asyncrat | b3168e2d3722135e86a89e98cf1a4818ecc6ba49617ab918651b1fc73cc7aa2c

Analysis

max time kernel
5s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/09/2024, 17:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Numify v3-Cracked by SpArtOr.exe
Size

1.7MB
MD5

9367e0761d4373058b2393bfef4d6152
SHA1

9dafb96154407397032cc33e1bdc48386b382651
SHA256

b3168e2d3722135e86a89e98cf1a4818ecc6ba49617ab918651b1fc73cc7aa2c
SHA512

a356778004fa607ef38085fb56263bf018f8382e20eef0451f0029dd7bea0d81604e0b575696c89e27f4d6ca04c94a54d028d8979f59cd67caae64b08c4c5172
SSDEEP

12288:M4eMCTWwx/bV8vrzRVRR+4jVPv8SO13uo9RyAA2omknabab8pdHbaZ3VzCOG+40:MLZ8vrzRVRRFjJv8SO1KAA2omNDUGY

Score

10^/10

asyncrat neshta stormkitty default discovery persistence rat spyware stealer

Malware Config

Extracted

Family

asyncrat

Botnet

Default

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

https://api.telegram.org/bot7316545556:AAF208f6iXcWmgOCUF1bXhUor4UkYtN8few/sendMessage?chat_id=7386785734

https://api.telegram.org/bot7423164379:AAFflVsuq0BrKEG_Lh8KPIRPN6rHeW4a7oo/sendMessage?chat_id=7472532856

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Detect Neshta payload 64 IoCs

resource	yara_rule
behavioral1/files/0x0003000000012000-9.dat	family_neshta
behavioral1/files/0x00070000000173a7-23.dat	family_neshta
behavioral1/memory/276-88-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/984-127-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2720-195-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2272-194-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1264-193-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1048-211-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1980-249-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1320-248-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1816-220-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2952-219-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/760-222-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/892-278-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1292-186-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1148-146-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/588-168-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2764-151-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/540-150-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2792-294-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/576-98-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2588-97-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/files/0x0001000000010738-55.dat	family_neshta
behavioral1/files/0x001400000000f841-54.dat	family_neshta
behavioral1/memory/2584-302-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2044-314-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2820-303-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2580-299-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2100-342-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1940-341-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2180-359-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1500-343-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2036-383-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2364-398-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2560-416-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/884-407-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2916-417-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2708-434-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2868-428-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2580-427-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1580-460-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2172-459-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2120-490-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1944-489-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/444-507-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1952-508-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1500-487-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2756-530-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2988-536-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1764-514-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2792-481-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2616-539-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2568-538-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2924-537-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/3000-545-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1536-384-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2744-382-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1996-557-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/884-558-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1580-564-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1964-567-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/592-566-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/3060-578-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2780-603-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 6 IoCs

resource	yara_rule
behavioral1/files/0x0003000000012000-9.dat	family_stormkitty
behavioral1/files/0x0008000000017079-12.dat	family_stormkitty
behavioral1/files/0x000a000000017492-66.dat	family_stormkitty
behavioral1/memory/1728-185-0x0000000000960000-0x00000000009A0000-memory.dmp	family_stormkitty
behavioral1/memory/1132-169-0x0000000000140000-0x0000000000180000-memory.dmp	family_stormkitty
behavioral1/files/0x00070000000173a9-145.dat	family_stormkitty

Async RAT payload 2 IoCs

rat

resource	yara_rule
behavioral1/files/0x000a000000017492-66.dat	family_asyncrat
behavioral1/files/0x00070000000173a9-145.dat	family_asyncrat

Executes dropped EXE 64 IoCs

pid	Process
2796	SERVER BOT.EXE
2384	SERVER BOT.EXE
2572	svchost.com
2664	SERVER~1.EXE
2616	svchost.com
2568	svchost.com
576	svchost.com
276	svchost.com
2720	svchost.com
3024	SYSTEM.EXE
2588	SERVER~1.EXE
236	SERVER~1.EXE
984	svchost.com
2764	svchost.com
1148	svchost.com
2848	SERVER~1.EXE
540	SERVER~1.EXE
2492	SVCHOST.EXE
588	svchost.com
2272	svchost.com
2924	svchost.com
1132	SVCHOST.EXE
1292	svchost.com
1264	SERVER~1.EXE
2036	svchost.com
1728	SYSTEM.EXE
760	svchost.com
2952	svchost.com
2224	SERVER~1.EXE
1048	svchost.com
1536	svchost.com
1816	SERVER~1.EXE
688	SVCHOST.EXE
1980	svchost.com
1320	SERVER~1.EXE
3032	svchost.com
892	svchost.com
2816	SERVER~1.EXE
1588	SYSTEM.EXE
2744	svchost.com
2792	svchost.com
2700	SVCHOST.EXE
2820	svchost.com
2584	svchost.com
2756	svchost.com
2384	SERVER~1.EXE
2648	SYSTEM.EXE
2044	svchost.com
2580	SERVER~1.EXE
2292	SERVER~1.EXE
2060	svchost.com
984	SVCHOST.EXE
1484	svchost.com
324	SYSTEM.EXE
1936	svchost.com
712	svchost.com
2260	SVCHOST.EXE
2184	SYSTEM.EXE
2064	svchost.com
1500	svchost.com
1784	SVCHOST.EXE
2180	svchost.com
2072	svchost.com
2100	svchost.com

Loads dropped DLL 64 IoCs

pid	Process
2232	Numify v3-Cracked by SpArtOr.exe
2232	Numify v3-Cracked by SpArtOr.exe
2796	SERVER BOT.EXE
2796	SERVER BOT.EXE
2572	svchost.com
2572	svchost.com
2616	svchost.com
576	svchost.com
576	svchost.com
2720	svchost.com
2720	svchost.com
1148	svchost.com
1148	svchost.com
2764	svchost.com
2764	svchost.com
2568	svchost.com
2272	svchost.com
2924	svchost.com
2272	svchost.com
2036	svchost.com
760	svchost.com
760	svchost.com
2952	svchost.com
2952	svchost.com
1536	svchost.com
1980	svchost.com
1980	svchost.com
3032	svchost.com
892	svchost.com
892	svchost.com
2744	svchost.com
2792	svchost.com
2792	svchost.com
2796	SERVER BOT.EXE
2664	SERVER~1.EXE
2756	svchost.com
2584	svchost.com
2584	svchost.com
2044	svchost.com
2044	svchost.com
2060	svchost.com
1484	svchost.com
1936	svchost.com
712	svchost.com
2064	svchost.com
1500	svchost.com
1500	svchost.com
2072	svchost.com
2100	svchost.com
2100	svchost.com
2664	SERVER~1.EXE
2480	svchost.com
2364	svchost.com
2364	svchost.com
2696	svchost.com
2560	svchost.com
2560	svchost.com
2664	SERVER~1.EXE
2784	svchost.com
2816	svchost.com
2868	svchost.com
2868	svchost.com
2792	svchost.com
2792	svchost.com

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	SERVER BOT.EXE

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe	SERVER BOT.EXE
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE	SERVER BOT.EXE
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	SERVER BOT.EXE
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	SERVER~1.EXE
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE	SERVER BOT.EXE
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe	SERVER BOT.EXE
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE	SERVER BOT.EXE
File opened for modification	C:\PROGRA~2\WI54FB~1\wmplayer.exe	SERVER BOT.EXE
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	SERVER~1.EXE
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE	SERVER~1.EXE
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE	SERVER~1.EXE
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE	SERVER BOT.EXE
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE	SERVER~1.EXE
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE	SERVER BOT.EXE
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE	SERVER~1.EXE
File opened for modification	C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe	SERVER~1.EXE
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpshare.exe	SERVER BOT.EXE
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE	SERVER BOT.EXE
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE	SERVER BOT.EXE
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE	SERVER BOT.EXE
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE	SERVER BOT.EXE
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\OIS.EXE	SERVER BOT.EXE
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	SERVER~1.EXE
File opened for modification	C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe	SERVER BOT.EXE
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE	SERVER~1.EXE
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	SERVER BOT.EXE
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE	SERVER BOT.EXE
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE	SERVER BOT.EXE
File opened for modification	C:\PROGRA~2\WI54FB~1\setup_wm.exe	SERVER BOT.EXE
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe	SERVER BOT.EXE
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE	SERVER~1.EXE
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	SERVER BOT.EXE
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE	SERVER BOT.EXE
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpconfig.exe	SERVER~1.EXE
File opened for modification	C:\PROGRA~2\WI54FB~1\WMPDMC.exe	SERVER~1.EXE
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	SERVER BOT.EXE
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE	SERVER~1.EXE
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE	SERVER BOT.EXE
File opened for modification	C:\PROGRA~2\WINDOW~1\wab.exe	SERVER~1.EXE
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe	SERVER~1.EXE
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe	SERVER~1.EXE
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE	SERVER BOT.EXE
File opened for modification	C:\PROGRA~2\WINDOW~1\WinMail.exe	SERVER~1.EXE
File opened for modification	C:\PROGRA~2\WINDOW~4\ImagingDevices.exe	SERVER BOT.EXE
File opened for modification	C:\PROGRA~2\WI4223~1\sidebar.exe	SERVER~1.EXE
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE	SERVER BOT.EXE
File opened for modification	C:\PROGRA~2\WINDOW~1\wabmig.exe	SERVER~1.EXE
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	SERVER BOT.EXE
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE	SERVER~1.EXE
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE	SERVER BOT.EXE
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE	SERVER BOT.EXE
File opened for modification	C:\PROGRA~2\WINDOW~4\ImagingDevices.exe	SERVER~1.EXE
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	SERVER BOT.EXE
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	SERVER BOT.EXE
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE	SERVER~1.EXE
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe	SERVER BOT.EXE
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE	SERVER BOT.EXE
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\OIS.EXE	SERVER~1.EXE
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	SERVER BOT.EXE
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpconfig.exe	SERVER BOT.EXE
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE	SERVER~1.EXE
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE	SERVER~1.EXE
File opened for modification	C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	SERVER BOT.EXE
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	SERVER~1.EXE

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	SERVER~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	SERVER~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	SERVER~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	SERVER BOT.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	SERVER~1.EXE
File opened for modification	C:\Windows\directx.sys	SERVER~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	SERVER~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	SERVER~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	SERVER~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	SERVER~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	SERVER~1.EXE
File opened for modification	C:\Windows\svchost.com	SERVER~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	SERVER~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	SERVER~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
10960	4496	Process not Found	631

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SERVER~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVCHOST.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SYSTEM.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NUMIFY~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SERVER BOT.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NUMIFY~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SYSTEM.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SERVER~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NUMIFY V3-CRACKED BY SPARTOR.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SYSTEM.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SYSTEM.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVCHOST.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SYSTEM.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SERVER~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SYSTEM.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVCHOST.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVCHOST.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SYSTEM.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SERVER~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SERVER~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SERVER~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NUMIFY~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SERVER~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SERVER~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SERVER~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SERVER~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SERVER~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SERVER~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SERVER~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVCHOST.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SERVER~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SERVER~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SERVER~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SERVER~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SERVER~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SERVER~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVCHOST.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NUMIFY~1.EXE

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 30 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
10828	Process not Found
13468	Process not Found
12492	Process not Found
4428	Process not Found
13636	Process not Found
14000	Process not Found
7240	Process not Found
3980	Process not Found
13848	Process not Found
10732	Process not Found
8788	Process not Found
12104	Process not Found
5828	Process not Found
10424	Process not Found
12100	Process not Found
12876	Process not Found
13548	Process not Found
10852	Process not Found
12480	Process not Found
1496	Process not Found
11664	Process not Found
13380	Process not Found
14076	Process not Found
7740	Process not Found
12404	Process not Found
13236	Process not Found
11028	Process not Found
5556	Process not Found
13164	Process not Found
11348	Process not Found

Modifies registry class 1 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	SERVER BOT.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2232 wrote to memory of 2700	2232	Numify v3-Cracked by SpArtOr.exe	80
PID 2232 wrote to memory of 2700	2232	Numify v3-Cracked by SpArtOr.exe	80
PID 2232 wrote to memory of 2700	2232	Numify v3-Cracked by SpArtOr.exe	80
PID 2232 wrote to memory of 2700	2232	Numify v3-Cracked by SpArtOr.exe	80
PID 2232 wrote to memory of 2796	2232	Numify v3-Cracked by SpArtOr.exe	31
PID 2232 wrote to memory of 2796	2232	Numify v3-Cracked by SpArtOr.exe	31
PID 2232 wrote to memory of 2796	2232	Numify v3-Cracked by SpArtOr.exe	31
PID 2232 wrote to memory of 2796	2232	Numify v3-Cracked by SpArtOr.exe	31
PID 2700 wrote to memory of 2684	2700	NUMIFY V3-CRACKED BY SPARTOR.EXE	142
PID 2700 wrote to memory of 2684	2700	NUMIFY V3-CRACKED BY SPARTOR.EXE	142
PID 2700 wrote to memory of 2684	2700	NUMIFY V3-CRACKED BY SPARTOR.EXE	142
PID 2700 wrote to memory of 2684	2700	NUMIFY V3-CRACKED BY SPARTOR.EXE	142
PID 2796 wrote to memory of 2384	2796	SERVER BOT.EXE	81
PID 2796 wrote to memory of 2384	2796	SERVER BOT.EXE	81
PID 2796 wrote to memory of 2384	2796	SERVER BOT.EXE	81
PID 2796 wrote to memory of 2384	2796	SERVER BOT.EXE	81
PID 2700 wrote to memory of 2572	2700	NUMIFY V3-CRACKED BY SPARTOR.EXE	34
PID 2700 wrote to memory of 2572	2700	NUMIFY V3-CRACKED BY SPARTOR.EXE	34
PID 2700 wrote to memory of 2572	2700	NUMIFY V3-CRACKED BY SPARTOR.EXE	34
PID 2700 wrote to memory of 2572	2700	NUMIFY V3-CRACKED BY SPARTOR.EXE	34
PID 2572 wrote to memory of 2664	2572	svchost.com	35
PID 2572 wrote to memory of 2664	2572	svchost.com	35
PID 2572 wrote to memory of 2664	2572	svchost.com	35
PID 2572 wrote to memory of 2664	2572	svchost.com	35
PID 2384 wrote to memory of 2568	2384	SERVER BOT.EXE	36
PID 2384 wrote to memory of 2568	2384	SERVER BOT.EXE	36
PID 2384 wrote to memory of 2568	2384	SERVER BOT.EXE	36
PID 2384 wrote to memory of 2568	2384	SERVER BOT.EXE	36
PID 2384 wrote to memory of 2616	2384	SERVER BOT.EXE	37
PID 2384 wrote to memory of 2616	2384	SERVER BOT.EXE	37
PID 2384 wrote to memory of 2616	2384	SERVER BOT.EXE	37
PID 2384 wrote to memory of 2616	2384	SERVER BOT.EXE	37
PID 2684 wrote to memory of 276	2684	NUMIFY V3-CRACKED BY SPARTOR.EXE	39
PID 2684 wrote to memory of 276	2684	NUMIFY V3-CRACKED BY SPARTOR.EXE	39
PID 2684 wrote to memory of 276	2684	NUMIFY V3-CRACKED BY SPARTOR.EXE	39
PID 2684 wrote to memory of 276	2684	NUMIFY V3-CRACKED BY SPARTOR.EXE	39
PID 2684 wrote to memory of 576	2684	NUMIFY V3-CRACKED BY SPARTOR.EXE	40
PID 2684 wrote to memory of 576	2684	NUMIFY V3-CRACKED BY SPARTOR.EXE	40
PID 2684 wrote to memory of 576	2684	NUMIFY V3-CRACKED BY SPARTOR.EXE	40
PID 2684 wrote to memory of 576	2684	NUMIFY V3-CRACKED BY SPARTOR.EXE	40
PID 2664 wrote to memory of 2720	2664	SERVER~1.EXE	38
PID 2664 wrote to memory of 2720	2664	SERVER~1.EXE	38
PID 2664 wrote to memory of 2720	2664	SERVER~1.EXE	38
PID 2664 wrote to memory of 2720	2664	SERVER~1.EXE	38
PID 576 wrote to memory of 2588	576	svchost.com	42
PID 576 wrote to memory of 2588	576	svchost.com	42
PID 576 wrote to memory of 2588	576	svchost.com	42
PID 576 wrote to memory of 2588	576	svchost.com	42
PID 2616 wrote to memory of 3024	2616	svchost.com	41
PID 2616 wrote to memory of 3024	2616	svchost.com	41
PID 2616 wrote to memory of 3024	2616	svchost.com	41
PID 2616 wrote to memory of 3024	2616	svchost.com	41
PID 276 wrote to memory of 2356	276	svchost.com	186
PID 276 wrote to memory of 2356	276	svchost.com	186
PID 276 wrote to memory of 2356	276	svchost.com	186
PID 276 wrote to memory of 2356	276	svchost.com	186
PID 2720 wrote to memory of 236	2720	svchost.com	168
PID 2720 wrote to memory of 236	2720	svchost.com	168
PID 2720 wrote to memory of 236	2720	svchost.com	168
PID 2720 wrote to memory of 236	2720	svchost.com	168
PID 2356 wrote to memory of 984	2356	NUMIFY~1.EXE	45
PID 2356 wrote to memory of 984	2356	NUMIFY~1.EXE	45
PID 2356 wrote to memory of 984	2356	NUMIFY~1.EXE	45
PID 2356 wrote to memory of 984	2356	NUMIFY~1.EXE	45

C:\Users\Admin\AppData\Local\Temp\Numify v3-Cracked by SpArtOr.exe
"C:\Users\Admin\AppData\Local\Temp\Numify v3-Cracked by SpArtOr.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2232
- C:\Users\Admin\AppData\Local\Temp\NUMIFY V3-CRACKED BY SPARTOR.EXE
  "C:\Users\Admin\AppData\Local\Temp\NUMIFY V3-CRACKED BY SPARTOR.EXE"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2700
- - C:\Users\Admin\AppData\Local\Temp\NUMIFY V3-CRACKED BY SPARTOR.EXE
    "C:\Users\Admin\AppData\Local\Temp\NUMIFY V3-CRACKED BY SPARTOR.EXE"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2684
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:276
    - - C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2356
      - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        6⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:984
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1304
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        8⤵
        Executes dropped EXE
        
        PID:588
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2188
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        10⤵
        Executes dropped EXE
        
        PID:1292
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        11⤵
        
        PID:1972
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        12⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1048
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        13⤵
        
        PID:272
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        14⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2820
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        15⤵
        
        PID:2624
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        16⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2180
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        17⤵
        
        PID:2352
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        18⤵
        
        PID:884
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        19⤵
        System Location Discovery: System Language Discovery
        
        PID:1996
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        20⤵
        Drops file in Windows directory
        
        PID:2708
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        21⤵
        
        PID:896
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        22⤵
        
        PID:1580
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        23⤵
        
        PID:908
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        24⤵
        
        PID:1500
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        25⤵
        
        PID:956
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        26⤵
        Drops file in Windows directory
        
        PID:2988
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        27⤵
        
        PID:2320
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        28⤵
        
        PID:1580
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        29⤵
        
        PID:2668
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        30⤵
        
        PID:892
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        31⤵
        
        PID:2956
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        32⤵
        
        PID:2396
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        33⤵
        
        PID:2860
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        34⤵
        System Location Discovery: System Language Discovery
        
        PID:884
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        35⤵
        
        PID:2004
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        36⤵
        
        PID:1816
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        37⤵
        
        PID:3096
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        38⤵
        
        PID:3548
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        39⤵
        
        PID:3580
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        40⤵
        Drops file in Windows directory
        
        PID:3752
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        41⤵
        
        PID:3812
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        42⤵
        
        PID:4008
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        43⤵
        System Location Discovery: System Language Discovery
        
        PID:4056
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        44⤵
        
        PID:3192
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        45⤵
        
        PID:3364
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        46⤵
        
        PID:3132
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        47⤵
        
        PID:3836
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        48⤵
        
        PID:3956
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        49⤵
        
        PID:2396
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        50⤵
        Drops file in Windows directory
        
        PID:4000
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        51⤵
        
        PID:3188
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        52⤵
        
        PID:3728
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        53⤵
        
        PID:3084
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        54⤵
        
        PID:3276
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        55⤵
        
        PID:4084
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        56⤵
        
        PID:3996
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        57⤵
        
        PID:3660
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        58⤵
        
        PID:4084
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        59⤵
        
        PID:3472
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        60⤵
        
        PID:3188
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        61⤵
        
        PID:3636
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        62⤵
        
        PID:4128
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        63⤵
        
        PID:4188
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        64⤵
        
        PID:4596
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        65⤵
        
        PID:4728
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        66⤵
        
        PID:4932
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        67⤵
        
        PID:4980
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        68⤵
        
        PID:3560
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        69⤵
        
        PID:4900
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        70⤵
        
        PID:4268
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        71⤵
        
        PID:4944
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        72⤵
        
        PID:3636
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        73⤵
        
        PID:2008
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        74⤵
        
        PID:4692
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        75⤵
        
        PID:4724
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        76⤵
        
        PID:280
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        77⤵
        
        PID:5664
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        78⤵
        
        PID:5748
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        79⤵
        
        PID:5884
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        80⤵
        
        PID:6056
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        81⤵
        
        PID:5220
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        82⤵
        
        PID:4028
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        83⤵
        
        PID:3244
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        84⤵
        
        PID:5696
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        85⤵
        
        PID:5096
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        86⤵
        
        PID:3656
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        87⤵
        
        PID:5220
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        88⤵
        
        PID:5296
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        89⤵
        
        PID:3544
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        90⤵
        
        PID:4348
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        91⤵
        
        PID:6096
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        92⤵
        
        PID:4544
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        93⤵
        
        PID:4496
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        94⤵
        
        PID:3256
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        95⤵
        
        PID:6108
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        96⤵
        
        PID:5644
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        97⤵
        
        PID:5168
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        98⤵
        
        PID:6304
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        99⤵
        
        PID:6404
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        100⤵
        
        PID:6604
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        101⤵
        
        PID:6640
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        102⤵
        
        PID:6880
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        103⤵
        
        PID:6924
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        104⤵
        
        PID:6136
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        105⤵
        
        PID:6208
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        106⤵
        
        PID:5168
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        107⤵
        
        PID:6432
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        108⤵
        
        PID:6472
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        109⤵
        
        PID:6428
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        110⤵
        
        PID:6704
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        111⤵
        
        PID:6640
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        112⤵
        
        PID:6016
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        113⤵
        
        PID:6496
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        114⤵
        
        PID:6164
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        115⤵
        
        PID:6544
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        116⤵
        
        PID:6588
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        117⤵
        
        PID:5996
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        118⤵
        
        PID:6352
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        119⤵
        
        PID:6388
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        120⤵
        
        PID:7116
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        121⤵
        
        PID:6344
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        122⤵
        
        PID:6220
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        123⤵
        
        PID:6984
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        124⤵
        
        PID:6484
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        125⤵
        
        PID:7176
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        126⤵
        
        PID:7380
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        127⤵
        
        PID:7428
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        128⤵
        
        PID:7616
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        129⤵
        
        PID:7764
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        130⤵
        
        PID:7900
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        131⤵
        
        PID:8024
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        132⤵
        
        PID:6444
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        133⤵
        
        PID:7752
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        134⤵
        
        PID:8016
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        135⤵
        
        PID:4996
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        136⤵
        
        PID:5108
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        137⤵
        
        PID:7848
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        138⤵
        
        PID:8024
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        139⤵
        
        PID:5920
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        140⤵
        
        PID:4752
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        141⤵
        
        PID:5524
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        142⤵
        
        PID:8244
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        143⤵
        
        PID:8340
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        144⤵
        
        PID:8424
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        145⤵
        
        PID:8456
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        146⤵
        
        PID:8528
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        147⤵
        
        PID:8624
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        148⤵
        
        PID:8768
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        149⤵
        
        PID:9020
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        150⤵
        
        PID:3888
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        151⤵
        
        PID:4800
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        152⤵
        
        PID:3648
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        153⤵
        
        PID:8520
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        154⤵
        
        PID:8700
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        155⤵
        
        PID:8824
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        156⤵
        
        PID:8400
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        157⤵
        
        PID:8492
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        158⤵
        
        PID:8424
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        159⤵
        
        PID:8256
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        160⤵
        
        PID:8500
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        161⤵
        
        PID:9100
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        162⤵
        
        PID:8356
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        163⤵
        
        PID:8348
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        164⤵
        
        PID:8256
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        165⤵
        
        PID:9008
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        166⤵
        
        PID:7616
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        167⤵
        
        PID:8348
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        168⤵
        
        PID:7072
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        169⤵
        
        PID:6676
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        170⤵
        
        PID:9308
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        171⤵
        
        PID:9516
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        172⤵
        
        PID:9720
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        173⤵
        
        PID:9780
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        174⤵
        
        PID:10012
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        175⤵
        
        PID:10168
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        176⤵
        
        PID:8648
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        177⤵
        
        PID:8484
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        178⤵
        
        PID:9776
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        179⤵
        
        PID:9728
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        180⤵
        
        PID:9652
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        181⤵
        
        PID:9616
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        182⤵
        
        PID:6960
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        183⤵
        
        PID:9936
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        184⤵
        
        PID:4128
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        185⤵
        
        PID:9812
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        186⤵
        
        PID:3648
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        187⤵
        
        PID:9940
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        188⤵
        
        PID:10456
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        189⤵
        
        PID:10596
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        190⤵
        
        PID:10824
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        191⤵
        
        PID:10900
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        192⤵
        
        PID:10988
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        193⤵
        
        PID:11096
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        194⤵
        
        PID:10272
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        195⤵
        
        PID:9892
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        196⤵
        
        PID:10776
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        197⤵
        
        PID:10740
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        198⤵
        
        PID:10872
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        199⤵
        
        PID:10696
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        200⤵
        
        PID:11048
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        201⤵
        
        PID:11256
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        202⤵
        
        PID:9728
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        203⤵
        
        PID:10332
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        204⤵
        
        PID:10556
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        205⤵
        
        PID:11160
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        206⤵
        
        PID:10012
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        207⤵
        
        PID:10856
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        208⤵
        
        PID:10740
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        209⤵
        
        PID:9812
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        210⤵
        
        PID:11100
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        211⤵
        
        PID:9204
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        212⤵
        
        PID:11172
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        213⤵
        
        PID:9408
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        214⤵
        
        PID:11448
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        215⤵
        
        PID:11684
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        214⤵
        
        PID:11464
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        212⤵
        
        PID:10848
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        213⤵
        
        PID:11084
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE"
        214⤵
        
        PID:11412
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        215⤵
        
        PID:11856
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        210⤵
        
        PID:11236
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        211⤵
        
        PID:11212
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE"
        212⤵
        
        PID:10740
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        213⤵
        
        PID:10176
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        214⤵
        
        PID:11568
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        214⤵
        
        PID:11576
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        208⤵
        
        PID:10456
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        209⤵
        
        PID:10624
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE"
        210⤵
        
        PID:10152
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        211⤵
        
        PID:10188
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        212⤵
        
        PID:11204
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        213⤵
        
        PID:11356
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        212⤵
        
        PID:9436
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        213⤵
        
        PID:11388
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        206⤵
        
        PID:10028
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        207⤵
        
        PID:10952
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE"
        208⤵
        
        PID:10556
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        209⤵
        
        PID:10696
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        210⤵
        
        PID:10028
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        211⤵
        
        PID:4648
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        210⤵
        
        PID:11160
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        211⤵
        
        PID:9812
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        204⤵
        
        PID:10604
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        205⤵
        
        PID:11192
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE"
        206⤵
        
        PID:10988
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        207⤵
        
        PID:11204
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        208⤵
        
        PID:3860
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        209⤵
        
        PID:11092
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        208⤵
        
        PID:10928
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        209⤵
        
        PID:9960
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        202⤵
        
        PID:9960
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        203⤵
        
        PID:10516
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE"
        204⤵
        
        PID:11216
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        205⤵
        
        PID:10472
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        206⤵
        
        PID:10828
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        207⤵
        
        PID:9952
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        206⤵
        
        PID:10872
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        207⤵
        
        PID:10604
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        200⤵
        
        PID:11176
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        201⤵
        
        PID:11096
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE"
        202⤵
        
        PID:10132
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        203⤵
        
        PID:11080
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        204⤵
        
        PID:10284
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        205⤵
        
        PID:10776
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        204⤵
        
        PID:11260
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        205⤵
        
        PID:10840
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        198⤵
        
        PID:10836
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        199⤵
        
        PID:10996
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE"
        200⤵
        
        PID:11184
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        201⤵
        
        PID:11108
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        202⤵
        
        PID:10396
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        203⤵
        
        PID:9292
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        202⤵
        
        PID:9844
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        203⤵
        
        PID:10792
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        196⤵
        
        PID:10416
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        197⤵
        
        PID:10864
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE"
        198⤵
        
        PID:10812
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        199⤵
        
        PID:11252
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        200⤵
        
        PID:3648
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        201⤵
        
        PID:10808
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        200⤵
        
        PID:10420
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        201⤵
        
        PID:10260
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        194⤵
        
        PID:10264
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        195⤵
        
        PID:10604
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE"
        196⤵
        
        PID:10708
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        192⤵
        
        PID:11104
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        193⤵
        
        PID:11232
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE"
        194⤵
        
        PID:9932
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        195⤵
        
        PID:9984
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        196⤵
        
        PID:8312
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        197⤵
        
        PID:10684
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        196⤵
        
        PID:10560
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        197⤵
        
        PID:4204
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        190⤵
        
        PID:10836
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        191⤵
        
        PID:10868
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE"
        192⤵
        
        PID:11032
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        193⤵
        
        PID:11204
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        194⤵
        
        PID:9908
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        195⤵
        
        PID:10404
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        194⤵
        
        PID:9684
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        195⤵
        
        PID:10436
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        188⤵
        
        PID:10464
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        189⤵
        
        PID:10696
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE"
        190⤵
        
        PID:11044
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        191⤵
        
        PID:11172
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        192⤵
        
        PID:10020
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        193⤵
        
        PID:10480
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        192⤵
        
        PID:9700
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        193⤵
        
        PID:6968
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        186⤵
        
        PID:9060
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        187⤵
        
        PID:10412
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE"
        188⤵
        
        PID:10628
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        189⤵
        
        PID:10808
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        190⤵
        
        PID:10964
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        191⤵
        
        PID:11016
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        190⤵
        
        PID:11024
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        191⤵
        
        PID:11144
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        184⤵
        
        PID:9960
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        185⤵
        
        PID:9876
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE"
        186⤵
        
        PID:10016
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        187⤵
        
        PID:9288
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        188⤵
        
        PID:5500
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        189⤵
        
        PID:10440
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        188⤵
        
        PID:8648
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        189⤵
        
        PID:10248
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        182⤵
        
        PID:9876
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        183⤵
        
        PID:7620
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE"
        184⤵
        
        PID:10028
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        185⤵
        
        PID:10024
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        186⤵
        
        PID:10316
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        187⤵
        
        PID:10492
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        186⤵
        
        PID:10324
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        187⤵
        
        PID:10524
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        180⤵
        
        PID:9264
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        181⤵
        
        PID:9680
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE"
        182⤵
        
        PID:9896
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        183⤵
        
        PID:9288
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        184⤵
        
        PID:9772
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        185⤵
        
        PID:10276
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        184⤵
        
        PID:9252
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        185⤵
        
        PID:9616
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        178⤵
        
        PID:9888
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        179⤵
        
        PID:10008
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE"
        180⤵
        
        PID:9504
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        181⤵
        
        PID:9772
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        182⤵
        
        PID:9912
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        183⤵
        
        PID:9656
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        182⤵
        
        PID:8484
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        183⤵
        
        PID:9592
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        176⤵
        
        PID:9324
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        177⤵
        
        PID:9664
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE"
        178⤵
        
        PID:9796
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        179⤵
        
        PID:9892
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        180⤵
        
        PID:10128
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        181⤵
        
        PID:8256
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        180⤵
        
        PID:9976
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        181⤵
        
        PID:8940
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        174⤵
        
        PID:10020
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        175⤵
        
        PID:10196
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE"
        176⤵
        
        PID:9288
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        177⤵
        
        PID:9508
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        178⤵
        
        PID:9644
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        179⤵
        
        PID:9816
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        178⤵
        
        PID:9944
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        179⤵
        
        PID:4144
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        172⤵
        
        PID:9728
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        173⤵
        
        PID:9824
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE"
        174⤵
        
        PID:9976
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        175⤵
        
        PID:10128
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        176⤵
        
        PID:9220
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        177⤵
        
        PID:9472
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        176⤵
        
        PID:8340
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        177⤵
        
        PID:5488
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        170⤵
        
        PID:9316
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        171⤵
        
        PID:9488
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE"
        172⤵
        
        PID:9640
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        173⤵
        
        PID:9708
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        174⤵
        
        PID:9852
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        175⤵
        
        PID:9964
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        174⤵
        
        PID:9880
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        175⤵
        
        PID:9920
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        168⤵
        
        PID:8808
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        169⤵
        
        PID:6960
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE"
        170⤵
        
        PID:8724
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        166⤵
        
        PID:9100
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        167⤵
        
        PID:7228
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE"
        168⤵
        
        PID:8944
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        164⤵
        
        PID:8920
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        165⤵
        
        PID:2288
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        162⤵
        
        PID:8404
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        163⤵
        
        PID:8456
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE"
        164⤵
        
        PID:3648
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        165⤵
        
        PID:8356
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        166⤵
        
        PID:6660
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        167⤵
        
        PID:9232
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        166⤵
        
        PID:8480
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        167⤵
        
        PID:8280
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        160⤵
        
        PID:9108
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        161⤵
        
        PID:7908
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE"
        162⤵
        
        PID:9208
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        158⤵
        
        PID:8680
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        159⤵
        
        PID:8636
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE"
        160⤵
        
        PID:8956
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        156⤵
        
        PID:8248
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        157⤵
        
        PID:2768
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE"
        158⤵
        
        PID:8692
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        159⤵
        
        PID:8920
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        160⤵
        
        PID:2224
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        161⤵
        
        PID:8704
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        160⤵
        
        PID:9132
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        161⤵
        
        PID:5036
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        154⤵
        
        PID:8944
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        155⤵
        
        PID:9204
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE"
        156⤵
        
        PID:7628
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        157⤵
        
        PID:8408
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        158⤵
        
        PID:2160
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        159⤵
        
        PID:8416
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        158⤵
        
        PID:4692
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        159⤵
        
        PID:8876
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        152⤵
        
        PID:8260
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        153⤵
        
        PID:4648
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE"
        154⤵
        
        PID:8808
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        155⤵
        
        PID:8288
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        156⤵
        
        PID:9088
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        157⤵
        
        PID:8628
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        156⤵
        
        PID:8992
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        157⤵
        
        PID:4708
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        150⤵
        
        PID:4672
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        151⤵
        
        PID:8336
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE"
        152⤵
        
        PID:8588
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        153⤵
        
        PID:8500
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        154⤵
        
        PID:9076
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        155⤵
        
        PID:9172
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        154⤵
        
        PID:9212
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        155⤵
        
        PID:3392
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        148⤵
        
        PID:8832
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        149⤵
        
        PID:6384
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE"
        150⤵
        
        PID:8484
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        151⤵
        
        PID:8524
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        152⤵
        
        PID:8884
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        153⤵
        
        PID:6444
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        152⤵
        
        PID:8720
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        153⤵
        
        PID:8744
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        146⤵
        
        PID:8548
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        147⤵
        
        PID:8636
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE"
        148⤵
        
        PID:8848
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        149⤵
        
        PID:8204
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        150⤵
        
        PID:8372
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        151⤵
        
        PID:536
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        150⤵
        
        PID:8392
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        151⤵
        
        PID:8448
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        144⤵
        
        PID:8464
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        145⤵
        
        PID:8496
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE"
        146⤵
        
        PID:8752
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        147⤵
        
        PID:8824
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        148⤵
        
        PID:8948
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        149⤵
        
        PID:9144
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        148⤵
        
        PID:9044
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        149⤵
        
        PID:9180
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        142⤵
        
        PID:8256
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        143⤵
        
        PID:8416
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE"
        144⤵
        
        PID:8648
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        145⤵
        
        PID:8700
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        146⤵
        
        PID:8904
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        147⤵
        
        PID:9080
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        146⤵
        
        PID:9028
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        147⤵
        
        PID:3856
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        140⤵
        
        PID:2312
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        141⤵
        
        PID:7856
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE"
        142⤵
        
        PID:6444
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        143⤵
        
        PID:8284
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        144⤵
        
        PID:8776
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        145⤵
        
        PID:8892
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        144⤵
        
        PID:8840
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        145⤵
        
        PID:8980
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        138⤵
        
        PID:7308
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        139⤵
        
        PID:4996
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE"
        140⤵
        
        PID:5920
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        141⤵
        
        PID:8600
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        142⤵
        
        PID:8796
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        143⤵
        
        PID:8932
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        142⤵
        
        PID:8856
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        143⤵
        
        PID:9112
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        136⤵
        
        PID:7180
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        137⤵
        
        PID:7752
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE"
        138⤵
        
        PID:7972
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        139⤵
        
        PID:7976
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        140⤵
        
        PID:5064
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        141⤵
        
        PID:5060
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        140⤵
        
        PID:5828
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        141⤵
        
        PID:8160
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        134⤵
        
        PID:3084
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        135⤵
        
        PID:8160
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE"
        136⤵
        
        PID:4460
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        137⤵
        
        PID:4752
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        138⤵
        
        PID:6140
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        139⤵
        
        PID:7752
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        138⤵
        
        PID:7292
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        139⤵
        
        PID:7252
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        132⤵
        
        PID:4752
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        133⤵
        
        PID:7732
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE"
        134⤵
        
        PID:8184
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        135⤵
        
        PID:7228
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        136⤵
        
        PID:8136
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        137⤵
        
        PID:8116
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        136⤵
        
        PID:8152
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        137⤵
        
        PID:7448
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        130⤵
        
        PID:8092
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        131⤵
        
        PID:6544
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE"
        132⤵
        
        PID:7796
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        133⤵
        
        PID:7320
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        134⤵
        
        PID:3240
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        135⤵
        
        PID:7480
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        134⤵
        
        PID:7028
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        135⤵
        
        PID:7868
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        128⤵
        
        PID:7624
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        129⤵
        
        PID:7864
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE"
        130⤵
        
        PID:3212
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        131⤵
        
        PID:7956
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        132⤵
        
        PID:7884
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        133⤵
        
        PID:5896
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        132⤵
        
        PID:7764
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        133⤵
        
        PID:7748
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        126⤵
        
        PID:7388
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        127⤵
        
        PID:7456
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE"
        128⤵
        
        PID:7796
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        129⤵
        
        PID:7976
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        130⤵
        
        PID:6412
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        131⤵
        
        PID:6880
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        130⤵
        
        PID:7196
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        131⤵
        
        PID:7412
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        124⤵
        
        PID:7224
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        125⤵
        
        PID:7328
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE"
        126⤵
        
        PID:7480
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        127⤵
        
        PID:7880
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        128⤵
        
        PID:7208
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        129⤵
        
        PID:7324
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        128⤵
        
        PID:6668
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        129⤵
        
        PID:7404
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        122⤵
        
        PID:5840
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        123⤵
        
        PID:6412
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE"
        124⤵
        
        PID:7128
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        125⤵
        
        PID:6720
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        126⤵
        
        PID:7184
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        127⤵
        
        PID:7216
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        126⤵
        
        PID:7240
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        127⤵
        
        PID:7300
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        120⤵
        
        PID:3544
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        121⤵
        
        PID:7060
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE"
        122⤵
        
        PID:5220
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        123⤵
        
        PID:6308
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        124⤵
        
        PID:6452
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        125⤵
        
        PID:6956
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        124⤵
        
        PID:5840
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        125⤵
        
        PID:4496
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        118⤵
        
        PID:5220
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        119⤵
        
        PID:6524
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE"
        120⤵
        
        PID:6404
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        121⤵
        
        PID:6540
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        122⤵
        
        PID:6224
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        123⤵
        
        PID:5444
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        122⤵
        
        PID:6748
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        123⤵
        
        PID:4984
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        116⤵
        
        PID:6740
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        117⤵
        
        PID:6224
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE"
        118⤵
        
        PID:6864
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        119⤵
        
        PID:6200
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        120⤵
        
        PID:3332
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        121⤵
        
        PID:6120
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        120⤵
        
        PID:6516
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        121⤵
        
        PID:6816
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        114⤵
        
        PID:6504
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        115⤵
        
        PID:6828
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE"
        116⤵
        
        PID:6712
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        117⤵
        
        PID:5300
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        118⤵
        
        PID:6988
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        119⤵
        
        PID:5996
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        118⤵
        
        PID:6732
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        119⤵
        
        PID:6488
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        112⤵
        
        PID:6004
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        113⤵
        
        PID:6448
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE"
        114⤵
        
        PID:6612
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        115⤵
        
        PID:6632
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        116⤵
        
        PID:4884
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        117⤵
        
        PID:1740
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        116⤵
        
        PID:6704
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        117⤵
        
        PID:6348
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        110⤵
        
        PID:6712
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        111⤵
        
        PID:7148
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE"
        112⤵
        
        PID:4544
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        113⤵
        
        PID:5220
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        114⤵
        
        PID:6432
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        115⤵
        
        PID:6548
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        114⤵
        
        PID:5168
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        115⤵
        
        PID:6304
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        108⤵
        
        PID:6556
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        109⤵
        
        PID:6512
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE"
        110⤵
        
        PID:6736
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        111⤵
        
        PID:6984
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        112⤵
        
        PID:6892
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        113⤵
        
        PID:6176
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        112⤵
        
        PID:7068
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        113⤵
        
        PID:4596
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        106⤵
        
        PID:4332
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        107⤵
        
        PID:6476
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE"
        108⤵
        
        PID:6412
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        109⤵
        
        PID:6848
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        110⤵
        
        PID:7080
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        111⤵
        
        PID:6236
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        110⤵
        
        PID:3452
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        111⤵
        
        PID:5296
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        104⤵
        
        PID:5296
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        105⤵
        
        PID:6016
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE"
        106⤵
        
        PID:6084
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        107⤵
        
        PID:6532
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        108⤵
        
        PID:6676
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        109⤵
        
        PID:6784
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        108⤵
        
        PID:6684
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        109⤵
        
        PID:6636
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        102⤵
        
        PID:6892
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        103⤵
        
        PID:7000
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE"
        104⤵
        
        PID:7148
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        100⤵
        
        PID:6648
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        101⤵
        
        PID:6752
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE"
        102⤵
        
        PID:7112
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        98⤵
        
        PID:6340
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        99⤵
        
        PID:6472
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE"
        100⤵
        
        PID:6540
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        101⤵
        
        PID:6584
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        102⤵
        
        PID:6932
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        103⤵
        
        PID:7032
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        102⤵
        
        PID:6960
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        103⤵
        
        PID:7084
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        96⤵
        
        PID:3992
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        97⤵
        
        PID:4080
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE"
        98⤵
        
        PID:6412
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        99⤵
        
        PID:6504
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        100⤵
        
        PID:6760
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        101⤵
        
        PID:6800
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        100⤵
        
        PID:6808
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        101⤵
        
        PID:6872
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        94⤵
        
        PID:4884
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        95⤵
        
        PID:5952
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE"
        96⤵
        
        PID:6160
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        97⤵
        
        PID:6424
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        98⤵
        
        PID:6624
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        99⤵
        
        PID:6696
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        98⤵
        
        PID:6660
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        99⤵
        
        PID:6724
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        92⤵
        
        PID:5460
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        93⤵
        
        PID:6016
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE"
        94⤵
        
        PID:3476
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        95⤵
        
        PID:4544
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        96⤵
        
        PID:6032
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        97⤵
        
        PID:6152
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        96⤵
        
        PID:6168
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        97⤵
        
        PID:6228
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        90⤵
        
        PID:5844
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        91⤵
        
        PID:5900
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE"
        92⤵
        
        PID:6004
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        93⤵
        
        PID:6120
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        94⤵
        
        PID:5844
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        95⤵
        
        PID:6092
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        94⤵
        
        PID:5900
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        95⤵
        
        PID:5652
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        88⤵
        
        PID:4416
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        89⤵
        
        PID:5672
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE"
        90⤵
        
        PID:6136
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        91⤵
        
        PID:3544
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        92⤵
        
        PID:3480
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        93⤵
        
        PID:5508
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        92⤵
        
        PID:5648
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        93⤵
        
        PID:5464
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        86⤵
        
        PID:5276
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        87⤵
        
        PID:3480
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE"
        88⤵
        
        PID:5680
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        89⤵
        
        PID:6084
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        90⤵
        
        PID:536
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        91⤵
        
        PID:5880
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        90⤵
        
        PID:2564
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        91⤵
        
        PID:5888
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        84⤵
        
        PID:4348
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        85⤵
        
        PID:5840
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE"
        86⤵
        
        PID:6004
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        87⤵
        
        PID:5752
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        88⤵
        
        PID:4220
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        89⤵
        
        PID:3260
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        88⤵
        
        PID:3488
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        89⤵
        
        PID:3780
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        82⤵
        
        PID:2564
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        83⤵
        
        PID:4416
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE"
        84⤵
        
        PID:5636
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        85⤵
        
        PID:5900
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        86⤵
        
        PID:5524
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        87⤵
        
        PID:5264
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        86⤵
        
        PID:5760
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        87⤵
        
        PID:4784
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        80⤵
        
        PID:6076
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        81⤵
        
        PID:6104
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE"
        82⤵
        
        PID:4992
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        83⤵
        
        PID:5292
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        84⤵
        
        PID:5304
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        85⤵
        
        PID:5816
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        84⤵
        
        PID:5440
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        85⤵
        
        PID:5656
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        78⤵
        
        PID:5760
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        79⤵
        
        PID:5804
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE"
        80⤵
        
        PID:6132
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        81⤵
        
        PID:4188
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        82⤵
        
        PID:3364
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        83⤵
        
        PID:4500
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        82⤵
        
        PID:5384
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        83⤵
        
        PID:4824
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        76⤵
        
        PID:3260
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        77⤵
        
        PID:4496
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE"
        78⤵
        
        PID:4900
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        79⤵
        
        PID:5640
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        80⤵
        
        PID:5828
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        81⤵
        
        PID:5856
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        80⤵
        
        PID:5892
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        81⤵
        
        PID:6020
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        74⤵
        
        PID:4992
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        75⤵
        
        PID:4220
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE"
        76⤵
        
        PID:5096
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        77⤵
        
        PID:5620
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        78⤵
        
        PID:5920
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        79⤵
        
        PID:5956
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        78⤵
        
        PID:5980
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        79⤵
        
        PID:6008
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        72⤵
        
        PID:4212
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        73⤵
        
        PID:2352
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE"
        74⤵
        
        PID:4968
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        75⤵
        
        PID:4912
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        76⤵
        
        PID:3504
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        77⤵
        
        PID:5684
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        76⤵
        
        PID:4440
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        77⤵
        
        PID:5708
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        70⤵
        
        PID:4732
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        71⤵
        
        PID:5056
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE"
        72⤵
        
        PID:4092
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        73⤵
        
        PID:4648
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        74⤵
        
        PID:4944
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        75⤵
        
        PID:592
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        74⤵
        
        PID:4268
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        75⤵
        
        PID:5424
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        68⤵
        
        PID:3504
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        69⤵
        
        PID:4676
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE"
        70⤵
        
        PID:4860
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        71⤵
        
        PID:5084
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        72⤵
        
        PID:3456
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        73⤵
        
        PID:4660
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        72⤵
        
        PID:4128
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        73⤵
        
        PID:4668
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        66⤵
        
        PID:5024
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        67⤵
        
        PID:5076
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE"
        68⤵
        
        PID:3888
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        69⤵
        
        PID:4664
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        70⤵
        
        PID:4600
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        71⤵
        
        PID:5112
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        70⤵
        
        PID:4996
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        71⤵
        
        PID:3948
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        64⤵
        
        PID:4616
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        65⤵
        
        PID:4680
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE"
        66⤵
        
        PID:4816
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        67⤵
        
        PID:4912
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        68⤵
        
        PID:3424
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        69⤵
        
        PID:4552
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        68⤵
        
        PID:3648
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        69⤵
        
        PID:4592
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        62⤵
        
        PID:4208
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        63⤵
        
        PID:4292
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE"
        64⤵
        
        PID:4436
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        65⤵
        
        PID:4504
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        66⤵
        
        PID:4952
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        67⤵
        
        PID:5008
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        66⤵
        
        PID:5044
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        67⤵
        
        PID:4040
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        60⤵
        
        PID:1964
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        61⤵
        
        PID:3580
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE"
        62⤵
        
        PID:4092
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        63⤵
        
        PID:4108
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        64⤵
        
        PID:4332
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        65⤵
        
        PID:4380
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        64⤵
        
        PID:4340
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        65⤵
        
        PID:4420
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        58⤵
        
        PID:3272
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        59⤵
        
        PID:4088
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE"
        60⤵
        
        PID:4148
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        61⤵
        
        PID:4256
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        62⤵
        
        PID:4696
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        63⤵
        
        PID:4804
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        62⤵
        
        PID:4748
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        63⤵
        
        PID:4872
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        56⤵
        
        PID:4012
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        57⤵
        
        PID:4040
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE"
        58⤵
        
        PID:4044
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        59⤵
        
        PID:1824
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        60⤵
        
        PID:4460
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        61⤵
        
        PID:4652
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        60⤵
        
        PID:4472
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        61⤵
        
        PID:4556
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        54⤵
        System Location Discovery: System Language Discovery
        
        PID:3096
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        55⤵
        
        PID:3636
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE"
        56⤵
        
        PID:1996
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        57⤵
        
        PID:3564
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        58⤵
        
        PID:3180
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        59⤵
        
        PID:3324
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        58⤵
        
        PID:3728
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        59⤵
        
        PID:3192
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        52⤵
        
        PID:3844
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        53⤵
        
        PID:3584
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE"
        54⤵
        
        PID:3368
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        55⤵
        System Location Discovery: System Language Discovery
        
        PID:3852
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        56⤵
        
        PID:3544
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        57⤵
        
        PID:3616
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        56⤵
        
        PID:3208
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        57⤵
        
        PID:2104
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        50⤵
        Drops file in Windows directory
        
        PID:1964
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        51⤵
        
        PID:3472
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE"
        52⤵
        Drops file in Windows directory
        
        PID:4052
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        53⤵
        
        PID:3996
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        54⤵
        
        PID:3568
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        55⤵
        
        PID:3920
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        54⤵
        
        PID:3104
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        55⤵
        System Location Discovery: System Language Discovery
        
        PID:3764
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        48⤵
        Drops file in Windows directory
        
        PID:3916
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        49⤵
        Drops file in Windows directory
        
        PID:4036
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE"
        50⤵
        Drops file in Windows directory
        
        PID:3332
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        51⤵
        
        PID:3424
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        52⤵
        
        PID:3960
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        53⤵
        
        PID:3156
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        52⤵
        
        PID:2004
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        53⤵
        
        PID:3428
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        46⤵
        Drops file in Windows directory
        
        PID:3544
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        47⤵
        Drops file in Windows directory
        
        PID:3888
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE"
        48⤵
        
        PID:1996
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        49⤵
        
        PID:3120
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        50⤵
        
        PID:3244
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        51⤵
        System Location Discovery: System Language Discovery
        
        PID:3600
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        50⤵
        Drops file in Windows directory
        
        PID:3232
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        51⤵
        
        PID:3836
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        44⤵
        System Location Discovery: System Language Discovery
        
        PID:3232
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        45⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3576
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE"
        46⤵
        Drops file in Windows directory
        
        PID:3584
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        47⤵
        
        PID:3800
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        48⤵
        Drops file in Windows directory
        
        PID:4080
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        49⤵
        
        PID:3076
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        48⤵
        
        PID:3992
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        49⤵
        
        PID:4020
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        42⤵
        System Location Discovery: System Language Discovery
        
        PID:4016
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        43⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3216
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE"
        44⤵
        Drops file in Windows directory
        
        PID:3276
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        45⤵
        System Location Discovery: System Language Discovery
        
        PID:3152
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        46⤵
        
        PID:3652
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        47⤵
        
        PID:3832
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        46⤵
        
        PID:3592
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        47⤵
        
        PID:3808
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        40⤵
        
        PID:3820
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        41⤵
        
        PID:3936
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE"
        42⤵
        
        PID:3116
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        43⤵
        System Location Discovery: System Language Discovery
        
        PID:1560
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        44⤵
        
        PID:3488
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        45⤵
        
        PID:3608
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        44⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3480
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        45⤵
        
        PID:3620
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        38⤵
        Drops file in Windows directory
        
        PID:3588
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        39⤵
        
        PID:3624
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE"
        40⤵
        
        PID:3760
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        41⤵
        
        PID:3852
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        42⤵
        
        PID:4028
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        43⤵
        
        PID:2820
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        42⤵
        
        PID:4064
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        43⤵
        System Location Discovery: System Language Discovery
        
        PID:3092
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        36⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3104
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        37⤵
        Drops file in Windows directory
        
        PID:3132
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE"
        38⤵
        Drops file in Windows directory
        
        PID:3636
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        39⤵
        
        PID:3680
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        40⤵
        
        PID:3780
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        41⤵
        
        PID:3908
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        40⤵
        
        PID:3860
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        41⤵
        System Location Discovery: System Language Discovery
        
        PID:3968
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        34⤵
        Drops file in Windows directory
        
        PID:2988
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        35⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2104
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE"
        36⤵
        
        PID:3196
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        37⤵
        System Location Discovery: System Language Discovery
        
        PID:3228
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        38⤵
        
        PID:3404
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        39⤵
        
        PID:3440
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        38⤵
        
        PID:3452
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        39⤵
        
        PID:3492
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        32⤵
        Drops file in Windows directory
        
        PID:956
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        33⤵
        
        PID:1536
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE"
        34⤵
        Drops file in Windows directory
        
        PID:1824
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        35⤵
        
        PID:956
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        36⤵
        
        PID:3256
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        37⤵
        
        PID:3292
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        36⤵
        System Location Discovery: System Language Discovery
        
        PID:3264
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        37⤵
        System Location Discovery: System Language Discovery
        
        PID:3344
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        30⤵
        
        PID:236
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        31⤵
        Drops file in Windows directory
        
        PID:2924
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE"
        32⤵
        Drops file in Windows directory
        
        PID:2876
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        33⤵
        
        PID:2888
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        34⤵
        
        PID:1740
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        35⤵
        
        PID:1484
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        34⤵
        System Location Discovery: System Language Discovery
        
        PID:2924
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        35⤵
        
        PID:2860
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        28⤵
        
        PID:1964
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        29⤵
        
        PID:592
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE"
        30⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2780
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        31⤵
        
        PID:536
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        32⤵
        System Location Discovery: System Language Discovery
        
        PID:592
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        33⤵
        System Location Discovery: System Language Discovery
        
        PID:2960
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        32⤵
        
        PID:1228
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        33⤵
        
        PID:2356
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        26⤵
        Drops file in Windows directory
        
        PID:884
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        27⤵
        Drops file in Windows directory
        
        PID:1996
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE"
        28⤵
        
        PID:3060
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        29⤵
        
        PID:2764
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        30⤵
        System Location Discovery: System Language Discovery
        
        PID:2612
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        31⤵
        
        PID:1688
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        30⤵
        
        PID:2288
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        31⤵
        
        PID:1292
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        24⤵
        
        PID:1944
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        25⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2120
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE"
        26⤵
        Drops file in Windows directory
        
        PID:1764
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        27⤵
        System Location Discovery: System Language Discovery
        
        PID:2672
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        28⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2528
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        29⤵
        
        PID:2476
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        28⤵
        
        PID:2248
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        29⤵
        System Location Discovery: System Language Discovery
        
        PID:408
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        22⤵
        
        PID:444
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        23⤵
        
        PID:1952
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE"
        24⤵
        
        PID:3000
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        25⤵
        
        PID:1756
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        26⤵
        
        PID:2704
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        27⤵
        System Location Discovery: System Language Discovery
        
        PID:3028
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        26⤵
        
        PID:3052
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        27⤵
        System Location Discovery: System Language Discovery
        
        PID:2828
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        20⤵
        Loads dropped DLL
        
        PID:2868
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        21⤵
        System Location Discovery: System Language Discovery
        
        PID:2580
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE"
        22⤵
        Drops file in Windows directory
        
        PID:2172
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        23⤵
        System Location Discovery: System Language Discovery
        
        PID:1992
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        24⤵
        
        PID:2352
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        25⤵
        
        PID:860
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        24⤵
        System Location Discovery: System Language Discovery
        
        PID:2000
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        25⤵
        
        PID:2684
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        18⤵
        Loads dropped DLL
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2560
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        19⤵
        System Location Discovery: System Language Discovery
        
        PID:2916
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE"
        20⤵
        Loads dropped DLL
        Drops file in Windows directory
        
        PID:2792
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        21⤵
        
        PID:1744
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        22⤵
        
        PID:2056
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        23⤵
        
        PID:2748
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        22⤵
        
        PID:2008
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        23⤵
        System Location Discovery: System Language Discovery
        
        PID:1660
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        
        PID:2100
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        17⤵
        
        PID:1940
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE"
        18⤵
        Loads dropped DLL
        
        PID:2364
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        19⤵
        System Location Discovery: System Language Discovery
        
        PID:1516
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        20⤵
        Loads dropped DLL
        
        PID:2784
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        21⤵
        System Location Discovery: System Language Discovery
        
        PID:1480
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        20⤵
        Loads dropped DLL
        
        PID:2816
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        21⤵
        
        PID:1112
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2584
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2580
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE"
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1500
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        17⤵
        System Location Discovery: System Language Discovery
        
        PID:2496
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        18⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2480
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        19⤵
        System Location Discovery: System Language Discovery
        
        PID:2800
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        18⤵
        Loads dropped DLL
        Drops file in Windows directory
        
        PID:2696
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        19⤵
        
        PID:3012
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        
        PID:1980
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        13⤵
        Executes dropped EXE
        
        PID:1320
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE"
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2044
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        15⤵
        Executes dropped EXE
        
        PID:2292
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2064
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        17⤵
        Executes dropped EXE
        
        PID:1784
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2072
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        17⤵
        
        PID:1720
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        
        PID:2952
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1816
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE"
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2792
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2384
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        
        PID:1936
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        15⤵
        Executes dropped EXE
        
        PID:2260
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:712
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        15⤵
        Executes dropped EXE
        
        PID:2184
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2272
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        9⤵
        Executes dropped EXE
        
        PID:1264
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:892
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        11⤵
        Executes dropped EXE
        
        PID:2816
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        
        PID:2060
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        13⤵
        Executes dropped EXE
        
        PID:984
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        
        PID:1484
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        13⤵
        Executes dropped EXE
        
        PID:324
      - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2764
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        7⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:540
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:760
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        9⤵
        Executes dropped EXE
        
        PID:2224
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2744
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        11⤵
        Executes dropped EXE
        
        PID:2700
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2756
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        11⤵
        Executes dropped EXE
        
        PID:2648
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Windows directory
      Suspicious use of WriteProcessMemory
      PID:576
    - - C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        5⤵
        Executes dropped EXE
        
        PID:2588
      - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        
        PID:1148
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2848
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2924
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1132
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2036
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        9⤵
        Executes dropped EXE
        
        PID:1728
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2572
  - - C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
      C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious use of WriteProcessMemory
      PID:2664
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:2720
      - C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        6⤵
        Executes dropped EXE
        
        PID:236
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1536
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        8⤵
        Executes dropped EXE
        
        PID:688
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3032
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        8⤵
        Executes dropped EXE
        
        PID:1588
- C:\Users\Admin\AppData\Local\Temp\SERVER BOT.EXE
  "C:\Users\Admin\AppData\Local\Temp\SERVER BOT.EXE"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2796
- - C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER BOT.EXE
    "C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER BOT.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2384
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2568
    - - C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        5⤵
        Executes dropped EXE
        
        PID:2492
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Windows directory
      Suspicious use of WriteProcessMemory
      PID:2616
    - - C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        5⤵
        Executes dropped EXE
        
        PID:3024

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\ALLUSE~1\{9A861~1\ose.exe

Filesize
186KB

MD5
58b58875a50a0d8b5e7be7d6ac685164

SHA1
1e0b89c1b2585c76e758e9141b846ed4477b0662

SHA256
2a0aa0763fdef9c38c5dd4d50703f0c7e27f4903c139804ec75e55f8388139ae

SHA512
d67214077162a105d01b11a8e207fab08b45b08fbfba0615a2ea146e1dd99eea35e4f02958a1754d3192292c00caf777f186f0a362e4b8b0da51fabbdb76375b

Download Submit
C:\MSOCache\ALLUSE~1\{9A861~1\setup.exe

Filesize
1.1MB

MD5
566ed4f62fdc96f175afedd811fa0370

SHA1
d4b47adc40e0d5a9391d3f6f2942d1889dd2a451

SHA256
e17cd94c08fc0e001a49f43a0801cea4625fb9aee211b6dfebebec446c21f460

SHA512
cdf8f508d396a1a0d2e0fc25f2ae46398b25039a0dafa0919737cc44e3e926ebae4c3aa26f1a3441511430f1a36241f8e61c515a5d9bd98ad4740d4d0f7b8db7

Download Submit
C:\Users\Admin\AppData\Local\05039a44b73f973d6341ee5ab9aaeb9b\Admin@CCJBVTGQ_en-US\System\Process.txt

Filesize
449B

MD5
2c92a7f9360614c3426ac4c803115848

SHA1
b821aa4c3735c80b755fa2ceb557cf0ee9f0cda3

SHA256
ebac39e8eace1e28c0540e638ddf4f8e774d562ee29914998447d9e5da22578f

SHA512
ae8c5404c793c19799e3b022f5ac9d084962f88ff6e7be03a297edb392d444bc3df1342bd023184b691e033b80a9b4fcb85e73ccfd9b2efc2fe78f95517a7831

Download Submit
C:\Users\Admin\AppData\Local\05039a44b73f973d6341ee5ab9aaeb9b\Admin@CCJBVTGQ_en-US\System\Process.txt

Filesize
2KB

MD5
f3df0715f1bc4cfe7df04fc5ee208279

SHA1
7d5cd54b78829665291d34e66dbdfc4efb262a3d

SHA256
672067acfa11f28657ee5b193a8f928451df0fa614b8c2f935a827ffd710791e

SHA512
a1bd58b2c99ba6064dcf5fc93628a4d9133ec69dd1f6d777555b0b94fe965851ebb1c792fe2fccfb78401b202f402ab4c4e20a9f2a0856f133b0263118ed253b

Download Submit
C:\Users\Admin\AppData\Local\05039a44b73f973d6341ee5ab9aaeb9b\Admin@CCJBVTGQ_en-US\System\Process.txt

Filesize
3KB

MD5
ad5284d0a4bf40b33fdd499705791f36

SHA1
999e9a8d9edda086806af771ab1f95668fcffeda

SHA256
36dd46c21f89fea1f74908ecd99613478257f98f2d6200d28cac2c02e0cd1a57

SHA512
d0c81d60ce3f8c460b6afaaa0f02a855cb00a21202950f4db0b802add7f5689130d9f50f0fe92801f9e1b1454f4582ef0567a46ffc4e7c62743129a6d3acad2d

Download Submit
C:\Users\Admin\AppData\Local\12b4d00d258a1d161f055be15e52145f\Admin@CCJBVTGQ_en-US\System\Process.txt

Filesize
1KB

MD5
cee74933c2dba7e9d13d0bca8bfab1b1

SHA1
748ae39d92e78f7096918d3970555004d988da74

SHA256
1a3ab556009c4859bda4cceb38374db4aa403e39af7a9ab23955a16ce580a1db

SHA512
911e9b27912b354943f777865695645b3da8a42047f7da650f7d75accef2f0aa07a620a999d19749fd057f84983ae3ae8f076003de5761d6f763694704d7a22e

Download Submit
C:\Users\Admin\AppData\Local\12b4d00d258a1d161f055be15e52145f\Admin@CCJBVTGQ_en-US\System\Process.txt

Filesize
691B

MD5
6ed8e2b8b3167b9f50c5eadd44d33a5e

SHA1
5741002de857dab080140921bdd5098a83e26f85

SHA256
8d66292b9dd977ac26ae56c142a73f06df46d8b9f5544a47959d4d8d9084dd74

SHA512
0065c00a1e39192e2949840ababff0ec9bfb09c2e5bc06ac9e30dbe7546f8d2e0142918886a54a22213337d4619334934680fff19d33b64f840c8d97159a7a74

Download Submit
C:\Users\Admin\AppData\Local\12b4d00d258a1d161f055be15e52145f\Admin@CCJBVTGQ_en-US\System\Process.txt

Filesize
1KB

MD5
e753101e241ea1437528da4020e09362

SHA1
fb06b46f6a19a349421e4e74431c141c9a7b1f2e

SHA256
0bc42f9a43e5fe3408596b8bfe545887980ca6b73091f1420bcbe352a53a7737

SHA512
1c24c3428eb5e55734c84295b92ddfe576d986d38d15c1764f18b2548f63574ef0b0e696bf6f9b234dc42c8419903c4dd8da324bb797fb41ae7d46841accd9df

Download Submit
C:\Users\Admin\AppData\Local\19b99f596f4d554fe8a883b639e4030d\Admin@CCJBVTGQ_en-US\Browsers\Firefox\Bookmarks.txt

Filesize
210B

MD5
1267f4be35fbe5510886cf08ddee9fdd

SHA1
04e714a1c8a9d76e860c7cbbe7ebf62c71dea6b9

SHA256
ab038447adbfd1faf46f0d3bf6dc387621dc8435ab552696ec8d9bbe7a6a9ab3

SHA512
6f1bc0ad9eb850f37cddc2422e738f0cbbfe8a7a7e064c0c989cafbf0f7d5ae5bdfced4b3f93952688de3bfa338ff5a8c7258aff8397cdaccb36b23b5d16686b

Download Submit
C:\Users\Admin\AppData\Local\19b99f596f4d554fe8a883b639e4030d\Admin@CCJBVTGQ_en-US\Browsers\Firefox\Bookmarks.txt

Filesize
315B

MD5
71227f862899452aa270d580a8b090c8

SHA1
13a6dc9506be2066777ec34acbe5ab62684c4929

SHA256
22e5316f3216208507c8ae67cbb2a90cfcf4389dae87f8f71c3388593eca57c1

SHA512
126c549e82d679bb9d3e229b09c3dded86b72aa5a98cb956a0d2a740ca43a4da14049134c3836c49ef50e76bb0a69fe158bb776a4c86a7e7b04893ced8ba5b5a

Download Submit
C:\Users\Admin\AppData\Local\19b99f596f4d554fe8a883b639e4030d\Admin@CCJBVTGQ_en-US\Directories\Videos.txt

Filesize
23B

MD5
1fddbf1169b6c75898b86e7e24bc7c1f

SHA1
d2091060cb5191ff70eb99c0088c182e80c20f8c

SHA256
a67aa329b7d878de61671e18cd2f4b011d11cbac67ea779818c6dafad2d70733

SHA512
20bfeafde7fec1753fef59de467bd4a3dd7fe627e8c44e95fe62b065a5768c4508e886ec5d898e911a28cf6365f455c9ab1ebe2386d17a76f53037f99061fd4d

Download Submit
C:\Users\Admin\AppData\Local\19b99f596f4d554fe8a883b639e4030d\Admin@CCJBVTGQ_en-US\System\Process.txt

Filesize
4KB

MD5
750d332c9eb0a5d7930ab1a2c155b43c

SHA1
8d7f80b84197b58b90c90763ffc52e02a7895c12

SHA256
71d65239939d40a9e2ae40b164b03f22213e5a3e4868d30d8960efa82c378397

SHA512
7ec191dea89d6076716cafe62765635b43937ff073ddcfcbe37d93cb21f368a2fcf35c160146c3c37def5dfb4c53b22d35e2ddb900bfd02caa35c1aaf5c8a984

Download Submit
C:\Users\Admin\AppData\Local\19b99f596f4d554fe8a883b639e4030d\Admin@CCJBVTGQ_en-US\System\Process.txt

Filesize
2KB

MD5
6b71e1d646e89a837aee0e4f0aeaea54

SHA1
971ecabe4af201eb907017bac658d57aab3b58fc

SHA256
54db91edb5e3f0187438ffa86e80814d910f43234dd8e6d623c9d1ff1aca0110

SHA512
64f7f88e1f90cbfd6c4c03757e6dbc73ac24ec2ebcc01cb2e1febb8feed2ef7c6dfab57c44255ab1e327d424b6a3ea27930973fdf75038b0891a914a32ed0d26

Download Submit
C:\Users\Admin\AppData\Local\19b99f596f4d554fe8a883b639e4030d\Admin@CCJBVTGQ_en-US\System\Process.txt

Filesize
4KB

MD5
45f45c3e28b6b0937a6b0abc5e39e91f

SHA1
887e3b166cf30d5bb8a639d7c98ae38e651b69ca

SHA256
885b10101584201aa5d647ee91ea6a39d70a56cb2310fcf6f43eb9aa9b3020d2

SHA512
b144a4942e76a1b73a00747d00cf840d998089a8ed928d8e363522b74aed05e1a15153e9135063b83b342f7f866a8379d87c482ca07bc16da9b947b158e3a27e

Download Submit
C:\Users\Admin\AppData\Local\19b99f596f4d554fe8a883b639e4030d\Admin@CCJBVTGQ_en-US\System\Process.txt

Filesize
218B

MD5
770ec9175eeaca97f67f42bd99e5b0c9

SHA1
85cd3080bb472404618a30f991caa556d49b46e4

SHA256
ef8d37af9463032d8216f97a012f8c1e979422e9bf2c49903b9b9a1f8fc7afc9

SHA512
a35dea213e2b7b87c7bdfbd29c9ebd4decacb948e3d37f0457a650292ae3695e4af6319a6c9f2d63c8584a06162350126190bf018074844fd360357e71a458f7

Download Submit
C:\Users\Admin\AppData\Local\3350a8b673d485a30a60853066ba34ac\Admin@CCJBVTGQ_en-US\Browsers\Firefox\Bookmarks.txt

Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\Users\Admin\AppData\Local\3350a8b673d485a30a60853066ba34ac\Admin@CCJBVTGQ_en-US\Directories\Temp.txt

Filesize
9KB

MD5
4f15fdf0fe213f68cafab25acb4ad2b8

SHA1
c714a43382975a5181dccb26d4911632c5ee039f

SHA256
72ff83c78c159e761da12eddb45f87bc9b18d23ccfe306f8345b1da164388dad

SHA512
2b641727b4a9115b0c833579d6aae8b430cab24a56b134739836d1f69a9cec7ea371286fb2f629846054f823d0b7a8b7aa1203537f90ddfdb93309fa5c169be2

Download Submit
C:\Users\Admin\AppData\Local\9b9ee9dd04458a34fd24efcc9cbe5a28\Admin@CCJBVTGQ_en-US\Directories\Documents.txt

Filesize
506B

MD5
b4ff06c3e44427c37785e67e9fd19cf0

SHA1
667092c78fa48526b291d64ebb2082abb0612475

SHA256
7f94538719ce57f47be488aa70ff857a052c916aa88de80bf5cc8aa3359ae300

SHA512
fb0ef7447a0e416790e5fe3bc791e4538f760b56b8b015c4d86b98ee03145224f6302219769800dbdf3dc4dd0fe9ad1f81faacbeb0a10209d9f71d9263a695f2

Download Submit
C:\Users\Admin\AppData\Local\9b9ee9dd04458a34fd24efcc9cbe5a28\Admin@CCJBVTGQ_en-US\Directories\Downloads.txt

Filesize
700B

MD5
1c0b8b017d2b285dd86fb836c13441fa

SHA1
5158d1b5d5a75ce647a38f7834c7941637bb9457

SHA256
22b367a5a566a5921e04b0e1c2075acd8a44129aa211e8233ca9ec2fe4153818

SHA512
dd8cf576c11ed0448ad9c9b697d0c7f77eb2b66fbc7d8fbe5f763e124da3208853a5908357e88e3e983f3f30ee97a640ca353facda644876e6385f44b7d7a952

Download Submit
C:\Users\Admin\AppData\Local\9b9ee9dd04458a34fd24efcc9cbe5a28\Admin@CCJBVTGQ_en-US\Directories\Pictures.txt

Filesize
585B

MD5
ed4d749cedfc16af53836cd64a977725

SHA1
9b6325d42dacc2d91834118a75cfc78dec0f9108

SHA256
71d95337494cf012ef35e913a52f178a4d91e6d80c32b5a4129a9c52b14be432

SHA512
cdc72104d562162c00077fa69a58c2b3036de55ebf103ce124160f18d2be525064b4c605fe74aa9f8f200660b1ab0662883af95f15240f546fbac9964ccff737

Download Submit
C:\Users\Admin\AppData\Local\9b9ee9dd04458a34fd24efcc9cbe5a28\Admin@CCJBVTGQ_en-US\Directories\Startup.txt

Filesize
24B

MD5
68c93da4981d591704cea7b71cebfb97

SHA1
fd0f8d97463cd33892cc828b4ad04e03fc014fa6

SHA256
889ed51f9c16a4b989bda57957d3e132b1a9c117ee84e208207f2fa208a59483

SHA512
63455c726b55f2d4de87147a75ff04f2daa35278183969ccf185d23707840dd84363bec20d4e8c56252196ce555001ca0e61b3f4887d27577081fdef9e946402

Download Submit
C:\Users\Admin\AppData\Local\Temp\SERVER BOT.EXE

Filesize
558KB

MD5
1c8096305a5e96aafad54356e63a5d09

SHA1
757b9748b708b5ad0b45f05e22fe5cb87acc8318

SHA256
12981fcff8fae053977c4e0d18ee8033996bce16702008c5ba57498bbd35ac79

SHA512
88ad12fae3b91124361ec20a9f3138f082c670acaf365e3da2ff11f4252d05e5b26f09f05d55cc684855ceca304d526fa67f16130f85c1f42638d2136dd9cd38

Download Submit
C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE

Filesize
232KB

MD5
60e907c5d3c0aa96e45b8db5d2a2ca80

SHA1
2e23304cf254c39bbfae227a6c7dde34eedbbc3c

SHA256
4e61c25d6ef620a0b4c800091860cdc38928f2ec75e2097700d4d94cc0f87265

SHA512
1ea98aadd284ce7222c488ca32f69eb422532d5682e17453b199b5dcec9318da7bfe6667bc87bff46460881e39ab28d254d6675eb0dd9c06f22a02c5bf204fa4

Download Submit
C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE

Filesize
232KB

MD5
ca7eb340866d2ad3ecab4a3c862e3ebd

SHA1
d2d0f3c1a8308ea75f799b013655b76413cfb853

SHA256
b4369bfaad90ac4bb613c40ffc1aba17d48f40264dcaaefbfe6b65930cac951d

SHA512
69d4b6c3a7bbb93f1d6e49840da769d9233af251e66cdbd6da0ce5ce302db498711cd35a799ff8f4899dd0b5d5ca16affe412a21e07dfa276fdb292cfe169531

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp89DD.tmp.dat

Filesize
148KB

MD5
90a1d4b55edf36fa8b4cc6974ed7d4c4

SHA1
aba1b8d0e05421e7df5982899f626211c3c4b5c1

SHA256
7cf3e9e8619904e72ea6608cc43e9b6c9f8aa2af02476f60c2b3daf33075981c

SHA512
ea0838be754e1258c230111900c5937d2b0788f90bbf7c5f82b2ceda7868e50afb86c301f313267eaa912778da45755560b5434885521bf915967a7863922ae2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp89E0.tmp.dat

Filesize
92KB

MD5
102841a614a648b375e94e751611b38f

SHA1
1368e0d6d73fa3cee946bdbf474f577afffe2a43

SHA256
c82ee2a0dc2518cb1771e07ce4b91f5ef763dd3dd006819aece867e82a139264

SHA512
ca18a888dca452c6b08ad9f14b4936eb9223346c45c96629c3ee4dd6742e947b6825662b42e793135e205af77ad35e6765ac6a2b42cefed94781b3463a811f0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8A99.tmp.dat

Filesize
5.0MB

MD5
c5ec8e3a3ac8a0b4def250704fadbe97

SHA1
0673f991bef6c568e04e37ae93567ab6369b8b46

SHA256
d72959f1ac7ba38109198851384bac6b086b0b4d859334719d8898b81ce4ca70

SHA512
2094ed53e365418bfc58ea71947280e71f712a20a28c1f49c44b3128032796a3066323a717dc74e4240fd03187c007660b285a5a300d5603d68ae61847e562d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8C49.tmp.dat

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8C6C.tmp.dat

Filesize
96KB

MD5
d367ddfda80fdcf578726bc3b0bc3e3c

SHA1
23fcd5e4e0e5e296bee7e5224a8404ecd92cf671

SHA256
0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0

SHA512
40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77

Download Submit
C:\Users\Admin\AppData\Local\d2a705d62e0ea7e9741c3061b549ff86\Admin@CCJBVTGQ_en-US\Directories\Desktop.txt

Filesize
525B

MD5
3e816e44bf1c5722fdbbb98cff8a34a0

SHA1
b1ef32a3b5b07814c66ce87b14fb22f4b9e23d2e

SHA256
b40c0fd6aedfbb42a2be72701c0e3649b7a53159039a03b97ceab52163426cae

SHA512
8bac7a487ce180a0ad6b5b2c9d9dcc589c81cb0002fbc860ac50bfe147ed62fe5866ce1cbce9d46bd00859787251024cbf215f7d953200a9fa440a497c6d78d2

Download Submit
C:\Users\Admin\AppData\Local\d2a705d62e0ea7e9741c3061b549ff86\Admin@CCJBVTGQ_en-US\Directories\Temp.txt

Filesize
4KB

MD5
835533e029eff5d091d7967b5a597a64

SHA1
2fa8a13c1cc0125b0344b00ba43656c8d189ec8c

SHA256
1b9221570acc472b5126e42549ada4b3630b98225766b42e5c75480e6720c3ea

SHA512
9f3159eac9a386e989a09efcd3018ebfb878fd8173acffab97afe0954c3513dd457c2dce182778a10c762793c8a4a498b626ff4aac4b803c5498b9bb63bce5c2

Download Submit
C:\Users\Admin\AppData\Local\d2a705d62e0ea7e9741c3061b549ff86\Admin@CCJBVTGQ_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini

Filesize
282B

MD5
3a37312509712d4e12d27240137ff377

SHA1
30ced927e23b584725cf16351394175a6d2a9577

SHA256
b029393ea7b7cf644fb1c9f984f57c1980077562ee2e15d0ffd049c4c48098d3

SHA512
dbb9abe70f8a781d141a71651a62a3a743c71a75a8305e9d23af92f7307fb639dc4a85499115885e2a781b040cbb7613f582544c2d6de521e588531e9c294b05

Download Submit
C:\Users\Admin\AppData\Local\d2a705d62e0ea7e9741c3061b549ff86\Admin@CCJBVTGQ_en-US\System\Process.txt

Filesize
872B

MD5
9d1223ef9147eb3418d722a27bed4933

SHA1
5069d20239e37a72168a0398263fc32b5809c6a2

SHA256
090d0d4af42c483e2523a8cfd9059da9201e48c49c8ed4faff374c3518718d4a

SHA512
0a41af4651dfb5734ed7ed3546be83bae94c2cdbdaae245154bdcfa7e0ce9e6c33e7d0bba0695051c4a42c99a2c6527b87dbc6c9f47b0e88972478c351af84bd

Download Submit
C:\Users\Admin\AppData\Local\d2a705d62e0ea7e9741c3061b549ff86\Admin@CCJBVTGQ_en-US\System\Process.txt

Filesize
436B

MD5
0a361c8884532036e34b96304f669e85

SHA1
34366c09334c8fa0c9b4a8fd4b0069fe51eff12f

SHA256
6d89f24d4866d70cff63c7f039d11659da7dcf772833ad40472d94c7a30bfbb2

SHA512
6f93e7cca80935531e2e75d3e43a82a20d65d6a12bd09ebd48436aca5918504732717ab902fbccf116f09f2dfea8ec8da2f3533e22b42e10a39b0fedb3cfee87

Download Submit
C:\Users\Admin\AppData\Local\d2a705d62e0ea7e9741c3061b549ff86\Admin@CCJBVTGQ_en-US\System\Process.txt

Filesize
654B

MD5
edc773e7d671d8e2b54c7cdf6941cb22

SHA1
bc9b74fee031f21f9a22ae3adc28a6036b7f80ab

SHA256
ac8f102b342964bea34b6aa05b95f7d5e4c1e418fab6bcf9b678c8963f7107a6

SHA512
806ec68008158fb6f61a18dc339e78657c0aa169beaa7bf15b1f657d5e62f70bef76aec52dac120dc5b4e9a637873f3c6f8edd870b426e6c5166b4d89305c5cd

Download Submit
C:\Users\Admin\AppData\Local\d2a705d62e0ea7e9741c3061b549ff86\Admin@CCJBVTGQ_en-US\System\Process.txt

Filesize
1KB

MD5
39645192be18f943bd691a9b2953954a

SHA1
cd6da0c27c0dac513e304057566c33561d1f042d

SHA256
4e214ddf5d48fbdcea1f7b88755e3dea0a7cced91d6ad2aa7d6e00f5de7d52af

SHA512
66261c18f02a7e06778d643e4d9a1976a794f63e28d9ffe1311a2f32bfe8b9a241b7d5e4280ced1579e4f891f5860fafe37d51206f3f6087955bddfa046b4b82

Download Submit
C:\Users\Admin\AppData\Local\d2da26d3a70a87d27609e98d3e0aea54\Admin@CCJBVTGQ_en-US\System\Process.txt

Filesize
675B

MD5
1377becb8fa0a9466375e55b1b02cd7c

SHA1
66570135d9f9ca113690338c66942240a3efd21f

SHA256
b4cb9fbc8c589318a60d139c17f6d0eac14dce1da055877b5bc5c16e243e5848

SHA512
3c1040e376ea13f2b4b199040ca0880ca480ebaec338d544a7b6181fa138b6afc610961f223fc04a030ea551edf20b8b68ec26c01095f87a9e1b31134e91a181

Download Submit
C:\Users\Admin\AppData\Local\d2da26d3a70a87d27609e98d3e0aea54\Admin@CCJBVTGQ_en-US\System\Process.txt

Filesize
2KB

MD5
18f19e7c111f83810ac07fd118cdfec4

SHA1
0414afdb6806d4c1e2a6863f8a45a8a415b04494

SHA256
78c1af0834d4aa9032d7844a2d23e1e45b56b0b28d1f2a15f056c23a0725ef30

SHA512
7931800a4b38aab69866cd02907916f862aad3b6a1c6d808fdb8ac025a9cbef74eb243a43d5eba2c8a778987b823df166863ff1562717d0c45d7c9210ad9eb7e

Download Submit
C:\Users\Admin\AppData\Local\d2da26d3a70a87d27609e98d3e0aea54\Admin@CCJBVTGQ_en-US\System\Process.txt

Filesize
4KB

MD5
b81a289752261ebca93f177945e22b5d

SHA1
5a3c38265ad62435e26f1967ee0997a2a9495683

SHA256
536e01aab23fa93d38328d8bab63ca6826bb7f260a75c5cadf5465c4c361900d

SHA512
6915bd3f583f2ac0b47daf9aab9308a19b4fdffce48c1ea61872313cf5478251944fc98cfade69ee3c042552c88320b31ec837abd4dd68886779e8d8b7c2ceab

Download Submit
C:\Users\Admin\AppData\Local\e01fa2b916e0e1663bda90e6b57169e8\Admin@CCJBVTGQ_en-US\System\Process.txt

Filesize
2KB

MD5
56fd00a394df186adfe21428fa2777a5

SHA1
efec64c23d154a720d5e77cc6dd431bed6d41e74

SHA256
5a0b31f21aee00e2ed11fdfa44fa2196566f1a068ffeba2e5969fe279023e7ea

SHA512
1ea7de8f6609b23ef420ea8afd9fe15caee889249ab2a84d8db4449ccb9cb003cb7737aba64cbf9be6ef15411c9f304fd2f1f5d85516c747dc5e8c86fd08ccfa

Download Submit
C:\Users\Admin\AppData\Local\e01fa2b916e0e1663bda90e6b57169e8\Admin@CCJBVTGQ_en-US\System\Process.txt

Filesize
2KB

MD5
6bb1690a57792fa87c6853948bc058c9

SHA1
b0d5a475bf974682a46bbbb5a1d23c8f4ad22d1c

SHA256
31d156ad0c2f3fc34fc27c28a6fd234be65a4fa5f00be9fcedb4efe0332da640

SHA512
cd1010c36e02be1586baedd777c15a67dc66a7ff60847a4b8926ed8d9c947a395d8ea1d54a540c3fb79de8e42d7a96a2f932476c52f1b81baebe1d993380305e

Download Submit
C:\Users\Admin\AppData\Local\f140b89e9fb8ecd5f8532e5151139f55\Admin@CCJBVTGQ_en-US\System\Process.txt

Filesize
2KB

MD5
3d3cb5fb35671779915b35b732f0926e

SHA1
651ab21e176f4c865c27895957685ba2f4b55792

SHA256
50c093f90cae6ff0080e84b7b848b9ba2b00983e3c515c766510d8df19cad3aa

SHA512
08710649dea6a2c8ee2c893e534c1aec47f92f0ca7ca1d9b8892aae531061c8b51cd6fbda16309e1df563bbba4b2ff972b5bacf0c9b38b48411f9548e063d4a8

Download Submit
C:\Users\Admin\AppData\Local\f140b89e9fb8ecd5f8532e5151139f55\Admin@CCJBVTGQ_en-US\System\Process.txt

Filesize
2KB

MD5
041d6fdae3eef97a468a4d879451d22e

SHA1
0e4b20bc4a325bdd14dc0efb61fc771f4eade999

SHA256
a155006280f8b3be8f552b6eeca972125c45a9de952ae42472424bbefdb42504

SHA512
0e7fa82e5a540b6e7b035b1b40e2782df856a706d06852fd5cca27f8b76c646cc1956571fcedfb7303fb95ee5ed61c53fd9ed2850c8baa933f1394df8894c6fa

Download Submit
C:\Users\Admin\AppData\Local\f140b89e9fb8ecd5f8532e5151139f55\Admin@CCJBVTGQ_en-US\System\Process.txt

Filesize
4KB

MD5
a5a17676ec0460024329e4c1240481c7

SHA1
191039f4a029941eb4142f5461119311c2d9de7f

SHA256
6c0af3e206c4b409b79925ff6724337824fde3c9793319263a223a2eeab43d05

SHA512
f4ba2169cff092da50e8c81152e5b5a4ca835c5cbfe928383f4c15a6236735a9b74c4834996239c20ea0d6c456364a69ac42c6697d54c1b5e49b846339d9dfc0

Download Submit
C:\Users\Admin\AppData\Local\fa1a32e2b7bf99206cb5ee201df5c35f\Admin@CCJBVTGQ_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini

Filesize
282B

MD5
9e36cc3537ee9ee1e3b10fa4e761045b

SHA1
7726f55012e1e26cc762c9982e7c6c54ca7bb303

SHA256
4b9d687ac625690fd026ed4b236dad1cac90ef69e7ad256cc42766a065b50026

SHA512
5f92493c533d3add10b4ce2a364624817ebd10e32daa45ee16593e913073602db5e339430a3f7d2c44abf250e96ca4e679f1f09f8ca807d58a47cf3d5c9c3790

Download Submit
C:\Users\Admin\AppData\Local\fa1a32e2b7bf99206cb5ee201df5c35f\Admin@CCJBVTGQ_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini

Filesize
402B

MD5
ecf88f261853fe08d58e2e903220da14

SHA1
f72807a9e081906654ae196605e681d5938a2e6c

SHA256
cafec240d998e4b6e92ad1329cd417e8e9cbd73157488889fd93a542de4a4844

SHA512
82c1c3dd163fbf7111c7ef5043b009dafc320c0c5e088dec16c835352c5ffb7d03c5829f65a9ff1dc357bae97e8d2f9c3fc1e531fe193e84811fb8c62888a36b

Download Submit
C:\Users\Admin\AppData\Local\fa1a32e2b7bf99206cb5ee201df5c35f\Admin@CCJBVTGQ_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini

Filesize
504B

MD5
29eae335b77f438e05594d86a6ca22ff

SHA1
d62ccc830c249de6b6532381b4c16a5f17f95d89

SHA256
88856962cef670c087eda4e07d8f78465beeabb6143b96bd90f884a80af925b4

SHA512
5d2d05403b39675b9a751c8eed4f86be58cb12431afec56946581cb116b9ae1014ab9334082740be5b4de4a25e190fe76de071ef1b9074186781477919eb3c17

Download Submit
C:\Users\Admin\AppData\Local\fa1a32e2b7bf99206cb5ee201df5c35f\Admin@CCJBVTGQ_en-US\System\Process.txt

Filesize
2KB

MD5
85c2d73eec2b2c8880e5eff6b3a350b9

SHA1
5a11840a432f609c6592a46de6385dd4ab67861c

SHA256
e3bba14e60e1732f6e10b119a9675d9dc1ead08133a9dddbd56c02f10f85c39b

SHA512
d8d396404680aaee541abab8dc8250262cd1abca0dc75904724bcaaeb0efc24355df922c60703c05d2bc3e5260844dbd470c58c3ddc1519d5bfbf2225277a8fa

Download Submit
C:\Windows\directx.sys

Filesize
48B

MD5
bbbf9a9a8a9bb5c0308479ddd4cc6d17

SHA1
b58b87a86105a8c0831b70c6880ae068efbc9ea1

SHA256
536d7b222c62f38e16ac88da98a0b819791d978b251d06ecf1997c52b3a73734

SHA512
18bf3748a8542af82d863028d34368c9cf3cecf955265dacf18d06354e4aa45955186abb09ba0cbc770690c21cd76359fbaad81325340d1762351056658b7b67

Download Submit
C:\Windows\directx.sys

Filesize
48B

MD5
35fbfcca51ec145abb3a3c5fb69d9c23

SHA1
619443ee97b93e4a589985d8228452ae9359db79

SHA256
a4b402e8fefe40e63ab6f84d2a23b5704b4693db49950d1d56de15e9ae7081d7

SHA512
38a1af678be5fc4acefa43fe535c1e11b098d8fa6d7d98277d43c39c59482b89f3688d466685c1d08ecda99fee1eba35dd68524e123402021caada676e69edcc

Download Submit
C:\Windows\directx.sys

Filesize
47B

MD5
757eba23195094c51e306aec3026078a

SHA1
069ec19891cbc2cae9caf48581a8c3b32692fb84

SHA256
59c0b510a50b30de1a2ef741c0c78a672af80af45f4eda48fb86704b9fbc9ff2

SHA512
88cd79f11ae60f84b86d5a17d2f9036f53d90f08617a2e816b2b2e6ac0ab6da9c42ebb87038790b36a574811fc826c43942de55fa2bd7a4f0f0b620fc167cc2b

Download Submit
C:\Windows\directx.sys

Filesize
57B

MD5
c5a564400b816f50669b7169ad4be977

SHA1
6f41b4a8537ae77d9ba2097fca18d4adf8fd3656

SHA256
5ea2c647ebea1ace66d02779c2d7bc6756ca0560a805ed8e2e1fb0f64b28532c

SHA512
0747972526ef4b3aabda5ccaaa1bc3374ded6a8bd67ed2e29771895e7292c23d08ad9651a02c340919ea9b59e89c74cb94aa37be56bdd93b8d3c3e6b2b3460cb

Download Submit
C:\Windows\directx.sys

Filesize
46B

MD5
79765fbdcf92b3b4e0f30e70407daf9f

SHA1
1286cbd1d2f19a13d048af38badc35ae5265f125

SHA256
bfcb3579340d6ee21e721c2f66f904e9943c8a72e3594d2055cf80a98839f4fa

SHA512
946b5a80a7fbf5ac018aa73eb4ea71166886064fefd7422334c3fda79a3c4dc09149f2e73cae6b0c5b4f261d487d1019f1350e4d4384850c990b376b0bb08f92

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
36fd5e09c417c767a952b4609d73a54b

SHA1
299399c5a2403080a5bf67fb46faec210025b36d

SHA256
980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2

SHA512
1813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\SERVER BOT.EXE

Filesize
518KB

MD5
5f043e0db920bdb7fcc024640bffa889

SHA1
5035514399e0a202c8d1f2b13730e939c6be0aba

SHA256
ea024dfb7ea4a70c6b6387a04c23d4c0bfe52c69ca5c493c5391de29ff07d1c2

SHA512
97eb910998c59219030c6f8214549ce0a7ba4a6fcdb47e08f2f00ab87c6c039f6634f59ec7167272c16a656bd317dc58c3b05e608166e233a6ce76404bbb21d7

Download Submit
memory/236-601-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/276-88-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/444-507-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/540-150-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/576-98-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/588-168-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/592-566-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/760-222-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/884-407-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/884-558-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/892-278-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/892-594-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/984-127-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1048-211-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1132-169-0x0000000000140000-0x0000000000180000-memory.dmp

Filesize
256KB

Download
memory/1148-146-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1264-193-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1292-186-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1320-248-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1500-343-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1500-487-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1536-384-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1580-564-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1580-460-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1728-185-0x0000000000960000-0x00000000009A0000-memory.dmp

Filesize
256KB

Download
memory/1764-514-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1816-220-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1940-341-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1944-489-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1952-508-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1964-567-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1980-249-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1996-557-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2036-383-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2044-314-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2100-342-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2120-490-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2172-459-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2180-359-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2272-194-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2364-398-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2560-416-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2568-538-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2580-427-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2580-299-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2584-302-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2588-97-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2616-539-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2708-434-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2720-195-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2744-382-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2756-530-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2764-151-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2780-603-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2792-481-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2792-294-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2820-303-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2868-428-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2876-629-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2916-417-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2924-537-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2924-602-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2952-219-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2988-536-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3000-545-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3060-578-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads