-only)	\??\W:	WScript.exe
File opened (read-only)	\??\T:	WScript.exe
File opened (read-only)	\??\Z:	WScript.exe
File opened (read-only)	\??\M:	WScript.exe
File opened (read-only)	\??\W:	WScript.exe
File opened (read-only)	\??\I:	WScript.exe
File opened (read-only)	\??\J:	WScript.exe
File opened (read-only)	\??\K:	WScript.exe
File opened (read-only)	\??\V:	WScript.exe
File opened (read-only)	\??\S:	WScript.exe
File opened (read-only)	\??\S:	WScript.exe
File opened (read-only)	\??\Q:	WScript.exe
File opened (read-only)	\??\Q:	WScript.exe
File opened (read-only)	\??\W:	WScript.exe
File opened (read-only)	\??\Z:	WScript.exe
File opened (read-only)	\??\D:	WScript.exe
File opened (read-only)	\??\N:	WScript.exe
File opened (read-only)	\??\I:	WScript.exe
File opened (read-only)	\??\I:	WScript.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs

pid	Process
4132	301b104944da99af683ea38172a89b35_JaffaCakes118.exe
4132	301b104944da99af683ea38172a89b35_JaffaCakes118.exe
4132	301b104944da99af683ea38172a89b35_JaffaCakes118.exe
4132	301b104944da99af683ea38172a89b35_JaffaCakes118.exe
4132	301b104944da99af683ea38172a89b35_JaffaCakes118.exe
4132	301b104944da99af683ea38172a89b35_JaffaCakes118.exe
4132	301b104944da99af683ea38172a89b35_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2753856825-3907105642-1818461144-1000_Classes\Local Settings	cmd.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1956	cmd.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4000	WScript.exe
Token: SeCreatePagefilePrivilege	4000	WScript.exe
Token: SeShutdownPrivilege	4540	WScript.exe
Token: SeCreatePagefilePrivilege	4540	WScript.exe
Token: 33	452	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	452	AUDIODG.EXE
Token: SeShutdownPrivilege	1476	WScript.exe
Token: SeCreatePagefilePrivilege	1476	WScript.exe
Token: SeShutdownPrivilege	4012	WScript.exe
Token: SeCreatePagefilePrivilege	4012	WScript.exe
Token: SeShutdownPrivilege	3744	WScript.exe
Token: SeCreatePagefilePrivilege	3744	WScript.exe
Token: SeShutdownPrivilege	1340	WScript.exe
Token: SeCreatePagefilePrivilege	1340	WScript.exe
Token: SeShutdownPrivilege	3052	WScript.exe
Token: SeCreatePagefilePrivilege	3052	WScript.exe
Token: SeShutdownPrivilege	2100	WScript.exe
Token: SeCreatePagefilePrivilege	2100	WScript.exe
Token: SeShutdownPrivilege	3672	WScript.exe
Token: SeCreatePagefilePrivilege	3672	WScript.exe
Token: SeShutdownPrivilege	428	WScript.exe
Token: SeCreatePagefilePrivilege	428	WScript.exe
Token: SeShutdownPrivilege	4432	WScript.exe
Token: SeCreatePagefilePrivilege	4432	WScript.exe
Token: SeShutdownPrivilege	4048	WScript.exe
Token: SeCreatePagefilePrivilege	4048	WScript.exe
Token: SeShutdownPrivilege	1752	WScript.exe
Token: SeCreatePagefilePrivilege	1752	WScript.exe
Token: SeShutdownPrivilege	1452	WScript.exe
Token: SeCreatePagefilePrivilege	1452	WScript.exe
Token: SeShutdownPrivilege	3624	WScript.exe
Token: SeCreatePagefilePrivilege	3624	WScript.exe
Token: SeShutdownPrivilege	1684	WScript.exe
Token: SeCreatePagefilePrivilege	1684	WScript.exe
Token: SeShutdownPrivilege	4056	WScript.exe
Token: SeCreatePagefilePrivilege	4056	WScript.exe
Token: SeShutdownPrivilege	444	WScript.exe
Token: SeCreatePagefilePrivilege	444	WScript.exe
Token: SeShutdownPrivilege	4304	WScript.exe
Token: SeCreatePagefilePrivilege	4304	WScript.exe
Token: SeShutdownPrivilege	4808	WScript.exe
Token: SeCreatePagefilePrivilege	4808	WScript.exe
Token: SeShutdownPrivilege	3172	WScript.exe
Token: SeCreatePagefilePrivilege	3172	WScript.exe
Token: SeShutdownPrivilege	1912	WScript.exe
Token: SeCreatePagefilePrivilege	1912	WScript.exe
Token: SeShutdownPrivilege	3492	WScript.exe
Token: SeCreatePagefilePrivilege	3492	WScript.exe
Token: SeShutdownPrivilege	4624	WScript.exe
Token: SeCreatePagefilePrivilege	4624	WScript.exe
Token: SeShutdownPrivilege	1532	WScript.exe
Token: SeCreatePagefilePrivilege	1532	WScript.exe
Token: SeShutdownPrivilege	852	WScript.exe
Token: SeCreatePagefilePrivilege	852	WScript.exe
Token: SeShutdownPrivilege	2292	WScript.exe
Token: SeCreatePagefilePrivilege	2292	WScript.exe
Token: SeShutdownPrivilege	2640	WScript.exe
Token: SeCreatePagefilePrivilege	2640	WScript.exe
Token: SeShutdownPrivilege	2972	WScript.exe
Token: SeCreatePagefilePrivilege	2972	WScript.exe
Token: SeShutdownPrivilege	2488	WScript.exe
Token: SeCreatePagefilePrivilege	2488	WScript.exe
Token: SeShutdownPrivilege	2460	WScript.exe
Token: SeCreatePagefilePrivilege	2460	WScript.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4132	301b104944da99af683ea38172a89b35_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4132 wrote to memory of 1956	4132	301b104944da99af683ea38172a89b35_JaffaCakes118.exe	84
PID 4132 wrote to memory of 1956	4132	301b104944da99af683ea38172a89b35_JaffaCakes118.exe	84
PID 4132 wrote to memory of 1956	4132	301b104944da99af683ea38172a89b35_JaffaCakes118.exe	84
PID 1956 wrote to memory of 4552	1956	cmd.exe	88
PID 1956 wrote to memory of 4552	1956	cmd.exe	88
PID 1956 wrote to memory of 4552	1956	cmd.exe	88
PID 1956 wrote to memory of 4540	1956	cmd.exe	89
PID 1956 wrote to memory of 4540	1956	cmd.exe	89
PID 1956 wrote to memory of 4540	1956	cmd.exe	89
PID 1956 wrote to memory of 4140	1956	cmd.exe	90
PID 1956 wrote to memory of 4140	1956	cmd.exe	90
PID 1956 wrote to memory of 4140	1956	cmd.exe	90
PID 1956 wrote to memory of 4000	1956	cmd.exe	91
PID 1956 wrote to memory of 4000	1956	cmd.exe	91
PID 1956 wrote to memory of 4000	1956	cmd.exe	91
PID 1956 wrote to memory of 1476	1956	cmd.exe	93
PID 1956 wrote to memory of 1476	1956	cmd.exe	93
PID 1956 wrote to memory of 1476	1956	cmd.exe	93
PID 1956 wrote to memory of 4012	1956	cmd.exe	94
PID 1956 wrote to memory of 4012	1956	cmd.exe	94
PID 1956 wrote to memory of 4012	1956	cmd.exe	94
PID 1956 wrote to memory of 3744	1956	cmd.exe	95
PID 1956 wrote to memory of 3744	1956	cmd.exe	95
PID 1956 wrote to memory of 3744	1956	cmd.exe	95
PID 1956 wrote to memory of 1340	1956	cmd.exe	96
PID 1956 wrote to memory of 1340	1956	cmd.exe	96
PID 1956 wrote to memory of 1340	1956	cmd.exe	96
PID 1956 wrote to memory of 3052	1956	cmd.exe	97
PID 1956 wrote to memory of 3052	1956	cmd.exe	97
PID 1956 wrote to memory of 3052	1956	cmd.exe	97
PID 1956 wrote to memory of 2100	1956	cmd.exe	98
PID 1956 wrote to memory of 2100	1956	cmd.exe	98
PID 1956 wrote to memory of 2100	1956	cmd.exe	98
PID 1956 wrote to memory of 3672	1956	cmd.exe	99
PID 1956 wrote to memory of 3672	1956	cmd.exe	99
PID 1956 wrote to memory of 3672	1956	cmd.exe	99
PID 1956 wrote to memory of 428	1956	cmd.exe	100
PID 1956 wrote to memory of 428	1956	cmd.exe	100
PID 1956 wrote to memory of 428	1956	cmd.exe	100
PID 1956 wrote to memory of 4432	1956	cmd.exe	101
PID 1956 wrote to memory of 4432	1956	cmd.exe	101
PID 1956 wrote to memory of 4432	1956	cmd.exe	101
PID 1956 wrote to memory of 4048	1956	cmd.exe	102
PID 1956 wrote to memory of 4048	1956	cmd.exe	102
PID 1956 wrote to memory of 4048	1956	cmd.exe	102
PID 1956 wrote to memory of 1752	1956	cmd.exe	103
PID 1956 wrote to memory of 1752	1956	cmd.exe	103
PID 1956 wrote to memory of 1752	1956	cmd.exe	103
PID 1956 wrote to memory of 1452	1956	cmd.exe	104
PID 1956 wrote to memory of 1452	1956	cmd.exe	104
PID 1956 wrote to memory of 1452	1956	cmd.exe	104
PID 1956 wrote to memory of 3624	1956	cmd.exe	105
PID 1956 wrote to memory of 3624	1956	cmd.exe	105
PID 1956 wrote to memory of 3624	1956	cmd.exe	105
PID 1956 wrote to memory of 1684	1956	cmd.exe	106
PID 1956 wrote to memory of 1684	1956	cmd.exe	106
PID 1956 wrote to memory of 1684	1956	cmd.exe	106
PID 1956 wrote to memory of 4056	1956	cmd.exe	107
PID 1956 wrote to memory of 4056	1956	cmd.exe	107
PID 1956 wrote to memory of 4056	1956	cmd.exe	107
PID 1956 wrote to memory of 444	1956	cmd.exe	108
PID 1956 wrote to memory of 444	1956	cmd.exe	108
PID 1956 wrote to memory of 444	1956	cmd.exe	108
PID 1956 wrote to memory of 4304	1956	cmd.exe	109

C:\Users\Admin\AppData\Local\Temp\301b104944da99af683ea38172a89b35_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\301b104944da99af683ea38172a89b35_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4132
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\winlogon.bat" "
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  PID:1956
- - C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\explorer.exe
    explorer.exe
    3⤵
    - Executes dropped EXE
    PID:4552
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4540
- - C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\taskhost.exe
    taskhost.exe
    3⤵
    - Executes dropped EXE
    PID:4140
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4000
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1476
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4012
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3744
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    PID:1340
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    PID:3052
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    PID:2100
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    PID:3672
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    PID:428
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4432
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4048
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1752
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    PID:1452
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3624
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1684
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4056
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:444
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4304
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4808
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3172
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1912
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    PID:3492
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4624
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1532
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:852
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    PID:2292
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    PID:2640
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2972
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2488
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2460
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:548
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    - Enumerates connected drives
    PID:460
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:4556
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    - Enumerates connected drives
    PID:1936
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:4924
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    - Enumerates connected drives
    PID:4012
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:3944
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:1072
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:3828
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:5040
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:4344
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    - Enumerates connected drives
    PID:4424
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:4544
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:1320
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    - Enumerates connected drives
    PID:4484
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:4084
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:4828
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:3892
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:2016
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:3084
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:444
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:3464
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:2740
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    - Enumerates connected drives
    PID:4576
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    - Enumerates connected drives
    PID:748
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    - Enumerates connected drives
    PID:1976
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:2100
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:3200
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:3460
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:2796
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:1932
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:2640
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:960
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:5016
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    - Enumerates connected drives
    PID:2460
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    - Enumerates connected drives
    PID:3676
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    - Enumerates connected drives
    PID:3168
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:5068
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    - Enumerates connected drives
    PID:4840
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:3304
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:3628
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    - Enumerates connected drives
    PID:5024
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    - Enumerates connected drives
    PID:4352
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:3608
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:3972
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    - Enumerates connected drives
    PID:3672
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:2080
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:3472
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:408
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:3260
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:2380
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:1360
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:2404
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    - Enumerates connected drives
    PID:1124
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:1476
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:3304
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:3380
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    - Enumerates connected drives
    PID:4880
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:3052
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:3556
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:1652
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:5000
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:1180
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:2308
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    - Enumerates connected drives
    PID:3136
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    - Enumerates connected drives
    PID:4660
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    - Enumerates connected drives
    PID:4816
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:3676
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:1756
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    - Enumerates connected drives
    PID:1580
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:208
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:2288
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:4676
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:3340
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    - Enumerates connected drives
    PID:3124
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    - Enumerates connected drives
    PID:2136
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    - Enumerates connected drives
    PID:4832
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:464
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:3580
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    - Enumerates connected drives
    PID:2796
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:3396
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:996
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:5016
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:4084
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:1520
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    - Enumerates connected drives
    PID:2408
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:5068
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    - Enumerates connected drives
    PID:2580
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:220
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:3628
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    - Enumerates connected drives
    PID:1852
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:3720
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    - Enumerates connected drives
    PID:2652
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:1876
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:4416
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:2092
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:1180
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:1896
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    - Enumerates connected drives
    PID:4560
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:4660
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    - Enumerates connected drives
    PID:4468
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:2460
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:884
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:4796
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    - Enumerates connected drives
    PID:2288
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:5024
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:3132
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:3524
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:2136
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:2632
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:1876
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    - Enumerates connected drives
    PID:4416
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:3552
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:528
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:552
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:2192
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:3492
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:5064
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:4688
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:3116
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:3596
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:1960
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:364
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:3912
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:5004
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:4052
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    - Enumerates connected drives
    PID:4960
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:3672
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:4656
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    - Enumerates connected drives
    PID:3932
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:792
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:3948
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:2104
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    - Enumerates connected drives
    PID:1368
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:4412
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:1520
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:4056
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:4964
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    - Enumerates connected drives
    PID:884
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    - Enumerates connected drives
    PID:3164
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:3944
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:1408
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:2440
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:4052
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    - Enumerates connected drives
    PID:4960
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    - Enumerates connected drives
    PID:3672
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    - Enumerates connected drives
    PID:4656
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:4972
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:1844
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    - Enumerates connected drives
    PID:4460
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:2196
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:4312
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:3492
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:3676
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:4564
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    - Enumerates connected drives
    PID:2712
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:4304
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    - Enumerates connected drives
    PID:4796
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    - Enumerates connected drives
    PID:4676
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:1912
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:1096
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:1828
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:4968
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:1392
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:2176
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:4416
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:2188
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:392
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:3500
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:4692
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:3180
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:5076
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:4900
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:460
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:4664
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:4840
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:1484
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:1500
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:3944
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:184
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:2440
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:2612
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:1836
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:3672
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:4928
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:4264
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:2648
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:5048
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:2196
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:3120
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:3492
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:812
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:2132
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:3112
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:4304
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:1960
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:1660
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:2220
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:2892
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:2324
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:2440
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:852
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:3708
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:960
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:2660
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:2188
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:2104
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:3864
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:2560
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:5064
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:4452
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:1412
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:2604
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:4952
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:112
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:3132
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:1452
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:8
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:3024
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:428
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:1392
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:2448
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:2444
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:4188
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:3948
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:4504
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:4368
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:4908
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:1360
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:4316
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:4480
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:812
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:5084
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:4964
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:4788
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:3172
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:3524
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:2220
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:3124
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:4696
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:4568
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:4868
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:3696
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:4584
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:2660
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:2608
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:3892
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:2192
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:3480
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:444
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:5068
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:3976
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:3264
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:2256
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:3428
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:3656
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:1328
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:1348
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:2644
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:4736
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:3896
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:3144
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:5012
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:528
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:2768
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:3060
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:1520
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:740
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:1840
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:444
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:2580
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:4412
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:4380
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:2064
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:1820
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:1452
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:2800
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:3188
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:3204
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:3712
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:4868
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:3696
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:4416
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:552
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:1932
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:4532
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:4908
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:3704
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:4480
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:5080
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:5084
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:3660
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:1072
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:4880
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:1328
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:1452
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:1828
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:1532
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:4624
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:2292
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:2308
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:1456
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:4432
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:528
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:2660
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:4368
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:3864
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:1056
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:5064
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:3216
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:4876
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:4412
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:1488
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:2160
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:3304
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:184
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:1184
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:2996
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:2440
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:3048
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:4568
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:3672
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:2736
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:3136
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:2528
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:508
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:4892
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:4532
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:4420
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:3676
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:4872
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:3984
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:4352
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:4512
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:112
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:704
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:3644
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:5112
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:5008
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:2892
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:2548
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:1772
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:2092
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:1416
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:5088
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:2188
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:3436
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:3500
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:4312
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:740
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:3364
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:3976
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:3344
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:4268
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:1364
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:1488
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:2228
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:4476
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:3940
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:4204
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:1984
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:4544
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:852
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:3048
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:4868
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:116
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:4484
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:528
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:3060
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:4368
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:4000
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:2540
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:5064
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:1936
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:4872
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:3984
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:3792
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:4168
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:2744
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:3024
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:4780
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:2496
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:428
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:4636
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:2020
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:4496
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:3696
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs"
    3⤵
    PID:2272

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4f4 0x154
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.DTD

Filesize
498B

MD5
90be2701c8112bebc6bd58a7de19846e

SHA1
a95be407036982392e2e684fb9ff6602ecad6f1e

SHA256
644fbcdc20086e16d57f31c5bad98be68d02b1c061938d2f5f91cbe88c871fbf

SHA512
d618b473b68b48d746c912ac5fc06c73b047bd35a44a6efc7a859fe1162d68015cf69da41a5db504dcbc4928e360c095b32a3b7792fcc6a38072e1ebd12e7cbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\explorer.exe

Filesize
44KB

MD5
32d6c84e4cf7d6d75e9520fbc51362ec

SHA1
befa47ad655a72566fed1e2ae704708e86f176aa

SHA256
ebf51dc2d3b358d0efa5a5170f3166babdbd5e670aa9ff200c63b242536a0703

SHA512
8594c1af5f15b6a437a73fe7c43b7add0fd53d81e987525138081e9324bd07034cdc0a2a36ed5159d351cf125d318643898972be854a3b6ab44f680b0e39da3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\svchost.vbs

Filesize
287B

MD5
d419521af600b354164574d757c1ff25

SHA1
fb10b46b9c309c40395a854c5f41035ff7e5c23f

SHA256
8890cf96d8f267b3d3da3e5b54b2472325891f92fc0ba5c3f418d13e80e2a4a1

SHA512
ddbce220d8a2f5eba1fbf8f5085242a94bc40b5295bb8052bebdc0fecd882d83c1f9e07d69c363bb0cc626b4a9666cf79d740e71e269116e84648fece0e1d24a

Download Submit
C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\taskhost.exe

Filesize
589KB

MD5
9c397bcac821c37851373300103eb7b8

SHA1
cae57a79d9675dd3e194cec7beb65e7b8df8337f

SHA256
146f90cd53bff23c4ab88bd9a20131f2f838d0cacfd4f7767563c13c5d725bd2

SHA512
5cd939a1b1b2354545b39743bac0f4e9e9a01e59a32c0d74d22028902c64cad11ea52140c5e0dff0cdb6d35f8861cc6d8237c1d639be157aaa64886e721d8100

Download Submit
C:\Users\Admin\AppData\Local\Temp\E3E8.tmp\winlogon.bat

Filesize
101B

MD5
f4a992c5c76b5fb8328033723bc94ee6

SHA1
6576870e22427853c12007a475265f259aeca52e

SHA256
54c2fa8169aaf37e8228bc8dd9258809ea6a7b7ef07f220e6752c51fae7632bd

SHA512
9a15a3c0bef84e2a8da03c5719aa890d3f32aabc1dc59b04907abeb86bd814fa9b5382d8637fc1888cbbc017d63e2570ff25e49ed831c01b001bb3626dbdac34

Download Submit
memory/4132-52-0x0000000000400000-0x000000000084D000-memory.dmp

Filesize
4.3MB

Download
memory/4132-49-0x0000000000400000-0x000000000084D000-memory.dmp

Filesize
4.3MB

Download
memory/4132-76-0x0000000000400000-0x000000000084D000-memory.dmp

Filesize
4.3MB

Download
memory/4132-73-0x0000000000400000-0x000000000084D000-memory.dmp

Filesize
4.3MB

Download
memory/4132-70-0x0000000000400000-0x000000000084D000-memory.dmp

Filesize
4.3MB

Download
memory/4132-67-0x0000000000400000-0x000000000084D000-memory.dmp

Filesize
4.3MB

Download
memory/4132-40-0x0000000000400000-0x000000000084D000-memory.dmp

Filesize
4.3MB

Download
memory/4132-43-0x0000000000400000-0x000000000084D000-memory.dmp

Filesize
4.3MB

Download
memory/4132-64-0x0000000000400000-0x000000000084D000-memory.dmp

Filesize
4.3MB

Download
memory/4132-61-0x0000000000400000-0x000000000084D000-memory.dmp

Filesize
4.3MB

Download
memory/4132-46-0x0000000000400000-0x000000000084D000-memory.dmp

Filesize
4.3MB

Download
memory/4132-37-0x0000000000400000-0x000000000084D000-memory.dmp

Filesize
4.3MB

Download
memory/4132-58-0x0000000000400000-0x000000000084D000-memory.dmp

Filesize
4.3MB

Download
memory/4132-55-0x0000000000400000-0x000000000084D000-memory.dmp

Filesize
4.3MB

Download
memory/4132-0-0x0000000000400000-0x000000000084D000-memory.dmp

Filesize
4.3MB

Download
memory/4140-48-0x0000000000400000-0x0000000000499000-memory.dmp

Filesize
612KB

Download
memory/4140-42-0x0000000000400000-0x0000000000499000-memory.dmp

Filesize
612KB

Download
memory/4140-78-0x0000000000400000-0x0000000000499000-memory.dmp

Filesize
612KB

Download
memory/4140-51-0x0000000000400000-0x0000000000499000-memory.dmp

Filesize
612KB

Download
memory/4140-75-0x0000000000400000-0x0000000000499000-memory.dmp

Filesize
612KB

Download
memory/4140-57-0x0000000000400000-0x0000000000499000-memory.dmp

Filesize
612KB

Download
memory/4140-39-0x0000000000400000-0x0000000000499000-memory.dmp

Filesize
612KB

Download
memory/4140-72-0x0000000000400000-0x0000000000499000-memory.dmp

Filesize
612KB

Download
memory/4140-54-0x0000000000400000-0x0000000000499000-memory.dmp

Filesize
612KB

Download
memory/4140-60-0x0000000000400000-0x0000000000499000-memory.dmp

Filesize
612KB

Download
memory/4140-69-0x0000000000400000-0x0000000000499000-memory.dmp

Filesize
612KB

Download
memory/4140-66-0x0000000000400000-0x0000000000499000-memory.dmp

Filesize
612KB

Download
memory/4140-63-0x0000000000400000-0x0000000000499000-memory.dmp

Filesize
612KB

Download
memory/4140-45-0x0000000000400000-0x0000000000499000-memory.dmp

Filesize
612KB

Download
memory/4552-71-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4552-38-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4552-41-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4552-68-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4552-44-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4552-47-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4552-56-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4552-65-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4552-62-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4552-50-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4552-74-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4552-77-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4552-59-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4552-53-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads