remcos | fb67541dcd9e7b88464ad7484f62fae23db0021a07bd0aa0c18aec110af4a5dd

Analysis

max time kernel
117s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06/09/2024, 09:39

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

1a407d7c11c58235d559b6f378363840N.exe
Size

1.9MB
MD5

1a407d7c11c58235d559b6f378363840
SHA1

0b3dc1ec4d896473aae4670310d03c62da9aebd2
SHA256

fb67541dcd9e7b88464ad7484f62fae23db0021a07bd0aa0c18aec110af4a5dd
SHA512

65b0183a03d88f53d0b9151503ca59e7f841b9504cf586efe84591e3e750374b5ad1ac7d590e620841e134e7717da24ec263df904f5ac3d48bca4039ff663fe7
SSDEEP

49152:Hh+ZkldoPK1XalKCc9nueh+ZkldoPK1XalKCc9nui:w2cPK1ab32cPK1abi

Score

10^/10

remcos host discovery persistence rat

Malware Config

Extracted

Family

remcos

Version

1.7 Pro

Botnet

Host

213.208.129.213:137

Attributes

audio_folder
audio
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
5
copy_file
srvs.exe
copy_folder
WindowsApp
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
true
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
WindowsApp
keylog_path
%AppData%
mouse_option
false
mutex
remcos_jpetmoenqu
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screens
screenshot_path
%AppData%
screenshot_time
1
startup_value
srvs
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Checks computer location settings 2 TTPs 12 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	1a407d7c11c58235d559b6f378363840N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	1a407d7c11c58235d559b6f378363840N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	1a407d7c11c58235d559b6f378363840N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	1a407d7c11c58235d559b6f378363840N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	1a407d7c11c58235d559b6f378363840N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	1a407d7c11c58235d559b6f378363840N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	1a407d7c11c58235d559b6f378363840N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	1a407d7c11c58235d559b6f378363840N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	1a407d7c11c58235d559b6f378363840N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	1a407d7c11c58235d559b6f378363840N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	1a407d7c11c58235d559b6f378363840N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	1a407d7c11c58235d559b6f378363840N.exe

Drops startup file 13 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RmClient.url	srvs.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RmClient.url	srvs.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RmClient.url	1a407d7c11c58235d559b6f378363840N.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RmClient.url	srvs.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RmClient.url	srvs.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RmClient.url	srvs.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RmClient.url	srvs.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RmClient.url	srvs.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RmClient.url	srvs.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RmClient.url	srvs.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RmClient.url	srvs.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RmClient.url	srvs.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RmClient.url	srvs.exe

Executes dropped EXE 64 IoCs

pid	Process
4052	srvs.exe
4180	srvs.exe
4036	srvs.exe
2320	srvs.exe
4396	srvs.exe
2988	srvs.exe
4428	srvs.exe
760	srvs.exe
1296	srvs.exe
4216	srvs.exe
1320	srvs.exe
2680	srvs.exe
1956	srvs.exe
2332	srvs.exe
264	srvs.exe
3172	srvs.exe
2092	srvs.exe
3940	srvs.exe
2872	srvs.exe
936	srvs.exe
1748	srvs.exe
1164	srvs.exe
4360	srvs.exe
4516	srvs.exe
1912	srvs.exe
2412	srvs.exe
1680	srvs.exe
2360	srvs.exe
1860	srvs.exe
4068	srvs.exe
1616	srvs.exe
4876	srvs.exe
2116	srvs.exe
4888	srvs.exe
2020	srvs.exe
4420	srvs.exe
1660	srvs.exe
2152	srvs.exe
4000	srvs.exe
1256	srvs.exe
3752	srvs.exe
836	srvs.exe
808	srvs.exe
2472	srvs.exe
1536	srvs.exe
4440	srvs.exe
2352	srvs.exe
2456	srvs.exe
4208	srvs.exe
1552	srvs.exe
4496	srvs.exe
2492	srvs.exe
2920	srvs.exe
4412	srvs.exe
4464	srvs.exe
4256	srvs.exe
4268	srvs.exe
3068	srvs.exe
216	srvs.exe
1520	srvs.exe
448	srvs.exe
1900	srvs.exe
3552	srvs.exe
4400	srvs.exe

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\srvs = "\"C:\\Users\\Admin\\AppData\\Roaming\\WindowsApp\\srvs.exe\""	1a407d7c11c58235d559b6f378363840N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\srvs = "\"C:\\Users\\Admin\\AppData\\Roaming\\WindowsApp\\srvs.exe\""	1a407d7c11c58235d559b6f378363840N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\srvs = "\"C:\\Users\\Admin\\AppData\\Roaming\\WindowsApp\\srvs.exe\""	1a407d7c11c58235d559b6f378363840N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\srvs = "\"C:\\Users\\Admin\\AppData\\Roaming\\WindowsApp\\srvs.exe\""	1a407d7c11c58235d559b6f378363840N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\srvs = "\"C:\\Users\\Admin\\AppData\\Roaming\\WindowsApp\\srvs.exe\""	1a407d7c11c58235d559b6f378363840N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\srvs = "\"C:\\Users\\Admin\\AppData\\Roaming\\WindowsApp\\srvs.exe\""	1a407d7c11c58235d559b6f378363840N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\srvs = "\"C:\\Users\\Admin\\AppData\\Roaming\\WindowsApp\\srvs.exe\""	1a407d7c11c58235d559b6f378363840N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\srvs = "\"C:\\Users\\Admin\\AppData\\Roaming\\WindowsApp\\srvs.exe\""	1a407d7c11c58235d559b6f378363840N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\srvs = "\"C:\\Users\\Admin\\AppData\\Roaming\\WindowsApp\\srvs.exe\""	1a407d7c11c58235d559b6f378363840N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\srvs = "\"C:\\Users\\Admin\\AppData\\Roaming\\WindowsApp\\srvs.exe\""	1a407d7c11c58235d559b6f378363840N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\srvs = "\"C:\\Users\\Admin\\AppData\\Roaming\\WindowsApp\\srvs.exe\""	1a407d7c11c58235d559b6f378363840N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\srvs = "\"C:\\Users\\Admin\\AppData\\Roaming\\WindowsApp\\srvs.exe\""	1a407d7c11c58235d559b6f378363840N.exe

AutoIT Executable 5 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x0003000000022aa5-17.dat	autoit_exe
behavioral2/files/0x000700000002347b-19.dat	autoit_exe
behavioral2/files/0x0003000000022aa8-42.dat	autoit_exe
behavioral2/files/0x000b0000000233b7-45.dat	autoit_exe
behavioral2/files/0x000c0000000233b9-106.dat	autoit_exe

Suspicious use of SetThreadContext 12 IoCs

description	pid	Process	procid_target
PID 1408 set thread context of 3792	1408	1a407d7c11c58235d559b6f378363840N.exe	86
PID 1408 set thread context of 2372	1408	1a407d7c11c58235d559b6f378363840N.exe	104
PID 1408 set thread context of 2364	1408	1a407d7c11c58235d559b6f378363840N.exe	121
PID 1408 set thread context of 5072	1408	1a407d7c11c58235d559b6f378363840N.exe	145
PID 1408 set thread context of 4644	1408	1a407d7c11c58235d559b6f378363840N.exe	176
PID 1408 set thread context of 4244	1408	1a407d7c11c58235d559b6f378363840N.exe	211
PID 1408 set thread context of 2992	1408	1a407d7c11c58235d559b6f378363840N.exe	252
PID 1408 set thread context of 1104	1408	1a407d7c11c58235d559b6f378363840N.exe	299
PID 1408 set thread context of 5292	1408	1a407d7c11c58235d559b6f378363840N.exe	353
PID 1408 set thread context of 5976	1408	1a407d7c11c58235d559b6f378363840N.exe	412
PID 1408 set thread context of 6200	1408	1a407d7c11c58235d559b6f378363840N.exe	477
PID 1408 set thread context of 6924	1408	1a407d7c11c58235d559b6f378363840N.exe	548

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 49 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1a407d7c11c58235d559b6f378363840N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1a407d7c11c58235d559b6f378363840N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1a407d7c11c58235d559b6f378363840N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1a407d7c11c58235d559b6f378363840N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	srvs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	srvs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1a407d7c11c58235d559b6f378363840N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1a407d7c11c58235d559b6f378363840N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1a407d7c11c58235d559b6f378363840N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1a407d7c11c58235d559b6f378363840N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	srvs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	srvs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	srvs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1a407d7c11c58235d559b6f378363840N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	srvs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	srvs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1a407d7c11c58235d559b6f378363840N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	srvs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	srvs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	srvs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	srvs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1a407d7c11c58235d559b6f378363840N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	srvs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1a407d7c11c58235d559b6f378363840N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1a407d7c11c58235d559b6f378363840N.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 12 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
544	PING.EXE
3700	PING.EXE
2144	PING.EXE
5416	PING.EXE
6312	PING.EXE
2540	PING.EXE
1940	PING.EXE
3372	PING.EXE
6096	PING.EXE
7040	PING.EXE
1920	PING.EXE
4288	PING.EXE

Runs ping.exe 1 TTPs 12 IoCs

Remote System Discovery

T1018

pid	Process
2540	PING.EXE
1940	PING.EXE
3372	PING.EXE
2144	PING.EXE
6312	PING.EXE
1920	PING.EXE
544	PING.EXE
4288	PING.EXE
3700	PING.EXE
5416	PING.EXE
6096	PING.EXE
7040	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1408	1a407d7c11c58235d559b6f378363840N.exe
1408	1a407d7c11c58235d559b6f378363840N.exe
4052	srvs.exe
4052	srvs.exe
1408	1a407d7c11c58235d559b6f378363840N.exe
1408	1a407d7c11c58235d559b6f378363840N.exe
760	srvs.exe
760	srvs.exe
4052	srvs.exe
4052	srvs.exe
1408	1a407d7c11c58235d559b6f378363840N.exe
1408	1a407d7c11c58235d559b6f378363840N.exe
760	srvs.exe
1748	srvs.exe
1748	srvs.exe
760	srvs.exe
4052	srvs.exe
4052	srvs.exe
1408	1a407d7c11c58235d559b6f378363840N.exe
1408	1a407d7c11c58235d559b6f378363840N.exe
1748	srvs.exe
1748	srvs.exe
1256	srvs.exe
1256	srvs.exe
760	srvs.exe
760	srvs.exe
4052	srvs.exe
4052	srvs.exe
1408	1a407d7c11c58235d559b6f378363840N.exe
1408	1a407d7c11c58235d559b6f378363840N.exe
2028	srvs.exe
2028	srvs.exe
1748	srvs.exe
1748	srvs.exe
1256	srvs.exe
1256	srvs.exe
760	srvs.exe
760	srvs.exe
4052	srvs.exe
4052	srvs.exe
1408	1a407d7c11c58235d559b6f378363840N.exe
1408	1a407d7c11c58235d559b6f378363840N.exe
2028	srvs.exe
2028	srvs.exe
5080	srvs.exe
5080	srvs.exe
1748	srvs.exe
1748	srvs.exe
1256	srvs.exe
1256	srvs.exe
760	srvs.exe
760	srvs.exe
4052	srvs.exe
4052	srvs.exe
1408	1a407d7c11c58235d559b6f378363840N.exe
1408	1a407d7c11c58235d559b6f378363840N.exe
2028	srvs.exe
2028	srvs.exe
5080	srvs.exe
5080	srvs.exe
2348	srvs.exe
2348	srvs.exe
1748	srvs.exe
1256	srvs.exe

Suspicious use of FindShellTrayWindow 39 IoCs

pid	Process
1408	1a407d7c11c58235d559b6f378363840N.exe
1408	1a407d7c11c58235d559b6f378363840N.exe
1408	1a407d7c11c58235d559b6f378363840N.exe
4052	srvs.exe
4052	srvs.exe
4052	srvs.exe
760	srvs.exe
760	srvs.exe
760	srvs.exe
1748	srvs.exe
1748	srvs.exe
1748	srvs.exe
1256	srvs.exe
1256	srvs.exe
1256	srvs.exe
2028	srvs.exe
2028	srvs.exe
2028	srvs.exe
5080	srvs.exe
5080	srvs.exe
5080	srvs.exe
2348	srvs.exe
2348	srvs.exe
2348	srvs.exe
4596	srvs.exe
4596	srvs.exe
4596	srvs.exe
5444	srvs.exe
5444	srvs.exe
5444	srvs.exe
6124	srvs.exe
6124	srvs.exe
6124	srvs.exe
6340	srvs.exe
6340	srvs.exe
6340	srvs.exe
7072	srvs.exe
7072	srvs.exe
7072	srvs.exe

Suspicious use of SendNotifyMessage 39 IoCs

pid	Process
1408	1a407d7c11c58235d559b6f378363840N.exe
1408	1a407d7c11c58235d559b6f378363840N.exe
1408	1a407d7c11c58235d559b6f378363840N.exe
4052	srvs.exe
4052	srvs.exe
4052	srvs.exe
760	srvs.exe
760	srvs.exe
760	srvs.exe
1748	srvs.exe
1748	srvs.exe
1748	srvs.exe
1256	srvs.exe
1256	srvs.exe
1256	srvs.exe
2028	srvs.exe
2028	srvs.exe
2028	srvs.exe
5080	srvs.exe
5080	srvs.exe
5080	srvs.exe
2348	srvs.exe
2348	srvs.exe
2348	srvs.exe
4596	srvs.exe
4596	srvs.exe
4596	srvs.exe
5444	srvs.exe
5444	srvs.exe
5444	srvs.exe
6124	srvs.exe
6124	srvs.exe
6124	srvs.exe
6340	srvs.exe
6340	srvs.exe
6340	srvs.exe
7072	srvs.exe
7072	srvs.exe
7072	srvs.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1408 wrote to memory of 3792	1408	1a407d7c11c58235d559b6f378363840N.exe	86
PID 1408 wrote to memory of 3792	1408	1a407d7c11c58235d559b6f378363840N.exe	86
PID 1408 wrote to memory of 3792	1408	1a407d7c11c58235d559b6f378363840N.exe	86
PID 1408 wrote to memory of 3792	1408	1a407d7c11c58235d559b6f378363840N.exe	86
PID 1408 wrote to memory of 3792	1408	1a407d7c11c58235d559b6f378363840N.exe	86
PID 3792 wrote to memory of 3744	3792	1a407d7c11c58235d559b6f378363840N.exe	87
PID 3792 wrote to memory of 3744	3792	1a407d7c11c58235d559b6f378363840N.exe	87
PID 3792 wrote to memory of 3744	3792	1a407d7c11c58235d559b6f378363840N.exe	87
PID 3744 wrote to memory of 1920	3744	cmd.exe	89
PID 3744 wrote to memory of 1920	3744	cmd.exe	89
PID 3744 wrote to memory of 1920	3744	cmd.exe	89
PID 3744 wrote to memory of 4052	3744	cmd.exe	90
PID 3744 wrote to memory of 4052	3744	cmd.exe	90
PID 3744 wrote to memory of 4052	3744	cmd.exe	90
PID 4052 wrote to memory of 4180	4052	srvs.exe	93
PID 4052 wrote to memory of 4180	4052	srvs.exe	93
PID 4052 wrote to memory of 4180	4052	srvs.exe	93
PID 4052 wrote to memory of 4036	4052	srvs.exe	94
PID 4052 wrote to memory of 4036	4052	srvs.exe	94
PID 4052 wrote to memory of 4036	4052	srvs.exe	94
PID 4052 wrote to memory of 2320	4052	srvs.exe	95
PID 4052 wrote to memory of 2320	4052	srvs.exe	95
PID 4052 wrote to memory of 2320	4052	srvs.exe	95
PID 4052 wrote to memory of 4396	4052	srvs.exe	96
PID 4052 wrote to memory of 4396	4052	srvs.exe	96
PID 4052 wrote to memory of 4396	4052	srvs.exe	96
PID 4052 wrote to memory of 2988	4052	srvs.exe	97
PID 4052 wrote to memory of 2988	4052	srvs.exe	97
PID 4052 wrote to memory of 2988	4052	srvs.exe	97
PID 4052 wrote to memory of 4428	4052	srvs.exe	98
PID 4052 wrote to memory of 4428	4052	srvs.exe	98
PID 4052 wrote to memory of 4428	4052	srvs.exe	98
PID 1408 wrote to memory of 2372	1408	1a407d7c11c58235d559b6f378363840N.exe	104
PID 1408 wrote to memory of 2372	1408	1a407d7c11c58235d559b6f378363840N.exe	104
PID 1408 wrote to memory of 2372	1408	1a407d7c11c58235d559b6f378363840N.exe	104
PID 1408 wrote to memory of 2372	1408	1a407d7c11c58235d559b6f378363840N.exe	104
PID 1408 wrote to memory of 2372	1408	1a407d7c11c58235d559b6f378363840N.exe	104
PID 2372 wrote to memory of 3588	2372	1a407d7c11c58235d559b6f378363840N.exe	105
PID 2372 wrote to memory of 3588	2372	1a407d7c11c58235d559b6f378363840N.exe	105
PID 2372 wrote to memory of 3588	2372	1a407d7c11c58235d559b6f378363840N.exe	105
PID 3588 wrote to memory of 2540	3588	cmd.exe	107
PID 3588 wrote to memory of 2540	3588	cmd.exe	107
PID 3588 wrote to memory of 2540	3588	cmd.exe	107
PID 3588 wrote to memory of 760	3588	cmd.exe	108
PID 3588 wrote to memory of 760	3588	cmd.exe	108
PID 3588 wrote to memory of 760	3588	cmd.exe	108
PID 760 wrote to memory of 1296	760	srvs.exe	109
PID 760 wrote to memory of 1296	760	srvs.exe	109
PID 760 wrote to memory of 1296	760	srvs.exe	109
PID 760 wrote to memory of 1320	760	srvs.exe	110
PID 760 wrote to memory of 1320	760	srvs.exe	110
PID 760 wrote to memory of 1320	760	srvs.exe	110
PID 760 wrote to memory of 4216	760	srvs.exe	111
PID 760 wrote to memory of 4216	760	srvs.exe	111
PID 760 wrote to memory of 4216	760	srvs.exe	111
PID 760 wrote to memory of 2332	760	srvs.exe	112
PID 760 wrote to memory of 2332	760	srvs.exe	112
PID 760 wrote to memory of 2332	760	srvs.exe	112
PID 760 wrote to memory of 2680	760	srvs.exe	113
PID 760 wrote to memory of 2680	760	srvs.exe	113
PID 760 wrote to memory of 2680	760	srvs.exe	113
PID 760 wrote to memory of 1956	760	srvs.exe	114
PID 760 wrote to memory of 1956	760	srvs.exe	114
PID 760 wrote to memory of 1956	760	srvs.exe	114

C:\Users\Admin\AppData\Local\Temp\1a407d7c11c58235d559b6f378363840N.exe
"C:\Users\Admin\AppData\Local\Temp\1a407d7c11c58235d559b6f378363840N.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1408
- C:\Users\Admin\AppData\Local\Temp\1a407d7c11c58235d559b6f378363840N.exe
  "C:\Users\Admin\AppData\Local\Temp\1a407d7c11c58235d559b6f378363840N.exe"
  2⤵
  - Checks computer location settings
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3792
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3744
  - - C:\Windows\SysWOW64\PING.EXE
      PING 127.0.0.1 -n 2
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:1920
  - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
      "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
      4⤵
      Drops startup file
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:4052
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        Executes dropped EXE
        
        PID:4180
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        Executes dropped EXE
        
        PID:4036
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        Executes dropped EXE
        
        PID:2320
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        Executes dropped EXE
        
        PID:4396
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        Executes dropped EXE
        
        PID:2988
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        Executes dropped EXE
        
        PID:4428
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        Executes dropped EXE
        
        PID:264
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        Executes dropped EXE
        
        PID:3172
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        Executes dropped EXE
        
        PID:2092
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        Executes dropped EXE
        
        PID:3940
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        Executes dropped EXE
        
        PID:2872
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        Executes dropped EXE
        
        PID:936
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        Executes dropped EXE
        
        PID:4888
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        Executes dropped EXE
        
        PID:2020
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        Executes dropped EXE
        
        PID:4420
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        Executes dropped EXE
        
        PID:1660
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        Executes dropped EXE
        
        PID:2152
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        Executes dropped EXE
        
        PID:4000
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        Executes dropped EXE
        
        PID:216
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        Executes dropped EXE
        
        PID:1520
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        Executes dropped EXE
        
        PID:448
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        Executes dropped EXE
        
        PID:1900
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        Executes dropped EXE
        
        PID:3552
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        Executes dropped EXE
        
        PID:4400
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:2380
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:4984
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:4804
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:4500
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:3604
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:4752
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:2400
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:5104
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:4380
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:1512
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:4708
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:1684
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:2488
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:2592
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:4300
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:3748
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:1488
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:3700
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:5216
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:5224
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:5232
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:5240
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:5248
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:5256
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:5860
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:5868
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:5876
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:5884
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:5892
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:5900
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:6056
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:6140
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:4280
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:6148
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:6156
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:6164
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:6856
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:6864
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:6872
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:6880
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:6888
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:6896
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:7276
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:7284
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:7292
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:7300
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:7308
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:7316
- C:\Users\Admin\AppData\Local\Temp\1a407d7c11c58235d559b6f378363840N.exe
  "C:\Users\Admin\AppData\Local\Temp\1a407d7c11c58235d559b6f378363840N.exe"
  2⤵
  - Checks computer location settings
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2372
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3588
  - - C:\Windows\SysWOW64\PING.EXE
      PING 127.0.0.1 -n 2
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2540
  - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
      "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
      4⤵
      Drops startup file
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:760
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        Executes dropped EXE
        
        PID:1296
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        Executes dropped EXE
        
        PID:1320
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        Executes dropped EXE
        
        PID:4216
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        Executes dropped EXE
        
        PID:2332
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        Executes dropped EXE
        
        PID:2680
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        Executes dropped EXE
        
        PID:1956
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        Executes dropped EXE
        
        PID:1164
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        Executes dropped EXE
        
        PID:4360
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        Executes dropped EXE
        
        PID:1912
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        Executes dropped EXE
        
        PID:1680
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        Executes dropped EXE
        
        PID:4068
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        Executes dropped EXE
        
        PID:4876
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        Executes dropped EXE
        
        PID:808
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        Executes dropped EXE
        
        PID:2472
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        Executes dropped EXE
        
        PID:2456
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        Executes dropped EXE
        
        PID:4256
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        Executes dropped EXE
        
        PID:4268
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        Executes dropped EXE
        
        PID:3068
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:2640
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:3536
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:1400
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:468
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:1924
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:2068
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:2660
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:1040
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:1432
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:2264
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:1328
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:4368
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:2984
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:4284
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:4860
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:5056
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:2260
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:3472
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:5164
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:5172
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:5180
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:5192
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:5200
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:5208
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:5812
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:5820
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:5828
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:5836
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:5844
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:5852
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:6116
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:6096
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:6092
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:6088
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:6048
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:6080
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:6808
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:6816
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:6824
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:6832
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:6840
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:6848
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:7228
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:7236
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:7244
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:7252
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:7260
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:7268
- C:\Users\Admin\AppData\Local\Temp\1a407d7c11c58235d559b6f378363840N.exe
  "C:\Users\Admin\AppData\Local\Temp\1a407d7c11c58235d559b6f378363840N.exe"
  2⤵
  - Checks computer location settings
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:2364
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3948
  - - C:\Windows\SysWOW64\PING.EXE
      PING 127.0.0.1 -n 2
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:1940
  - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
      "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
      4⤵
      Drops startup file
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:1748
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        Executes dropped EXE
        
        PID:4516
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        Executes dropped EXE
        
        PID:1860
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        Executes dropped EXE
        
        PID:2412
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        Executes dropped EXE
        
        PID:2360
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        Executes dropped EXE
        
        PID:1616
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        Executes dropped EXE
        
        PID:2116
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        Executes dropped EXE
        
        PID:3752
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        Executes dropped EXE
        
        PID:836
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        Executes dropped EXE
        
        PID:1536
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        Executes dropped EXE
        
        PID:4440
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        Executes dropped EXE
        
        PID:2352
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        Executes dropped EXE
        
        PID:4208
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:1788
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:3436
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:3248
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:3088
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:2156
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:428
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:2016
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:5040
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:3096
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:1888
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:5108
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:840
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:232
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:548
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:1056
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:3768
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:1456
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:2552
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:3720
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:3192
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:1280
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:4636
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:3696
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:5132
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:5716
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:5740
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:5756
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:5772
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:5788
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:5804
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:5988
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:6012
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:6028
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:6032
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:6068
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:6100
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:6760
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:6768
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:6776
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:6784
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:6792
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:6800
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:7180
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:7188
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:7196
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:7204
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:7212
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:7220
- C:\Users\Admin\AppData\Local\Temp\1a407d7c11c58235d559b6f378363840N.exe
  "C:\Users\Admin\AppData\Local\Temp\1a407d7c11c58235d559b6f378363840N.exe"
  2⤵
  - Checks computer location settings
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:5072
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5084
  - - C:\Windows\SysWOW64\PING.EXE
      PING 127.0.0.1 -n 2
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:544
  - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
      "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
      4⤵
      Drops startup file
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:1256
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        Executes dropped EXE
        
        PID:1552
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        Executes dropped EXE
        
        PID:4496
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        Executes dropped EXE
        
        PID:2492
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        Executes dropped EXE
        
        PID:2920
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        Executes dropped EXE
        
        PID:4412
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        Executes dropped EXE
        
        PID:4464
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:2140
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:4352
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:4896
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:4844
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:408
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:3156
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:3108
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:3884
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:2376
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:2012
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:4992
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:2608
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:2476
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:708
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:2908
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:1532
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:2420
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:336
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:3932
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:3788
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:5124
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:5140
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:5148
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:5156
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:5724
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:5732
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:5748
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:5764
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:5780
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:5796
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:5968
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:5996
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:6040
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:6008
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:2812
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:5972
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:6712
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:6720
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:6728
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:6736
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:6744
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:6752
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:7012
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:7016
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:7008
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:7112
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:7120
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:7172
- C:\Users\Admin\AppData\Local\Temp\1a407d7c11c58235d559b6f378363840N.exe
  "C:\Users\Admin\AppData\Local\Temp\1a407d7c11c58235d559b6f378363840N.exe"
  2⤵
  PID:4444
- C:\Users\Admin\AppData\Local\Temp\1a407d7c11c58235d559b6f378363840N.exe
  "C:\Users\Admin\AppData\Local\Temp\1a407d7c11c58235d559b6f378363840N.exe"
  2⤵
  - Checks computer location settings
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:4644
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:60
  - - C:\Windows\SysWOW64\PING.EXE
      PING 127.0.0.1 -n 2
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:4288
  - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
      "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
      4⤵
      Drops startup file
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:2028
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:4336
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:4188
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:1312
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:644
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:3704
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:3708
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:1656
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:916
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:4408
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:1668
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:4976
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:1968
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:4016
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:3724
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:3216
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:1212
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:3520
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:3180
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:2032
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:1628
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:4136
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:4776
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:2268
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:3376
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:5568
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:5576
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:5584
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:5592
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:5600
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:5608
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:5420
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:5436
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:5416
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:5412
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:5408
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:5364
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:6516
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:6524
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:6532
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:6540
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:6548
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:6556
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:6300
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:6288
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:6284
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:6336
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:6360
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:6368
- C:\Users\Admin\AppData\Local\Temp\1a407d7c11c58235d559b6f378363840N.exe
  "C:\Users\Admin\AppData\Local\Temp\1a407d7c11c58235d559b6f378363840N.exe"
  2⤵
  - Checks computer location settings
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:4244
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:432
  - - C:\Windows\SysWOW64\PING.EXE
      PING 127.0.0.1 -n 2
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:3372
  - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
      "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
      4⤵
      Drops startup file
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:5080
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:752
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:376
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:1540
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:3820
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:4964
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:1028
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:2108
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:732
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:3744
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:3540
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:4388
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:4072
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:1228
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:4884
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:3480
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:2884
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:1832
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:2340
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:5616
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:5624
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:5632
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:5640
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:5648
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:5656
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:5400
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:5372
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:5464
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:5440
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:2936
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:2448
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:6612
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:6620
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:6628
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:6636
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:6644
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:6652
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:6944
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:6960
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:6984
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:6976
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:6972
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:6968
- C:\Users\Admin\AppData\Local\Temp\1a407d7c11c58235d559b6f378363840N.exe
  "C:\Users\Admin\AppData\Local\Temp\1a407d7c11c58235d559b6f378363840N.exe"
  2⤵
  - Checks computer location settings
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:2992
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1404
  - - C:\Windows\SysWOW64\PING.EXE
      PING 127.0.0.1 -n 2
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:3700
  - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
      "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
      4⤵
      Drops startup file
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:2348
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:4028
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:3372
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:1036
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:544
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:432
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:4100
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:3160
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:3760
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:1596
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:5088
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:4204
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:3832
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:5668
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:5676
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:5684
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:5692
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:5700
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:5708
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:5908
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:5916
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:5932
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:5940
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:5944
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:1692
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:6660
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:6668
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:6676
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:6684
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:6692
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:6700
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:6952
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:7052
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:7056
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:7048
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:7036
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:7032
- C:\Users\Admin\AppData\Local\Temp\1a407d7c11c58235d559b6f378363840N.exe
  "C:\Users\Admin\AppData\Local\Temp\1a407d7c11c58235d559b6f378363840N.exe"
  2⤵
  - Checks computer location settings
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:1104
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3968
  - - C:\Windows\SysWOW64\PING.EXE
      PING 127.0.0.1 -n 2
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2144
  - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
      "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
      4⤵
      Drops startup file
      System Location Discovery: System Language Discovery
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:4596
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:888
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:2220
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:4524
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:2416
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:1696
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:4760
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:5472
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:5480
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:5488
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:5496
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:5504
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:5512
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:5276
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:5304
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:5300
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:5316
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:5332
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:1932
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:6420
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:6428
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:6436
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:6444
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:6452
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:6460
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:6216
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:6224
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:6240
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:6264
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:6248
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:6280
- C:\Users\Admin\AppData\Local\Temp\1a407d7c11c58235d559b6f378363840N.exe
  "C:\Users\Admin\AppData\Local\Temp\1a407d7c11c58235d559b6f378363840N.exe"
  2⤵
  PID:5284
- C:\Users\Admin\AppData\Local\Temp\1a407d7c11c58235d559b6f378363840N.exe
  "C:\Users\Admin\AppData\Local\Temp\1a407d7c11c58235d559b6f378363840N.exe"
  2⤵
  - Checks computer location settings
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:5292
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5364
  - - C:\Windows\SysWOW64\PING.EXE
      PING 127.0.0.1 -n 2
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:5416
  - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
      "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
      4⤵
      Drops startup file
      System Location Discovery: System Language Discovery
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:5444
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:5520
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:5528
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:5536
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:5544
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:5552
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:5560
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:5348
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:5324
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:5352
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:5384
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:5376
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:2180
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:6468
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:6476
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:6484
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:6492
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:6500
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:6508
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:6256
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:6196
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:6316
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:6332
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:6312
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:6308
- C:\Users\Admin\AppData\Local\Temp\1a407d7c11c58235d559b6f378363840N.exe
  "C:\Users\Admin\AppData\Local\Temp\1a407d7c11c58235d559b6f378363840N.exe"
  2⤵
  - Checks computer location settings
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:5976
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6048
  - - C:\Windows\SysWOW64\PING.EXE
      PING 127.0.0.1 -n 2
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:6096
  - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
      "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
      4⤵
      Drops startup file
      System Location Discovery: System Language Discovery
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:6124
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:4600
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:4868
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:2272
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:4236
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:5264
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:5268
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:6372
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:6380
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:6388
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:6396
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:6404
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:6412
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:6172
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:6176
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:6188
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:3272
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:1728
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:6208
- C:\Users\Admin\AppData\Local\Temp\1a407d7c11c58235d559b6f378363840N.exe
  "C:\Users\Admin\AppData\Local\Temp\1a407d7c11c58235d559b6f378363840N.exe"
  2⤵
  - Checks computer location settings
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:6200
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6268
  - - C:\Windows\SysWOW64\PING.EXE
      PING 127.0.0.1 -n 2
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:6312
  - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
      "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
      4⤵
      Drops startup file
      System Location Discovery: System Language Discovery
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:6340
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:6564
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:6572
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:6580
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:6588
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:6596
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:6604
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:412
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:6904
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:6912
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:6920
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:4612
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:6936
- C:\Users\Admin\AppData\Local\Temp\1a407d7c11c58235d559b6f378363840N.exe
  "C:\Users\Admin\AppData\Local\Temp\1a407d7c11c58235d559b6f378363840N.exe"
  2⤵
  - Checks computer location settings
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:6924
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6992
  - - C:\Windows\SysWOW64\PING.EXE
      PING 127.0.0.1 -n 2
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:7040
  - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
      "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
      4⤵
      Drops startup file
      System Location Discovery: System Language Discovery
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:7072
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:7124
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:7132
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:7140
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:7148
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:7156
    - - C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe"
        5⤵
        
        PID:7164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\install.bat

Filesize
101B

MD5
16561b6804bab596f1cee44c3b88aea7

SHA1
e8b3d827a38f17ad04309b1760259558e3722061

SHA256
e6f65c9e9b69042c7ac81b8249ca98ba081f71e9025d4e3d700e6f3cea820077

SHA512
24eaf7ec5964ce2afa96357ec8d03b655359cf2e4136f2009fee638d32d3e9763d0089dae4a4a9a6826cee8ad587719706e6a75bf1b8f63d3665b9be675a68a4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RmClient.url

Filesize
64B

MD5
8c2657c9b64e308e633a005cd276b6cf

SHA1
4c79763fe05c29f5ad3cfba820386b814fac2581

SHA256
749d7d16186b3d8b4d53abdc87a9cf2d6334ec9b5ee5e73e24e9db64937bb0b8

SHA512
1c36d996a65316aa979b73d4e9d93edba87ac5f12abf1441d33c2288a3df63f22ad53db81553e613b3447229da5f25e794843c52120c01d59c0d528a63748305

Download Submit
C:\Users\Admin\AppData\Roaming\WindowsApp\srvs.exe

Filesize
1.9MB

MD5
1a407d7c11c58235d559b6f378363840

SHA1
0b3dc1ec4d896473aae4670310d03c62da9aebd2

SHA256
fb67541dcd9e7b88464ad7484f62fae23db0021a07bd0aa0c18aec110af4a5dd

SHA512
65b0183a03d88f53d0b9151503ca59e7f841b9504cf586efe84591e3e750374b5ad1ac7d590e620841e134e7717da24ec263df904f5ac3d48bca4039ff663fe7

Download Submit
C:\Users\Admin\MdRes\RmClient.vbs

Filesize
103B

MD5
7a10f112e597d6bc2317f41b888427bd

SHA1
5ced86ad8f9c50080a59f2425ddb39615622caf7

SHA256
2f48612a9514cda737b94c5786373ac3821a4ea94be793397db387eea3296b5e

SHA512
6dcb41ba5ebb101e7c891efae20ef8d5dd1d4828a567fa1d2fc26e13dbec00c7f817ec981cc077cfe247c4b5e8a75690809549e36bde48477450150d9eb6e2ed

Download Submit
C:\Users\Admin\MdRes\klist.exe

Filesize
1.9MB

MD5
457c318c9fc93fbe55d1f557e9c87672

SHA1
85debdd7d49cd36728cd3f43aa742d30d64eae75

SHA256
465eb9b750f149e5eb911667e639f84f13abf3bee688371fcdf9fe40242acc73

SHA512
d2bb8e9e7a72ad748759ec449e1dfd9731b76af9b1174f64db958eb2179e792bb3ecddc87b68fcc96be9eb27f15e4f033bbd2aae6aee4f873bc3e66d6b91f80a

Download Submit
C:\Users\Admin\MdRes\klist.exe

Filesize
1.9MB

MD5
1ff9b7f08e645b6fd7979789c777443d

SHA1
ea436e512bb564992a8fa067a6cfb38ff7252bd4

SHA256
57c0bfa0eda5afa7c94aa004d90597ec87560cba8ad1edb10517eb64e44fdf90

SHA512
dc78b4af8366a3df2e5c17c927c7b3b65537339ae60e1df49306cc0b26f2d33f836aeb954c8019f17cf6335cc479c5a834366b8139108204621c90b4a26a4ff7

Download Submit
C:\Users\Admin\MdRes\klist.exe

Filesize
1.9MB

MD5
f6dd0f850958258352663bed7f1eed73

SHA1
0b28259f24f312bb4420d34053d32869559a8b83

SHA256
170033e77ec989ed6189c3cb7a623698cc14e1ee1ce9e68fc0fdca24cf12500c

SHA512
7a486855f8e4bd21e5d21f01c94f82f799df04b7504ead0877d27cda789293d350a446129cb46f705fe9951e6a62da9e6d30da3c063d0ada2393939942b58804

Download Submit
C:\Users\Admin\MdRes\klist.exe

Filesize
1.9MB

MD5
d28daaf571e42581aeba13d5a6d228ab

SHA1
04866165c3d186f854e66f7128f1fd5c7d269b63

SHA256
e09c55a8c030500ad1e8379fa3a56f94f5118b8e3a59bd4d8eb9368678f94014

SHA512
6a0a672759417de517bc69df4984f3a6c5c19be806865a6b98133c749a4cc69cfea2317dd53955c91684f89d4b07b58256365258a20a7190f84f8084c215a0bd

Download Submit
memory/1408-3-0x00000000017E0000-0x00000000017E1000-memory.dmp

Filesize
4KB

Download
memory/2372-36-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3792-5-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3792-10-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download