asyncrat | b3168e2d3722135e86a89e98cf1a4818ecc6ba49617ab918651b1fc73cc7aa2c

Analysis

max time kernel
4s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240910-en
resource tags

arch:x64arch:x86image:win10v2004-20240910-enlocale:en-usos:windows10-2004-x64system
submitted
22/09/2024, 17:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Numify v3-Cracked by SpArtOr.exe
Size

1.7MB
MD5

9367e0761d4373058b2393bfef4d6152
SHA1

9dafb96154407397032cc33e1bdc48386b382651
SHA256

b3168e2d3722135e86a89e98cf1a4818ecc6ba49617ab918651b1fc73cc7aa2c
SHA512

a356778004fa607ef38085fb56263bf018f8382e20eef0451f0029dd7bea0d81604e0b575696c89e27f4d6ca04c94a54d028d8979f59cd67caae64b08c4c5172
SSDEEP

12288:M4eMCTWwx/bV8vrzRVRR+4jVPv8SO13uo9RyAA2omknabab8pdHbaZ3VzCOG+40:MLZ8vrzRVRRFjJv8SO1KAA2omNDUGY

Score

10^/10

asyncrat neshta stormkitty default discovery persistence rat spyware stealer

Malware Config

Extracted

Family

asyncrat

Botnet

Default

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

https://api.telegram.org/bot7316545556:AAF208f6iXcWmgOCUF1bXhUor4UkYtN8few/sendMessage?chat_id=7386785734

https://api.telegram.org/bot7423164379:AAFflVsuq0BrKEG_Lh8KPIRPN6rHeW4a7oo/sendMessage?chat_id=7472532856

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Detect Neshta payload 64 IoCs

resource	yara_rule
behavioral2/files/0x000c000000023b6d-4.dat	family_neshta
behavioral2/files/0x0008000000023c12-22.dat	family_neshta
behavioral2/memory/1620-80-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3964-98-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1340-128-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/5000-127-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3764-118-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1980-129-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4324-99-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1976-79-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3296-131-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4872-130-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/files/0x000400000002038b-147.dat	family_neshta
behavioral2/files/0x00010000000202dc-157.dat	family_neshta
behavioral2/memory/4552-196-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2540-195-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1472-212-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/files/0x0002000000020355-209.dat	family_neshta
behavioral2/memory/3488-221-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2316-241-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/624-198-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2900-197-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2880-278-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2668-281-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4084-301-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2000-319-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3896-320-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4872-326-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4276-280-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/files/0x0006000000020275-180.dat	family_neshta
behavioral2/files/0x000100000002026d-156.dat	family_neshta
behavioral2/files/0x000400000002037d-154.dat	family_neshta
behavioral2/files/0x000600000002025a-153.dat	family_neshta
behavioral2/files/0x0006000000020266-152.dat	family_neshta
behavioral2/files/0x000600000002025e-151.dat	family_neshta
behavioral2/files/0x00070000000202c6-150.dat	family_neshta
behavioral2/memory/3532-329-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3644-145-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4036-330-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4280-331-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4384-337-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2740-349-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/404-360-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1724-361-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4896-362-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1904-379-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2744-373-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/684-391-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3260-392-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2372-393-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4056-400-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1972-399-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4004-408-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/5000-407-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2568-419-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2136-430-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4992-431-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1916-437-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2744-445-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3192-439-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3212-456-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1116-457-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4808-460-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4968-459-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 6 IoCs

resource	yara_rule
behavioral2/files/0x000c000000023b6d-4.dat	family_stormkitty
behavioral2/files/0x0008000000023be1-12.dat	family_stormkitty
behavioral2/files/0x0008000000023c13-38.dat	family_stormkitty
behavioral2/files/0x0008000000023c14-56.dat	family_stormkitty
behavioral2/memory/2888-82-0x0000000000AF0000-0x0000000000B30000-memory.dmp	family_stormkitty
behavioral2/memory/4640-78-0x00000000000D0000-0x0000000000110000-memory.dmp	family_stormkitty

Async RAT payload 2 IoCs

rat

resource	yara_rule
behavioral2/files/0x0008000000023c13-38.dat	family_asyncrat
behavioral2/files/0x0008000000023c14-56.dat	family_asyncrat

Checks computer location settings 2 TTPs 21 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	Numify v3-Cracked by SpArtOr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	NUMIFY V3-CRACKED BY SPARTOR.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	NUMIFY~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	SERVER~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	SERVER~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	SERVER~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	SERVER BOT.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	SERVER~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	NUMIFY~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	SERVER~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	NUMIFY~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	SERVER BOT.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	NUMIFY~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	SERVER~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	SERVER~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	NUMIFY V3-CRACKED BY SPARTOR.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	SERVER BOT.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	SERVER~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	SERVER~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	NUMIFY~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	SERVER~1.EXE

Executes dropped EXE 50 IoCs

pid	Process
4968	SERVER BOT.EXE
4808	SERVER BOT.EXE
2588	SERVER BOT.EXE
1976	svchost.com
1620	svchost.com
3964	SERVER~1.EXE
4324	svchost.com
3764	svchost.com
5000	svchost.com
4640	SVCHOST.EXE
4192	SERVER~1.EXE
2888	SYSTEM.EXE
3296	svchost.com
4872	svchost.com
3852	SERVER~1.EXE
3644	svchost.com
1340	svchost.com
3980	SVCHOST.EXE
1980	svchost.com
2540	SERVER~1.EXE
1908	SYSTEM.EXE
2900	svchost.com
4552	svchost.com
1472	svchost.com
624	svchost.com
420	SVCHOST.EXE
3488	SERVER~1.EXE
3084	SYSTEM.EXE
2316	svchost.com
452	SERVER~1.EXE
4276	svchost.com
2880	svchost.com
4084	svchost.com
908	SERVER~1.EXE
3896	SERVER~1.EXE
2668	svchost.com
3268	SVCHOST.EXE
2000	svchost.com
3508	SYSTEM.EXE
4872	svchost.com
2732	SVCHOST.EXE
4036	svchost.com
3532	svchost.com
2168	SYSTEM.EXE
4384	svchost.com
4280	svchost.com
2740	SERVER~1.EXE
3116	SERVER~1.EXE
1724	svchost.com
404	svchost.com

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	SERVER BOT.EXE

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	SERVER BOT.EXE
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	SERVER BOT.EXE
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13195~1.19\MIA062~1.EXE	SERVER BOT.EXE
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE	SERVER BOT.EXE
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	SERVER BOT.EXE
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe	SERVER BOT.EXE
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOF5E2~1.EXE	SERVER BOT.EXE
File opened for modification	C:\PROGRA~2\WINDOW~4\wmprph.exe	SERVER BOT.EXE
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE	SERVER BOT.EXE
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe	SERVER BOT.EXE
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE	SERVER BOT.EXE
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\MicrosoftEdgeUpdate.exe	SERVER BOT.EXE
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE	SERVER BOT.EXE
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\Download\{F3C4F~1\13195~1.19\MICROS~1.EXE	SERVER BOT.EXE
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13195~1.19\MICROS~2.EXE	SERVER BOT.EXE
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	SERVER BOT.EXE
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	SERVER BOT.EXE
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe	SERVER BOT.EXE
File opened for modification	C:\PROGRA~2\WINDOW~2\wabmig.exe	SERVER BOT.EXE
File opened for modification	C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE	SERVER BOT.EXE
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	SERVER BOT.EXE
File opened for modification	C:\PROGRA~3\PACKAG~1\{63880~1\WINDOW~1.EXE	SERVER BOT.EXE
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe	SERVER BOT.EXE
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe	SERVER BOT.EXE
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	SERVER BOT.EXE
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe	SERVER BOT.EXE
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE	SERVER BOT.EXE
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE	SERVER BOT.EXE
File opened for modification	C:\PROGRA~2\WINDOW~4\setup_wm.exe	SERVER BOT.EXE
File opened for modification	C:\PROGRA~2\WINDOW~2\wab.exe	SERVER BOT.EXE
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	SERVER BOT.EXE
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GO664E~1.EXE	SERVER BOT.EXE
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13195~1.19\MI9C33~1.EXE	SERVER BOT.EXE
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpconfig.exe	SERVER BOT.EXE
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13195~1.19\MICROS~3.EXE	SERVER BOT.EXE
File opened for modification	C:\PROGRA~3\PACKAG~1\{D87AE~1\WINDOW~1.EXE	SERVER BOT.EXE
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	SERVER BOT.EXE
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~3.EXE	SERVER BOT.EXE
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE	SERVER BOT.EXE
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE	SERVER BOT.EXE
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	SERVER BOT.EXE
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE	SERVER BOT.EXE
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE	SERVER BOT.EXE
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	SERVER BOT.EXE
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE	SERVER BOT.EXE
File opened for modification	C:\PROGRA~2\INTERN~1\ExtExport.exe	SERVER BOT.EXE
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~4.EXE	SERVER BOT.EXE
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	SERVER BOT.EXE
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	SERVER BOT.EXE
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe	SERVER BOT.EXE
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	SERVER BOT.EXE
File opened for modification	C:\PROGRA~2\WINDOW~4\setup_wm.exe	SERVER BOT.EXE
File opened for modification	C:\PROGRA~2\WI8A19~1\ImagingDevices.exe	SERVER BOT.EXE
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe	SERVER BOT.EXE
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe	SERVER BOT.EXE
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE	SERVER BOT.EXE
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE	SERVER BOT.EXE
File opened for modification	C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe	SERVER BOT.EXE
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF5AF~1\WINDOW~1.EXE	SERVER BOT.EXE
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE	SERVER BOT.EXE
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	SERVER BOT.EXE
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe	SERVER BOT.EXE
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	SERVER BOT.EXE
File opened for modification	C:\PROGRA~2\WINDOW~4\wmlaunch.exe	SERVER BOT.EXE

Drops file in Windows directory 62 IoCs

description	ioc	Process
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	SERVER~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	SERVER~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	SERVER~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	SERVER BOT.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	SERVER BOT.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	SERVER BOT.EXE
File opened for modification	C:\Windows\directx.sys	SERVER~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	SERVER~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	SERVER~1.EXE
File opened for modification	C:\Windows\directx.sys	SERVER~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	SERVER~1.EXE
File opened for modification	C:\Windows\directx.sys	SERVER~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	SERVER~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 14 IoCs

pid	pid_target	Process	procid_target
4464	324	WerFault.exe	173
7108	3980	WerFault.exe	108
6112	5000	WerFault.exe	181
6232	420	WerFault.exe	117
12572	656	Process not Found	1159
12704	10792	Process not Found	1005
13232	13192	Process not Found	1155
12976	8692	Process not Found	792
7948	10068	Process not Found	864
12272	8528	Process not Found	829
13252	7448	Process not Found	709
13964	12052	Process not Found	1034
9932	9152	Process not Found	821
10960	10288	Process not Found	952

System Location Discovery: System Language Discovery 1 TTPs 58 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NUMIFY~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVCHOST.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SERVER BOT.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NUMIFY~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVCHOST.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SERVER~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SERVER~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SERVER BOT.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SERVER~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SYSTEM.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SERVER~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVCHOST.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SERVER~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SYSTEM.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NUMIFY~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NUMIFY~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NUMIFY V3-CRACKED BY SPARTOR.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SERVER~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SERVER~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SYSTEM.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SERVER BOT.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SYSTEM.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SERVER~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SERVER~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVCHOST.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SYSTEM.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NUMIFY~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NUMIFY~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SERVER~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Numify v3-Cracked by SpArtOr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NUMIFY V3-CRACKED BY SPARTOR.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVCHOST.EXE

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 45 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
12688	Process not Found
13716	Process not Found
6844	cmd.exe
5600	netsh.exe
14016	Process not Found
5724	Process not Found
13380	Process not Found
4840	netsh.exe
13156	Process not Found
5076	netsh.exe
7236	cmd.exe
9096	cmd.exe
10220	netsh.exe
12908	Process not Found
7204	Process not Found
6324	cmd.exe
6340	cmd.exe
14220	Process not Found
10740	Process not Found
1372	Process not Found
8632	Process not Found
864	netsh.exe
8172	netsh.exe
10924	Process not Found
5256	Process not Found
5928	netsh.exe
10164	netsh.exe
2860	cmd.exe
5728	netsh.exe
4124	netsh.exe
6828	netsh.exe
5764	cmd.exe
11216	Process not Found
5900	cmd.exe
6236	cmd.exe
7192	netsh.exe
9184	cmd.exe
1148	Process not Found
14080	Process not Found
6968	cmd.exe
1984	cmd.exe
13724	Process not Found
8940	Process not Found
5932	netsh.exe
6480	cmd.exe

Modifies registry class 19 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	SERVER BOT.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings	NUMIFY~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings	NUMIFY~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings	SERVER~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings	SERVER BOT.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings	SERVER~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings	SERVER~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings	SERVER~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings	SERVER~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings	NUMIFY V3-CRACKED BY SPARTOR.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings	SERVER~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings	SERVER~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings	NUMIFY~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings	NUMIFY~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings	SERVER~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings	SERVER BOT.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings	SERVER~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings	NUMIFY~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings	SERVER~1.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
11512	Process not Found
13448	Process not Found
14120	Process not Found
4404	Process not Found
9204	Process not Found
13464	Process not Found
14308	Process not Found
12156	Process not Found
14096	Process not Found
11064	Process not Found
12468	Process not Found
13508	Process not Found
14244	Process not Found
14024	Process not Found
13572	Process not Found
13656	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2020 wrote to memory of 452	2020	Numify v3-Cracked by SpArtOr.exe	121
PID 2020 wrote to memory of 452	2020	Numify v3-Cracked by SpArtOr.exe	121
PID 2020 wrote to memory of 452	2020	Numify v3-Cracked by SpArtOr.exe	121
PID 2020 wrote to memory of 4968	2020	Numify v3-Cracked by SpArtOr.exe	87
PID 2020 wrote to memory of 4968	2020	Numify v3-Cracked by SpArtOr.exe	87
PID 2020 wrote to memory of 4968	2020	Numify v3-Cracked by SpArtOr.exe	87
PID 452 wrote to memory of 4452	452	NUMIFY V3-CRACKED BY SPARTOR.EXE	88
PID 452 wrote to memory of 4452	452	NUMIFY V3-CRACKED BY SPARTOR.EXE	88
PID 452 wrote to memory of 4452	452	NUMIFY V3-CRACKED BY SPARTOR.EXE	88
PID 452 wrote to memory of 4808	452	NUMIFY V3-CRACKED BY SPARTOR.EXE	89
PID 452 wrote to memory of 4808	452	NUMIFY V3-CRACKED BY SPARTOR.EXE	89
PID 452 wrote to memory of 4808	452	NUMIFY V3-CRACKED BY SPARTOR.EXE	89
PID 4968 wrote to memory of 2588	4968	SERVER BOT.EXE	90
PID 4968 wrote to memory of 2588	4968	SERVER BOT.EXE	90
PID 4968 wrote to memory of 2588	4968	SERVER BOT.EXE	90
PID 4452 wrote to memory of 1976	4452	NUMIFY V3-CRACKED BY SPARTOR.EXE	244
PID 4452 wrote to memory of 1976	4452	NUMIFY V3-CRACKED BY SPARTOR.EXE	244
PID 4452 wrote to memory of 1976	4452	NUMIFY V3-CRACKED BY SPARTOR.EXE	244
PID 1976 wrote to memory of 3268	1976	svchost.com	129
PID 1976 wrote to memory of 3268	1976	svchost.com	129
PID 1976 wrote to memory of 3268	1976	svchost.com	129
PID 4452 wrote to memory of 1620	4452	NUMIFY V3-CRACKED BY SPARTOR.EXE	148
PID 4452 wrote to memory of 1620	4452	NUMIFY V3-CRACKED BY SPARTOR.EXE	148
PID 4452 wrote to memory of 1620	4452	NUMIFY V3-CRACKED BY SPARTOR.EXE	148
PID 1620 wrote to memory of 3964	1620	svchost.com	94
PID 1620 wrote to memory of 3964	1620	svchost.com	94
PID 1620 wrote to memory of 3964	1620	svchost.com	94
PID 4808 wrote to memory of 4324	4808	SERVER BOT.EXE	95
PID 4808 wrote to memory of 4324	4808	SERVER BOT.EXE	95
PID 4808 wrote to memory of 4324	4808	SERVER BOT.EXE	95
PID 2588 wrote to memory of 3764	2588	SERVER BOT.EXE	96
PID 2588 wrote to memory of 3764	2588	SERVER BOT.EXE	96
PID 2588 wrote to memory of 3764	2588	SERVER BOT.EXE	96
PID 3764 wrote to memory of 4640	3764	svchost.com	99
PID 3764 wrote to memory of 4640	3764	svchost.com	99
PID 3764 wrote to memory of 4640	3764	svchost.com	99
PID 4324 wrote to memory of 4192	4324	svchost.com	97
PID 4324 wrote to memory of 4192	4324	svchost.com	97
PID 4324 wrote to memory of 4192	4324	svchost.com	97
PID 2588 wrote to memory of 5000	2588	SERVER BOT.EXE	181
PID 2588 wrote to memory of 5000	2588	SERVER BOT.EXE	181
PID 2588 wrote to memory of 5000	2588	SERVER BOT.EXE	181
PID 5000 wrote to memory of 2888	5000	svchost.com	100
PID 5000 wrote to memory of 2888	5000	svchost.com	100
PID 5000 wrote to memory of 2888	5000	svchost.com	100
PID 3964 wrote to memory of 3296	3964	SERVER~1.EXE	210
PID 3964 wrote to memory of 3296	3964	SERVER~1.EXE	210
PID 3964 wrote to memory of 3296	3964	SERVER~1.EXE	210
PID 3268 wrote to memory of 4872	3268	NUMIFY~1.EXE	278
PID 3268 wrote to memory of 4872	3268	NUMIFY~1.EXE	278
PID 3268 wrote to memory of 4872	3268	NUMIFY~1.EXE	278
PID 4872 wrote to memory of 2188	4872	svchost.com	104
PID 4872 wrote to memory of 2188	4872	svchost.com	104
PID 4872 wrote to memory of 2188	4872	svchost.com	104
PID 3296 wrote to memory of 3852	3296	svchost.com	103
PID 3296 wrote to memory of 3852	3296	svchost.com	103
PID 3296 wrote to memory of 3852	3296	svchost.com	103
PID 3268 wrote to memory of 3644	3268	NUMIFY~1.EXE	192
PID 3268 wrote to memory of 3644	3268	NUMIFY~1.EXE	192
PID 3268 wrote to memory of 3644	3268	NUMIFY~1.EXE	192
PID 4192 wrote to memory of 1340	4192	SERVER~1.EXE	297
PID 4192 wrote to memory of 1340	4192	SERVER~1.EXE	297
PID 4192 wrote to memory of 1340	4192	SERVER~1.EXE	297
PID 1340 wrote to memory of 3980	1340	svchost.com	108

C:\Users\Admin\AppData\Local\Temp\Numify v3-Cracked by SpArtOr.exe
"C:\Users\Admin\AppData\Local\Temp\Numify v3-Cracked by SpArtOr.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2020
- C:\Users\Admin\AppData\Local\Temp\NUMIFY V3-CRACKED BY SPARTOR.EXE
  "C:\Users\Admin\AppData\Local\Temp\NUMIFY V3-CRACKED BY SPARTOR.EXE"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:452
- - C:\Users\Admin\AppData\Local\Temp\NUMIFY V3-CRACKED BY SPARTOR.EXE
    "C:\Users\Admin\AppData\Local\Temp\NUMIFY V3-CRACKED BY SPARTOR.EXE"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4452
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1976
    - - C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        5⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3268
      - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        6⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4872
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        7⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2188
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        8⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2900
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        9⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1436
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        10⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4276
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        11⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4056
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        12⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4036
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        13⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4404
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        14⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1724
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:324
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        16⤵
        
        PID:2372
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        17⤵
        
        PID:964
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        18⤵
        
        PID:2568
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        19⤵
        
        PID:4856
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        20⤵
        
        PID:3212
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        21⤵
        
        PID:3428
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        22⤵
        
        PID:2248
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        23⤵
        
        PID:552
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        24⤵
        
        PID:4128
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        25⤵
        
        PID:4132
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        26⤵
        
        PID:2744
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        27⤵
        
        PID:1184
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        28⤵
        
        PID:5192
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        29⤵
        
        PID:5208
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        30⤵
        
        PID:5356
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        31⤵
        
        PID:5384
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        32⤵
        
        PID:5516
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        33⤵
        
        PID:5592
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        34⤵
        
        PID:5724
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        35⤵
        
        PID:5744
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        36⤵
        
        PID:5856
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        37⤵
        
        PID:5900
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        38⤵
        
        PID:6008
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        39⤵
        
        PID:6036
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        40⤵
        
        PID:1404
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        41⤵
        
        PID:1164
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        42⤵
        
        PID:2612
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        43⤵
        
        PID:3116
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        44⤵
        
        PID:5328
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        45⤵
        
        PID:5236
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        46⤵
        
        PID:5424
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        47⤵
        
        PID:5564
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        48⤵
        
        PID:5616
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        49⤵
        
        PID:5600
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        50⤵
        
        PID:5788
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        51⤵
        
        PID:5780
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        52⤵
        
        PID:5896
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        53⤵
        
        PID:5964
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        54⤵
        
        PID:6108
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        55⤵
        
        PID:6140
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        56⤵
        
        PID:5188
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        57⤵
        
        PID:2372
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        58⤵
        
        PID:5216
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        59⤵
        
        PID:5316
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        60⤵
        
        PID:5376
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        61⤵
        
        PID:5148
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        62⤵
        
        PID:5200
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        63⤵
        
        PID:1340
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        64⤵
        
        PID:5736
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        65⤵
        
        PID:5168
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        66⤵
        
        PID:5892
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        67⤵
        
        PID:5804
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        68⤵
        
        PID:2552
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        69⤵
        
        PID:6000
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        70⤵
        
        PID:6040
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        71⤵
        
        PID:6044
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        72⤵
        
        PID:1816
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        73⤵
        
        PID:4768
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        74⤵
        
        PID:2120
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        75⤵
        
        PID:5372
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        76⤵
        
        PID:5544
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        77⤵
        
        PID:5468
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        78⤵
        
        PID:5608
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        79⤵
        
        PID:5348
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        80⤵
        
        PID:5800
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        81⤵
        
        PID:2736
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        82⤵
        
        PID:5772
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        83⤵
        
        PID:5776
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        84⤵
        
        PID:5984
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        85⤵
        
        PID:5944
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        86⤵
        
        PID:5260
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        87⤵
        
        PID:5212
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        88⤵
        
        PID:1816
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        89⤵
        
        PID:5244
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        90⤵
        
        PID:5500
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        91⤵
        
        PID:5224
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        92⤵
        
        PID:5644
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        93⤵
        
        PID:1156
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        94⤵
        
        PID:5660
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        95⤵
        
        PID:5520
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        96⤵
        
        PID:5612
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        97⤵
        
        PID:6416
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        98⤵
        
        PID:6720
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        99⤵
        
        PID:5876
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        100⤵
        
        PID:7068
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        101⤵
        
        PID:5580
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        102⤵
        
        PID:6052
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        103⤵
        
        PID:6588
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        104⤵
        
        PID:6316
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        105⤵
        
        PID:6480
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        106⤵
        
        PID:3484
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        107⤵
        
        PID:5944
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        108⤵
        
        PID:5512
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        109⤵
        
        PID:5272
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        110⤵
        
        PID:6564
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        111⤵
        
        PID:6372
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        112⤵
        
        PID:6444
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        113⤵
        
        PID:7144
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        114⤵
        
        PID:5112
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        115⤵
        
        PID:7036
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        116⤵
        
        PID:5344
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        117⤵
        
        PID:7032
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        118⤵
        
        PID:6316
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        119⤵
        
        PID:5552
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        120⤵
        
        PID:6992
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        121⤵
        
        PID:6784
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        122⤵
        
        PID:5516
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        123⤵
        
        PID:5320
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        124⤵
        
        PID:7532
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        125⤵
        
        PID:7612
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        126⤵
        
        PID:7944
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        127⤵
        
        PID:8024
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        128⤵
        
        PID:7216
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        129⤵
        
        PID:7264
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        130⤵
        
        PID:7200
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        131⤵
        
        PID:5816
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        132⤵
        
        PID:8068
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        133⤵
        
        PID:7788
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        134⤵
        
        PID:5068
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        135⤵
        
        PID:6512
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        136⤵
        
        PID:7524
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        137⤵
        
        PID:4912
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        138⤵
        
        PID:7836
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        139⤵
        
        PID:8028
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        140⤵
        
        PID:7736
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        141⤵
        
        PID:7572
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        142⤵
        
        PID:5276
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        143⤵
        
        PID:4764
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        144⤵
        
        PID:6836
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        145⤵
        
        PID:3976
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        146⤵
        
        PID:8164
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        147⤵
        
        PID:3288
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        148⤵
        
        PID:6888
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        149⤵
        
        PID:2268
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        150⤵
        
        PID:7840
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        151⤵
        
        PID:6452
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        152⤵
        
        PID:6024
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        153⤵
        
        PID:5512
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        154⤵
        
        PID:6536
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        155⤵
        
        PID:8172
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        156⤵
        
        PID:5764
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        157⤵
        
        PID:5068
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        158⤵
        
        PID:8412
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        159⤵
        
        PID:8492
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        160⤵
        
        PID:8848
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        161⤵
        
        PID:8900
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        162⤵
        
        PID:8476
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        163⤵
        
        PID:8528
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        164⤵
        
        PID:8220
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        165⤵
        
        PID:8432
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        166⤵
        
        PID:9160
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        167⤵
        
        PID:9132
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        168⤵
        
        PID:8500
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        169⤵
        
        PID:4212
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        170⤵
        
        PID:8612
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        171⤵
        
        PID:8800
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        172⤵
        
        PID:9512
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        173⤵
        
        PID:9552
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        174⤵
        
        PID:9800
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        175⤵
        
        PID:9840
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        176⤵
        
        PID:9344
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        177⤵
        
        PID:9380
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        178⤵
        
        PID:9624
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        179⤵
        
        PID:9936
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        180⤵
        
        PID:8244
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        181⤵
        
        PID:7596
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        182⤵
        
        PID:9712
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        183⤵
        
        PID:9828
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        184⤵
        
        PID:8516
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        185⤵
        
        PID:9960
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        186⤵
        
        PID:9996
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        187⤵
        
        PID:9824
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        188⤵
        
        PID:5716
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        189⤵
        
        PID:9368
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        190⤵
        
        PID:10580
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        191⤵
        
        PID:10628
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        192⤵
        
        PID:10924
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        193⤵
        
        PID:10980
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        194⤵
        
        PID:9908
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        195⤵
        
        PID:10028
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        196⤵
        
        PID:11204
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        197⤵
        
        PID:11256
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        198⤵
        
        PID:9888
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        199⤵
        
        PID:10800
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        200⤵
        
        PID:11248
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        201⤵
        
        PID:10364
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        202⤵
        
        PID:10256
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        203⤵
        
        PID:10956
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        204⤵
        
        PID:8400
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        205⤵
        
        PID:10416
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        206⤵
        
        PID:11176
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        207⤵
        
        PID:4212
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        208⤵
        
        PID:9284
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        209⤵
        
        PID:10952
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        210⤵
        
        PID:3300
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        211⤵
        
        PID:10028
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        212⤵
        
        PID:11356
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        213⤵
        
        PID:11460
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        214⤵
        
        PID:11968
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        215⤵
        
        PID:12016
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        216⤵
        
        PID:5304
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        217⤵
        
        PID:11272
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        218⤵
        
        PID:12128
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        219⤵
        
        PID:12108
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        220⤵
        
        PID:12232
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        221⤵
        
        PID:12152
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        222⤵
        
        PID:11728
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        223⤵
        
        PID:11356
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        224⤵
        
        PID:10840
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        225⤵
        
        PID:10572
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        226⤵
        
        PID:12060
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        227⤵
        
        PID:11752
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        228⤵
        
        PID:11416
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        229⤵
        
        PID:8520
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        230⤵
        
        PID:9740
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        231⤵
        
        PID:6704
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        232⤵
        
        PID:11512
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        233⤵
        
        PID:5892
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        234⤵
        
        PID:11596
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        235⤵
        
        PID:6184
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        236⤵
        
        PID:12648
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        237⤵
        
        PID:12700
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        238⤵
        
        PID:12844
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        239⤵
        
        PID:12808
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE"
        240⤵
        
        PID:12720
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\NUMIFY~1.EXE
        241⤵
        
        PID:12924
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        240⤵
        
        PID:12948
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        241⤵
        
        PID:12796
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        238⤵
        
        PID:12432
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        239⤵
        
        PID:10832
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        240⤵
        
        PID:13212
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        241⤵
        
        PID:12448
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        240⤵
        
        PID:12364
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        236⤵
        
        PID:12904
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        237⤵
        
        PID:6368
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        238⤵
        
        PID:5144
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        239⤵
        
        PID:7064
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        238⤵
        
        PID:9700
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        239⤵
        
        PID:8196
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        234⤵
        
        PID:11552
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        235⤵
        
        PID:12336
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        236⤵
        
        PID:12860
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        237⤵
        
        PID:12956
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        236⤵
        
        PID:13060
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        237⤵
        
        PID:12444
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        232⤵
        
        PID:8852
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        233⤵
        
        PID:7948
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        234⤵
        
        PID:12304
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        235⤵
        
        PID:12420
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        234⤵
        
        PID:12344
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        235⤵
        
        PID:12388
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        230⤵
        
        PID:10872
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        231⤵
        
        PID:10560
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        232⤵
        
        PID:12148
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        233⤵
        
        PID:11376
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        232⤵
        
        PID:6412
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        233⤵
        
        PID:10840
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        228⤵
        
        PID:10916
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        229⤵
        
        PID:8620
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        230⤵
        
        PID:11728
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        231⤵
        
        PID:11544
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        230⤵
        
        PID:8736
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        231⤵
        
        PID:11568
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        226⤵
        
        PID:11620
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        227⤵
        
        PID:8804
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        228⤵
        
        PID:12096
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        229⤵
        
        PID:9908
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        228⤵
        
        PID:11008
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        229⤵
        
        PID:11148
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        224⤵
        
        PID:11716
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        225⤵
        
        PID:9908
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        226⤵
        
        PID:11988
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        227⤵
        
        PID:11604
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        226⤵
        
        PID:11520
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        227⤵
        
        PID:11736
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        222⤵
        
        PID:11952
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        223⤵
        
        PID:11332
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        224⤵
        
        PID:10440
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        225⤵
        
        PID:12280
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        224⤵
        
        PID:11292
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        225⤵
        
        PID:8816
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        220⤵
        
        PID:11268
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        221⤵
        
        PID:5400
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        222⤵
        
        PID:11764
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        223⤵
        
        PID:11436
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        222⤵
        
        PID:11936
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        223⤵
        
        PID:10984
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        218⤵
        
        PID:11420
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        219⤵
        
        PID:12092
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        220⤵
        
        PID:10756
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        221⤵
        
        PID:9624
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        220⤵
        
        PID:11416
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        221⤵
        
        PID:8560
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        216⤵
        
        PID:11008
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        217⤵
        
        PID:8836
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        218⤵
        
        PID:11724
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        219⤵
        
        PID:11888
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        218⤵
        
        PID:11428
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        219⤵
        
        PID:12040
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        214⤵
        
        PID:12068
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        215⤵
        
        PID:12144
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        216⤵
        
        PID:10440
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        217⤵
        
        PID:10528
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        216⤵
        
        PID:10756
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        217⤵
        
        PID:3300
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        212⤵
        
        PID:11380
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        213⤵
        
        PID:11420
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        214⤵
        
        PID:11980
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        215⤵
        
        PID:12052
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        214⤵
        
        PID:12060
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        215⤵
        
        PID:12116
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        210⤵
        
        PID:11092
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        211⤵
        
        PID:10332
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        212⤵
        
        PID:11428
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        213⤵
        
        PID:11528
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        212⤵
        
        PID:11480
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        213⤵
        
        PID:11556
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        208⤵
        
        PID:10896
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        209⤵
        
        PID:10788
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        210⤵
        
        PID:8836
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        211⤵
        
        PID:9164
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        210⤵
        
        PID:10488
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        211⤵
        
        PID:2628
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        206⤵
        
        PID:10656
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        207⤵
        
        PID:10724
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        208⤵
        
        PID:9624
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        209⤵
        
        PID:5828
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        208⤵
        
        PID:10920
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        209⤵
        
        PID:11080
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        204⤵
        
        PID:10752
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        205⤵
        
        PID:11008
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        206⤵
        
        PID:5264
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        207⤵
        
        PID:10204
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        206⤵
        
        PID:10028
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        207⤵
        
        PID:10792
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        202⤵
        
        PID:10724
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        203⤵
        
        PID:10740
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        204⤵
        
        PID:10516
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        205⤵
        
        PID:3388
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        204⤵
        
        PID:9928
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        205⤵
        
        PID:9328
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        200⤵
        
        PID:10360
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        201⤵
        
        PID:10264
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        202⤵
        
        PID:10720
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        203⤵
        
        PID:11172
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        202⤵
        
        PID:9724
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        203⤵
        
        PID:10976
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        198⤵
        
        PID:10428
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        199⤵
        
        PID:11016
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        200⤵
        
        PID:11000
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        201⤵
        
        PID:10672
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        200⤵
        
        PID:9852
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        201⤵
        
        PID:11136
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        196⤵
        
        PID:5364
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        197⤵
        
        PID:7240
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        198⤵
        
        PID:10416
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        199⤵
        
        PID:10268
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        198⤵
        
        PID:6960
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        199⤵
        
        PID:11164
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        194⤵
        
        PID:10380
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        195⤵
        
        PID:9720
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        196⤵
        
        PID:1056
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        197⤵
        
        PID:10780
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        196⤵
        
        PID:10928
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        197⤵
        
        PID:6804
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        192⤵
        
        PID:11004
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        193⤵
        
        PID:5828
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        194⤵
        
        PID:10616
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        195⤵
        
        PID:9916
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        194⤵
        
        PID:9620
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        195⤵
        
        PID:10716
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        190⤵
        
        PID:10652
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        191⤵
        
        PID:10836
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        192⤵
        
        PID:10224
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        193⤵
        
        PID:9220
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        192⤵
        
        PID:8400
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        193⤵
        
        PID:10288
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        188⤵
        
        PID:9620
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        189⤵
        
        PID:9656
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        190⤵
        
        PID:10668
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        191⤵
        
        PID:10728
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        190⤵
        
        PID:10736
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        191⤵
        
        PID:10804
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        186⤵
        
        PID:6960
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        187⤵
        
        PID:9888
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        188⤵
        
        PID:10252
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        189⤵
        
        PID:10312
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        188⤵
        
        PID:10480
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        189⤵
        
        PID:10548
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        184⤵
        
        PID:7580
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        185⤵
        
        PID:10056
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        186⤵
        
        PID:8304
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        187⤵
        
        PID:9796
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        186⤵
        
        PID:8172
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        187⤵
        
        PID:9832
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        182⤵
        
        PID:9704
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        183⤵
        
        PID:7400
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        184⤵
        
        PID:9776
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        185⤵
        
        PID:6552
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        184⤵
        
        PID:9220
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        185⤵
        
        PID:7480
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        180⤵
        
        PID:8276
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        181⤵
        
        PID:10044
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        182⤵
        
        PID:9900
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        183⤵
        
        PID:9868
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        182⤵
        
        PID:9940
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        183⤵
        
        PID:9588
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        178⤵
        
        PID:9612
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        179⤵
        
        PID:9772
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        180⤵
        
        PID:9924
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        181⤵
        
        PID:1504
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        180⤵
        
        PID:9984
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        181⤵
        
        PID:9244
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        176⤵
        
        PID:8960
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        177⤵
        
        PID:9392
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        178⤵
        
        PID:10000
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        179⤵
        
        PID:9788
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        178⤵
        
        PID:10004
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        179⤵
        
        PID:10180
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        174⤵
        
        PID:9868
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        175⤵
        
        PID:9948
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        176⤵
        
        PID:9360
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        177⤵
        
        PID:9388
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        176⤵
        
        PID:7228
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        177⤵
        
        PID:9564
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        172⤵
        
        PID:9620
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        173⤵
        
        PID:9668
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        174⤵
        
        PID:9920
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        175⤵
        
        PID:10008
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        174⤵
        
        PID:10020
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        175⤵
        
        PID:10068
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        170⤵
        
        PID:2448
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        171⤵
        
        PID:8288
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        172⤵
        
        PID:9252
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        173⤵
        
        PID:9316
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        172⤵
        
        PID:9324
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        173⤵
        
        PID:9436
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        168⤵
        
        PID:6552
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        169⤵
        
        PID:8536
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        170⤵
        
        PID:8792
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        171⤵
        
        PID:8380
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        170⤵
        
        PID:6400
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        171⤵
        
        PID:8404
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        166⤵
        
        PID:8968
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        167⤵
        
        PID:9020
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        168⤵
        
        PID:8288
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        169⤵
        
        PID:8528
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        168⤵
        
        PID:9080
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        169⤵
        
        PID:2552
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        164⤵
        
        PID:8540
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        165⤵
        
        PID:8876
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        166⤵
        
        PID:5484
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        167⤵
        
        PID:8232
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        166⤵
        
        PID:9164
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        167⤵
        
        PID:9152
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        162⤵
        
        PID:8256
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        163⤵
        
        PID:8824
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        164⤵
        
        PID:388
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        165⤵
        
        PID:8648
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        164⤵
        
        PID:8304
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        165⤵
        
        PID:8668
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        160⤵
        
        PID:8872
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        161⤵
        
        PID:8984
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        162⤵
        
        PID:8792
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        163⤵
        
        PID:8956
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        162⤵
        
        PID:9124
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        163⤵
        
        PID:8916
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        158⤵
        
        PID:8452
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        159⤵
        
        PID:8624
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        160⤵
        
        PID:9016
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        161⤵
        
        PID:5512
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        160⤵
        
        PID:9048
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        161⤵
        
        PID:7236
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        156⤵
        
        PID:6552
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        157⤵
        
        PID:8196
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        158⤵
        
        PID:8500
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        159⤵
        
        PID:8548
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        158⤵
        
        PID:8644
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        159⤵
        
        PID:8692
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        154⤵
        
        PID:7400
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        155⤵
        
        PID:6888
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        156⤵
        
        PID:4408
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        157⤵
        
        PID:8248
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        156⤵
        
        PID:6536
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        157⤵
        
        PID:8340
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        152⤵
        
        PID:5580
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        153⤵
        
        PID:5716
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        154⤵
        
        PID:316
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        155⤵
        
        PID:6676
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        154⤵
        
        PID:6552
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        155⤵
        
        PID:216
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        150⤵
        
        PID:7364
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        151⤵
        
        PID:6836
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        152⤵
        
        PID:7968
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        153⤵
        
        PID:784
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        152⤵
        
        PID:6480
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        153⤵
        
        PID:5360
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        148⤵
        
        PID:796
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        149⤵
        
        PID:7072
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        150⤵
        
        PID:6236
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        151⤵
        
        PID:7932
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        150⤵
        
        PID:5400
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        151⤵
        
        PID:6168
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        146⤵
        
        PID:5204
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        147⤵
        
        PID:5580
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        148⤵
        
        PID:4940
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        149⤵
        
        PID:1808
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        148⤵
        
        PID:1584
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        149⤵
        
        PID:7640
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        144⤵
        
        PID:8096
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        145⤵
        
        PID:1904
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        146⤵
        
        PID:5904
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        147⤵
        
        PID:7352
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        146⤵
        
        PID:8148
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        147⤵
        
        PID:8136
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        142⤵
        
        PID:3584
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        143⤵
        
        PID:7588
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        144⤵
        
        PID:7352
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        145⤵
        
        PID:7104
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        144⤵
        
        PID:7564
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        145⤵
        
        PID:7420
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        140⤵
        
        PID:7172
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        141⤵
        
        PID:2900
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        142⤵
        
        PID:7488
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        143⤵
        
        PID:5872
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        142⤵
        
        PID:1164
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        143⤵
        
        PID:6396
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        138⤵
        
        PID:8136
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        139⤵
        
        PID:6444
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        140⤵
        
        PID:7072
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        141⤵
        
        PID:7448
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        140⤵
        
        PID:7812
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        141⤵
        
        PID:5676
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        136⤵
        
        PID:2328
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        137⤵
        
        PID:8132
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        138⤵
        
        PID:6452
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        139⤵
        
        PID:7148
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        138⤵
        
        PID:1164
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        139⤵
        
        PID:4360
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        134⤵
        
        PID:7588
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        135⤵
        
        PID:7584
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        136⤵
        
        PID:7016
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        137⤵
        
        PID:7700
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        136⤵
        
        PID:6152
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        137⤵
        
        PID:6208
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        132⤵
        
        PID:7504
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        133⤵
        
        PID:6276
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE"
        134⤵
        
        PID:7896
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        135⤵
        
        PID:7724
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        136⤵
        
        PID:6236
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        137⤵
        
        PID:7656
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        136⤵
        
        PID:5728
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        137⤵
        
        PID:4604
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        130⤵
        
        PID:7756
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        131⤵
        
        PID:8096
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE"
        132⤵
        
        PID:7572
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        133⤵
        
        PID:8144
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        134⤵
        
        PID:6812
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        135⤵
        
        PID:6688
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        134⤵
        
        PID:5860
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        135⤵
        
        PID:3988
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        128⤵
        
        PID:5360
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        129⤵
        
        PID:6788
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE"
        130⤵
        
        PID:8104
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        131⤵
        
        PID:7524
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        132⤵
        
        PID:7672
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        133⤵
        
        PID:7548
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        132⤵
        
        PID:1588
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        133⤵
        
        PID:3448
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        126⤵
        
        PID:8032
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        127⤵
        
        PID:8112
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE"
        128⤵
        
        PID:4184
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        129⤵
        
        PID:7596
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        130⤵
        
        PID:6812
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        131⤵
        
        PID:5564
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        130⤵
        
        PID:7532
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        131⤵
        
        PID:5340
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        124⤵
        
        PID:7672
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        125⤵
        
        PID:7812
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE"
        126⤵
        
        PID:6688
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        127⤵
        
        PID:2272
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        128⤵
        
        PID:7584
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        129⤵
        
        PID:4660
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        128⤵
        
        PID:6368
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        129⤵
        
        PID:7872
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        122⤵
        
        PID:3448
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        123⤵
        
        PID:6224
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE"
        124⤵
        
        PID:7680
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        125⤵
        
        PID:7740
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        126⤵
        
        PID:6888
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        127⤵
        
        PID:6740
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        126⤵
        
        PID:5196
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        127⤵
        
        PID:5056
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        120⤵
        
        PID:4532
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        121⤵
        
        PID:6888
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE"
        122⤵
        
        PID:6612
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        123⤵
        
        PID:6788
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        124⤵
        
        PID:7580
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        125⤵
        
        PID:7664
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        124⤵
        
        PID:7764
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        125⤵
        
        PID:7916
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        118⤵
        
        PID:5620
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        119⤵
        
        PID:6156
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE"
        120⤵
        
        PID:1396
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        121⤵
        
        PID:6208
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        122⤵
        
        PID:6552
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        123⤵
        
        PID:5188
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        122⤵
        
        PID:5724
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        123⤵
        
        PID:7312
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        116⤵
        
        PID:1828
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        117⤵
        
        PID:6152
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE"
        118⤵
        
        PID:632
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        119⤵
        
        PID:6804
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        120⤵
        
        PID:3356
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        121⤵
        
        PID:1984
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        120⤵
        
        PID:5204
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        121⤵
        
        PID:7144
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        114⤵
        
        PID:4544
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        115⤵
        
        PID:7016
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE"
        116⤵
        
        PID:5392
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        117⤵
        
        PID:5920
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        118⤵
        
        PID:5968
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        119⤵
        
        PID:6560
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        118⤵
        
        PID:4784
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        119⤵
        
        PID:5720
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        112⤵
        
        PID:2528
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        113⤵
        
        PID:2864
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE"
        114⤵
        
        PID:6364
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        115⤵
        
        PID:5416
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        116⤵
        
        PID:6548
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        117⤵
        
        PID:6508
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        116⤵
        
        PID:1948
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        117⤵
        
        PID:7108
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        110⤵
        
        PID:6472
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        111⤵
        
        PID:6824
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE"
        112⤵
        
        PID:6288
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        113⤵
        
        PID:5856
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        114⤵
        
        PID:5816
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        115⤵
        
        PID:2304
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        114⤵
        
        PID:1604
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        115⤵
        
        PID:5072
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        108⤵
        
        PID:6568
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        109⤵
        
        PID:7072
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE"
        110⤵
        
        PID:5384
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        111⤵
        
        PID:6836
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        112⤵
        
        PID:324
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        113⤵
        
        PID:6908
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        112⤵
        
        PID:6540
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        113⤵
        
        PID:7028
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        106⤵
        
        PID:6964
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        107⤵
        
        PID:3388
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE"
        108⤵
        
        PID:5624
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        109⤵
        
        PID:2940
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        110⤵
        
        PID:7036
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        111⤵
        
        PID:4548
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        110⤵
        
        PID:1328
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        111⤵
        
        PID:5032
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        104⤵
        
        PID:7016
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        105⤵
        
        PID:5128
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE"
        106⤵
        
        PID:6292
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        107⤵
        
        PID:4668
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        108⤵
        
        PID:3016
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        109⤵
        
        PID:6072
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        108⤵
        
        PID:3624
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        109⤵
        
        PID:3724
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        102⤵
        
        PID:5668
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        103⤵
        
        PID:5772
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE"
        104⤵
        
        PID:4544
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        105⤵
        
        PID:5508
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        106⤵
        
        PID:7080
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        107⤵
        
        PID:5352
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        106⤵
        
        PID:5924
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        107⤵
        
        PID:5652
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        100⤵
        
        PID:7088
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        101⤵
        
        PID:6096
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE"
        102⤵
        
        PID:7104
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        103⤵
        
        PID:6032
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        104⤵
        
        PID:2736
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        105⤵
        
        PID:6272
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        104⤵
        
        PID:7040
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        105⤵
        
        PID:2576
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        98⤵
        
        PID:5616
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        99⤵
        
        PID:5232
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE"
        100⤵
        
        PID:3016
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        101⤵
        
        PID:5820
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        102⤵
        
        PID:2744
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        103⤵
        
        PID:5704
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        102⤵
        
        PID:1184
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        103⤵
        
        PID:5628
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        104⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:9096
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        105⤵
        
        PID:9716
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        105⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:10220
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        105⤵
        
        PID:9228
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        104⤵
        
        PID:10056
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        105⤵
        
        PID:10204
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        105⤵
        
        PID:6104
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        96⤵
        
        PID:5688
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        97⤵
        
        PID:5252
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE"
        98⤵
        
        PID:1352
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        99⤵
        
        PID:7004
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        100⤵
        
        PID:6452
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        101⤵
        
        PID:404
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        100⤵
        
        PID:6888
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        101⤵
        
        PID:5220
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        94⤵
        
        PID:4044
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        95⤵
        
        PID:5516
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE"
        96⤵
        
        PID:7036
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        97⤵
        
        PID:6624
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        98⤵
        
        PID:6496
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        99⤵
        
        PID:6932
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        98⤵
        
        PID:5688
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        99⤵
        
        PID:6648
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        92⤵
        
        PID:5236
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        93⤵
        
        PID:2080
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE"
        94⤵
        
        PID:5632
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        90⤵
        
        PID:5456
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        91⤵
        
        PID:5464
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE"
        92⤵
        
        PID:5612
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        88⤵
        
        PID:5276
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        89⤵
        
        PID:2372
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE"
        90⤵
        
        PID:5288
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        86⤵
        
        PID:2860
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        87⤵
        
        PID:2428
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE"
        88⤵
        
        PID:4896
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        84⤵
        
        PID:6016
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        85⤵
        
        PID:5648
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE"
        86⤵
        
        PID:5112
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        82⤵
        
        PID:5836
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        83⤵
        
        PID:5964
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE"
        84⤵
        
        PID:6108
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        80⤵
        
        PID:5768
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        81⤵
        
        PID:5740
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE"
        82⤵
        
        PID:5960
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        78⤵
        
        PID:5632
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        79⤵
        
        PID:5548
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE"
        80⤵
        
        PID:5652
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        76⤵
        
        PID:5424
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        77⤵
        
        PID:5444
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE"
        78⤵
        
        PID:5696
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        74⤵
        
        PID:5500
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        75⤵
        
        PID:5440
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE"
        76⤵
        
        PID:5448
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        72⤵
        
        PID:3116
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        73⤵
        
        PID:5220
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE"
        74⤵
        
        PID:4004
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        70⤵
        
        PID:6100
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        71⤵
        
        PID:5320
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE"
        72⤵
        
        PID:2860
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        68⤵
        
        PID:5984
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        69⤵
        
        PID:5980
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE"
        70⤵
        
        PID:2112
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        66⤵
        
        PID:5732
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        67⤵
        
        PID:6092
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE"
        68⤵
        
        PID:6068
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        64⤵
        
        PID:5800
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        65⤵
        
        PID:5752
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE"
        66⤵
        
        PID:5748
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        62⤵
        
        PID:5712
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        63⤵
        
        PID:5696
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE"
        64⤵
        
        PID:5516
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        60⤵
        
        PID:5496
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        61⤵
        
        PID:5480
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE"
        62⤵
        
        PID:5628
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        58⤵
        
        PID:2900
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        59⤵
        
        PID:5484
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE"
        60⤵
        
        PID:5440
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        56⤵
        
        PID:1816
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        57⤵
        
        PID:5264
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE"
        58⤵
        
        PID:5240
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        54⤵
        
        PID:4872
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        55⤵
        
        PID:6104
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE"
        56⤵
        
        PID:5320
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        52⤵
        
        PID:6000
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        53⤵
        
        PID:5968
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE"
        54⤵
        
        PID:6068
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        50⤵
        
        PID:5776
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        51⤵
        
        PID:5792
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE"
        52⤵
        
        PID:6052
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        48⤵
        
        PID:5516
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        49⤵
        
        PID:5652
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE"
        50⤵
        
        PID:5848
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        46⤵
        
        PID:5384
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        47⤵
        
        PID:5540
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE"
        48⤵
        
        PID:4600
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        44⤵
        
        PID:5408
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        45⤵
        
        PID:5428
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE"
        46⤵
        
        PID:5224
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        42⤵
        
        PID:5216
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        43⤵
        
        PID:5272
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE"
        44⤵
        
        PID:2120
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        40⤵
        
        PID:3756
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        41⤵
        
        PID:1976
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE"
        42⤵
        
        PID:5364
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        38⤵
        
        PID:6024
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        39⤵
        
        PID:6064
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE"
        40⤵
        
        PID:4404
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        36⤵
        
        PID:5932
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        37⤵
        
        PID:5948
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE"
        38⤵
        
        PID:6052
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        34⤵
        
        PID:5732
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        35⤵
        
        PID:5764
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE"
        36⤵
        
        PID:5864
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        32⤵
        
        PID:5536
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        33⤵
        
        PID:5548
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE"
        34⤵
        
        PID:5680
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        30⤵
        
        PID:5396
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        31⤵
        
        PID:5432
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE"
        32⤵
        
        PID:5528
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        28⤵
        
        PID:5216
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        29⤵
        
        PID:5244
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE"
        30⤵
        
        PID:5364
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        26⤵
        
        PID:468
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        27⤵
        
        PID:3296
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE"
        28⤵
        
        PID:6980
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        29⤵
        
        PID:6872
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        30⤵
        
        PID:6816
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        31⤵
        
        PID:6332
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        30⤵
        
        PID:6300
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        31⤵
        
        PID:6904
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        24⤵
        
        PID:4468
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        25⤵
        
        PID:656
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE"
        26⤵
        
        PID:4404
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        22⤵
        
        PID:4404
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        23⤵
        
        PID:860
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE"
        24⤵
        
        PID:408
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        25⤵
        
        PID:5052
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        26⤵
        
        PID:2428
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        27⤵
        
        PID:408
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        26⤵
        
        PID:1340
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        27⤵
        
        PID:996
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        20⤵
        
        PID:1116
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        21⤵
        
        PID:4768
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE"
        22⤵
        
        PID:5084
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        23⤵
        
        PID:1632
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        24⤵
        
        PID:3644
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        25⤵
        
        PID:3492
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        26⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:6324
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        27⤵
        
        PID:6024
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        27⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:864
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        27⤵
        
        PID:632
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        26⤵
        
        PID:5384
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        27⤵
        
        PID:6268
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        27⤵
        
        PID:7136
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        24⤵
        
        PID:964
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        25⤵
        
        PID:4396
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        26⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:6844
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        27⤵
        
        PID:7156
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        27⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:5076
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        27⤵
        
        PID:5256
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        26⤵
        
        PID:7104
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        27⤵
        
        PID:7044
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        27⤵
        
        PID:4572
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        18⤵
        
        PID:4992
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        19⤵
        
        PID:3192
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE"
        20⤵
        
        PID:4944
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        21⤵
        
        PID:1816
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        22⤵
        
        PID:3424
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        23⤵
        
        PID:1028
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        24⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:6968
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        25⤵
        
        PID:6104
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        25⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:5932
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        25⤵
        
        PID:2052
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        24⤵
        
        PID:6120
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        25⤵
        
        PID:7084
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        25⤵
        
        PID:6660
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        22⤵
        
        PID:3164
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        23⤵
        
        PID:372
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        24⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:5764
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        25⤵
        
        PID:6960
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        25⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:4840
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        25⤵
        
        PID:4604
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        24⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        25⤵
        
        PID:5404
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        25⤵
        
        PID:6664
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        16⤵
        
        PID:1972
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        17⤵
        
        PID:5000
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE"
        18⤵
        
        PID:1916
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        19⤵
        
        PID:1340
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        20⤵
        
        PID:3016
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        21⤵
        
        PID:2020
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        20⤵
        
        PID:3296
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        21⤵
        
        PID:5000
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5000 -s 1488
        22⤵
        Program crash
        
        PID:6112
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        14⤵
        
        PID:1904
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        15⤵
        
        PID:684
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE"
        16⤵
        
        PID:4004
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        17⤵
        
        PID:4616
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        18⤵
        
        PID:2136
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        19⤵
        
        PID:4548
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        18⤵
        
        PID:2744
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        19⤵
        
        PID:324
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 324 -s 1556
        20⤵
        Program crash
        
        PID:4464
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        12⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4384
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2740
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE"
        14⤵
        
        PID:2744
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        15⤵
        
        PID:2368
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        16⤵
        
        PID:3260
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        17⤵
        
        PID:1108
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        16⤵
        
        PID:4056
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        17⤵
        
        PID:908
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        18⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:7236
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        19⤵
        
        PID:5700
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        19⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:8172
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        19⤵
        
        PID:5680
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        18⤵
        
        PID:1904
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        19⤵
        
        PID:9180
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        19⤵
        
        PID:8852
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        10⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4084
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3896
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE"
        12⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4280
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        13⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3116
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        14⤵
        Executes dropped EXE
        
        PID:404
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        15⤵
        
        PID:1620
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        14⤵
        
        PID:4896
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        15⤵
        
        PID:1020
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        16⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:6480
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        17⤵
        
        PID:3964
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        17⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:7192
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        17⤵
        
        PID:7236
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        16⤵
        
        PID:5512
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        17⤵
        
        PID:6248
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        17⤵
        
        PID:904
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        8⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1472
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3488
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE"
        10⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2880
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        11⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:908
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        12⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4872
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2732
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        12⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3532
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2168
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        14⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:2860
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        15⤵
        
        PID:5964
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        15⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:5928
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        15⤵
        
        PID:5448
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        14⤵
        
        PID:6820
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        15⤵
        
        PID:6196
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        15⤵
        
        PID:8004
      - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
        6⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3644
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2540
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE"
        8⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2316
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        9⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:452
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        10⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2668
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3268
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        12⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:5900
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        13⤵
        
        PID:5232
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        13⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:5728
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        13⤵
        
        PID:6088
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        12⤵
        
        PID:5928
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        13⤵
        
        PID:7396
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        13⤵
        
        PID:8140
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        10⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2000
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3508
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        12⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:6236
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        13⤵
        
        PID:6164
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        13⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:4124
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        13⤵
        
        PID:5428
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        12⤵
        
        PID:7092
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        13⤵
        
        PID:7268
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        13⤵
        
        PID:6400
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE"
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1620
    - - C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SERVER~1.EXE
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3964
      - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE"
        6⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3296
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        7⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3852
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        8⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4552
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:420
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 420 -s 1032
        10⤵
        Program crash
        
        PID:6232
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:624
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3084
- - C:\Users\Admin\AppData\Local\Temp\SERVER BOT.EXE
    "C:\Users\Admin\AppData\Local\Temp\SERVER BOT.EXE"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4808
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE"
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4324
    - - C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER~1.EXE
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4192
      - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        6⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1340
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3980
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3980 -s 1488
        8⤵
        Program crash
        
        PID:7108
      - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
        6⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1980
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1908
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        8⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:6340
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        9⤵
        
        PID:6596
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        9⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:5600
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        9⤵
        
        PID:6816
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        8⤵
        
        PID:6324
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        9⤵
        
        PID:7440
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        9⤵
        
        PID:7844
- C:\Users\Admin\AppData\Local\Temp\SERVER BOT.EXE
  "C:\Users\Admin\AppData\Local\Temp\SERVER BOT.EXE"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4968
- - C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER BOT.EXE
    "C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER BOT.EXE"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2588
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3764
    - - C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4640
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        6⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:9184
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        7⤵
        
        PID:9736
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        7⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:10164
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        7⤵
        
        PID:10144
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        6⤵
        
        PID:9812
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        7⤵
        
        PID:9976
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        7⤵
        
        PID:10260
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE"
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:5000
    - - C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        
        C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2888
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        6⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:1984
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        7⤵
        
        PID:3980
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        7⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:6828
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        7⤵
        
        PID:3016
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        6⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        7⤵
        
        PID:7324
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        7⤵
        
        PID:7580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 324 -ip 324
1⤵
PID:5348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 420 -ip 420
1⤵
PID:6860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 5000 -ip 5000
1⤵
PID:5320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 3980 -ip 3980
1⤵
PID:6092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1108 -ip 1108
1⤵
PID:4544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4548 -ip 4548
1⤵
PID:5372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE

Filesize
368KB

MD5
a344438de9e499ca3d9038688440f406

SHA1
c961917349de7e9d269f6f4a5593b6b9d3fcd4d2

SHA256
715f6420c423ae4068b25a703d5575f7c147b26e388f0fff1ae20c6abe821557

SHA512
8bf3c621725fddafa6326b057fee9beee95966e43c5fbab40ebaa4a1a64d17acca97a19d0ece10c3574e13e194ff191316871d1d46d4d74ffc0ac3efb403bca9

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE

Filesize
86KB

MD5
3b73078a714bf61d1c19ebc3afc0e454

SHA1
9abeabd74613a2f533e2244c9ee6f967188e4e7e

SHA256
ded54d1fcca07b6bff2bc3b9a1131eac29ff1f836e5d7a7c5c325ec5abe96e29

SHA512
75959d4e8a7649c3268b551a2a378e6d27c0bfb03d2422ebeeb67b0a3f78c079473214057518930f2d72773ce79b106fd2d78405e8e3d8883459dcbb49c163c4

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE

Filesize
5.7MB

MD5
09acdc5bbec5a47e8ae47f4a348541e2

SHA1
658f64967b2a9372c1c0bdd59c6fb2a18301d891

SHA256
1b5c715d71384f043843ea1785a6873a9f39d2daae112ccdeffcd88b10a3a403

SHA512
3867bf98e1a0e253114a98b78b047b0d8282b5abf4aaf836f31cc0e26224e2a1b802c65df9d90dc7696a6dbcb9a8e4b900f1d1299e1b11e36f095ebaf8a2e5b8

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe

Filesize
175KB

MD5
576410de51e63c3b5442540c8fdacbee

SHA1
8de673b679e0fee6e460cbf4f21ab728e41e0973

SHA256
3f00404dd591c2856e6f71bd78423ed47199902e0b85f228e6c4de72c59ddffe

SHA512
f7761f3878775b30cc3d756fa122e74548dfc0a27e38fa4109e34a59a009df333d074bf14a227549ae347605f271be47984c55148685faac479aeb481f7191db

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe

Filesize
9.4MB

MD5
322302633e36360a24252f6291cdfc91

SHA1
238ed62353776c646957efefc0174c545c2afa3d

SHA256
31da9632f5d25806b77b617d48da52a14afc574bbe1653120f97705284ea566c

SHA512
5a1f7c44ce7f5036bffc18ebac39e2bf70e6f35fa252617d665b26448f4c4473adfa115467b7e2d9b7068823e448f74410cdcdfef1ac1c09021e051921787373

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe

Filesize
2.4MB

MD5
8ffc3bdf4a1903d9e28b99d1643fc9c7

SHA1
919ba8594db0ae245a8abd80f9f3698826fc6fe5

SHA256
8268d3fefe8ca96a25a73690d14bacf644170ab5e9e70d2f8eeb350a4c83f9f6

SHA512
0b94ead97374d74eaee87e7614ddd3911d2cf66d4c49abbfd06b02c03e5dd56fd00993b4947e8a4bcd9d891fa39cab18cc6b61efc7d0812e91eb3aea9cd1a427

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE

Filesize
183KB

MD5
9dfcdd1ab508b26917bb2461488d8605

SHA1
4ba6342bcf4942ade05fb12db83da89dc8c56a21

SHA256
ecd5e94da88c653e4c34b6ab325e0aca8824247b290336f75c410caa16381bc5

SHA512
1afc1b95f160333f1ff2fa14b3f22a28ae33850699c6b5498915a8b6bec1cfc40f33cb69583240aa9206bc2ea7ab14e05e071275b836502a92aa8c529fc1b137

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE

Filesize
92KB

MD5
176436d406fd1aabebae353963b3ebcf

SHA1
9ffdfdb8cc832a0c6501c4c0e85b23a0f7eff57a

SHA256
2f947e3ca624ce7373080b4a3934e21644fb070a53feeaae442b15b849c2954f

SHA512
a2d1a714e0c1e5463260c64048ba8fd5064cfa06d4a43d02fc04a30748102ff5ba86d20a08e611e200dc778e2b7b3ae808da48132a05a61aa09ac424a182a06a

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe

Filesize
125KB

MD5
cce8964848413b49f18a44da9cb0a79b

SHA1
0b7452100d400acebb1c1887542f322a92cbd7ae

SHA256
fe44ca8d5050932851aa54c23133277e66db939501af58e5aeb7b67ec1dde7b5

SHA512
bf8fc270229d46a083ced30da6637f3ca510b0ce44624a9b21ec6aacac81666dffd41855053a936aa9e8ea6e745a09b820b506ec7bf1173b6f1837828a35103d

Download Submit
C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE

Filesize
454KB

MD5
bcd0f32f28d3c2ba8f53d1052d05252d

SHA1
c29b4591df930dabc1a4bd0fa2c0ad91500eafb2

SHA256
bb07d817b8b1b6b4c25e62b6120e51dec10118557d7b6b696ad084a5ba5bfdeb

SHA512
79f407735853f82f46870c52058ceee4d91857a89db14868ee1169abd5c0fd2e3fa1ed230ab90b5f479a9581b88998643d69b0df498defea29e73b0d487f3b10

Download Submit
C:\Users\Admin\AppData\Local\0b3abc7ee26025431112385cdb7daa68\Admin@WLWOBVQV_en-US\System\Process.txt

Filesize
368B

MD5
408f667310bc48ddad74fa91417d31c8

SHA1
8d02dc395fb21fa998e7d965770faad1c3a0ddbb

SHA256
6e1a9cbb64929531afeec480eb402184dc76915297b672af00149749ed980c3a

SHA512
a445ae0041a975d6d8e3c73272bf209caad40b953688b1905e350e93672b497f24101ab88614e474e83c2b422511c52da8e5dd38c3a4abacb25ce79bba614f43

Download Submit
C:\Users\Admin\AppData\Local\0f9df786692a67ed658c193a7ae69544\Admin@WLWOBVQV_en-US\Directories\Temp.txt

Filesize
4KB

MD5
b9c2fceb9b4ec3e94b71d31852d98ba8

SHA1
9765cc1f015c5214d948f7afa8265afb8199847d

SHA256
8d54d43f8271caa7adda9fc2524ff1b03d75741a9c4c20547054956b9b25e51c

SHA512
8896585abec18e2968452570194d72c3a191722b97adcd0d5221187b72364fd61825ed405c859314dd92d396f3992815f53542437f303f55fcd6bc579c935ba0

Download Submit
C:\Users\Admin\AppData\Local\0f9df786692a67ed658c193a7ae69544\Admin@WLWOBVQV_en-US\System\Process.txt

Filesize
514B

MD5
7d6dc73bce965f42e25bb95c2521f1b1

SHA1
b95782c62913bec9161a109563e2ea781463a84e

SHA256
2888952f1bc74af65c4a486f95e588eada25ea307f721148ffa49e6b55c50cc7

SHA512
cf8ab48bc3f3ae4865c9c63eecddeb9551448747f0e7d4ffa170f02d832818a079f54cfaef8417ce9b712398f56b0259f3e8df20f815b516bab5d77fc45977e8

Download Submit
C:\Users\Admin\AppData\Local\0f9df786692a67ed658c193a7ae69544\Admin@WLWOBVQV_en-US\System\Process.txt

Filesize
939B

MD5
3ef3648f4d14d83b891e2a583b3d2af3

SHA1
2099dc9a3a1740f0d93954ffb9bd3c34a8cadea4

SHA256
eab4b5587bf9c340e458c8908a85e960c3806bffc4baa4a0606ee6035e6da246

SHA512
9896ec2ec0659ce23ce6688008d3105037a20e0819c751a9ae894e62cdaedf89721cca886650c4a376c69fb15c9e3ad8089e5c626a7830022094d16d75e09f43

Download Submit
C:\Users\Admin\AppData\Local\0f9df786692a67ed658c193a7ae69544\Admin@WLWOBVQV_en-US\System\Process.txt

Filesize
462B

MD5
49ca13c6c6f1d85e62047303c4048487

SHA1
032416822c6dc48d830e81be62e6b0a6fb190ddf

SHA256
17dad3837924a77b2cc83130a306eed32c847e9e1a5ff7e7c023f9e33e3d7d03

SHA512
0fcc69d312b313b3d080854ab347d67a56e34760486b91a54ef37a0f24b31f33156dfdffef186360bf1989745bca5d45f7aa776f38b85e0c881cd7401d687255

Download Submit
C:\Users\Admin\AppData\Local\2d6c356d977278447729b5b1420edf99\Admin@WLWOBVQV_en-US\System\Process.txt

Filesize
306B

MD5
305c196b1605c281134c3ec936ca394d

SHA1
6375b3abea993495c6d1a1bc9989ab5aa01a5edf

SHA256
baabd0ad197f82e9ec65afd20a9a022f41130285862250ea9bc735877dc7b048

SHA512
1d4447bf509df08b54af008e8f11a1ab450f740345df1b0c9cc60f47586f9152b21d1be9765a48c1c27a9cbbf8fa0a8d1ac3106d1fc50a639f342849d2445bd8

Download Submit
C:\Users\Admin\AppData\Local\2d6c356d977278447729b5b1420edf99\Admin@WLWOBVQV_en-US\System\Process.txt

Filesize
521B

MD5
12b29b8b763d499b97087902c0d7ba25

SHA1
d7aa7513adcfd899679962b772c7d4a121e419b5

SHA256
9e27b31779f8b9a7445e26fddb223cc639f7307c1b66d7428df41855d2486e81

SHA512
964a068e0892356d08fe38797b88087172b3c3ea5c1a75f6e54b668a4839f388aedc1c4bf2f9a6dc3a416017f9daa89fb7e36547ae7f13a12057c9250c932dcc

Download Submit
C:\Users\Admin\AppData\Local\2d6c356d977278447729b5b1420edf99\Admin@WLWOBVQV_en-US\System\Process.txt

Filesize
983B

MD5
cb837ece22d76a614db701ca6e779146

SHA1
3b8727a5c3d285cd98fbea79a40d67da7fe995b0

SHA256
038dcac3353b57866113ce9c8e9ff456c703528edff501539e95dddbde8efdc8

SHA512
badc980ee586a8f3920eae572fb2b8b70d1223399215feeeb9769f2b648e16b5707cb21441d4890b6f63be5096f7f213265136d76a30273d8da3fe22dd2f9469

Download Submit
C:\Users\Admin\AppData\Local\419b8aaa7cba6e4dff05a70cc7016228\Admin@WLWOBVQV_en-US\Directories\Temp.txt

Filesize
10KB

MD5
4b6991bbb905a25b35bff1909da0dcec

SHA1
00f214183c46eb4a41e4ea04c21359bbe21286a5

SHA256
cf8917a62decd1f128ca4e4834d9e4c2cc961a03d8c78e5bcbf66b4ba5ab066d

SHA512
153664c320086475f32f3b4b26751ab5bced32606d2cc6cddbb0dc50073c838d5b62075a6d8ac222475b616565776bc6dbad6ca00db3a4aa7d09bdd4a33376b2

Download Submit
C:\Users\Admin\AppData\Local\419b8aaa7cba6e4dff05a70cc7016228\Admin@WLWOBVQV_en-US\System\Process.txt

Filesize
425B

MD5
62d03778f4c19b4ad57aaec27a7d8fc5

SHA1
4aab4184b8a29a32ddf7b86301b2ec2a5d74bbc7

SHA256
a664e5ade210203daa815b28f781a69bbb8b02d33c7640f97ae97bb5676e9ed5

SHA512
058df2b6fd2f24b992d4b8c6b831b4139496172b7d8b28713549afbaa4217eef63ae1860dd770935fb5719363ddc334e0fd940f6aaf6aa3b2fca1f03ebafc387

Download Submit
C:\Users\Admin\AppData\Local\419b8aaa7cba6e4dff05a70cc7016228\Admin@WLWOBVQV_en-US\System\Process.txt

Filesize
455B

MD5
9becb5bb017f97d0bc4523bdb36a7f2d

SHA1
f04e64d419ddffc38a003ac53f652515729082de

SHA256
9c672b81377087dccc86c05d4192b286da8d4f776eb94d62608345c64980a62a

SHA512
23696797980d6c6e2938e1cabefc12a9bc797a0633197f4a27606871247882f61f3a1d3f3cccaa3c4625c69978b665a45bd002b0ab3024e14cdd259398c739c6

Download Submit
C:\Users\Admin\AppData\Local\419b8aaa7cba6e4dff05a70cc7016228\Admin@WLWOBVQV_en-US\System\Process.txt

Filesize
664B

MD5
57d8a83237d36518a1c5e61adeb96f4f

SHA1
ab5a31d723dec26bbb3304b81224889fbc7015b8

SHA256
5f3d8446cd2fecec85e71ab1768fb67ff19a1aa8ac1212a4a7e4e37a4220f6db

SHA512
ca1712078ede48f9aab5a58ef4a8a8a15dba15c8f57bab589836059dcd796ec3885b73da0584eb5ad2de1c98aafc01006580a458813ec2eab61cbce2a6b1d6b7

Download Submit
C:\Users\Admin\AppData\Local\4c72cbc49fc893b68d51772d0468ae43\Admin@WLWOBVQV_en-US\System\Process.txt

Filesize
501B

MD5
d22cc3d9ed03afe97af494382b009e3a

SHA1
5e1e0ca008b5b49967fef43693cd145e88fefcbd

SHA256
4a78616fc579092fbecdf012aa872bbdc1d160012d101e4c9f71f502a289768f

SHA512
df55f6cbfb435b2993959a4d12f6eea4aee39c26d960a649bec2db57c7c864da61f89576f2207682a3c8c279458ad2bdd45b19109207af7f8fda084e7cfea144

Download Submit
C:\Users\Admin\AppData\Local\4c72cbc49fc893b68d51772d0468ae43\Admin@WLWOBVQV_en-US\System\Process.txt

Filesize
157B

MD5
7be1ef29f0bdf1f6984fc4637f891189

SHA1
1b0a87fe5b3bbc7b75db8ececeaf8a6f5305570e

SHA256
8286b91fdb381d25ca3daa27e102a0e6bdce9311f6ed0e4115ba94a42cb89bd1

SHA512
aecfab2c00e2a4e82ab17c63035c3165bf2f4ce30a934beb2caf5c2e5919b7f09c0c698aefd6cecb4bd264397e54777ebff32e51b91f0ea26ed5502f25c5a3ad

Download Submit
C:\Users\Admin\AppData\Local\4c72cbc49fc893b68d51772d0468ae43\Admin@WLWOBVQV_en-US\System\Process.txt

Filesize
365B

MD5
e09f7149ab86f0bc4aa8934d195f0348

SHA1
2a09274491858f0f441f4e1883584febb0d518b6

SHA256
2bf3f38306ad50221baec9ea9a79662342dd5c6b25d0545997686de630ed844a

SHA512
ccbd9dea03a784fd4d0f52af41d47a061f3b98774632cdf50f178933caffbff73486efa3cf95e6acda036417e30fa0d5851b3893d9421bcbdbce86175013b309

Download Submit
C:\Users\Admin\AppData\Local\51c533bf59b511f2f6e36fb839dd6db9\Admin@WLWOBVQV_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini

Filesize
402B

MD5
ecf88f261853fe08d58e2e903220da14

SHA1
f72807a9e081906654ae196605e681d5938a2e6c

SHA256
cafec240d998e4b6e92ad1329cd417e8e9cbd73157488889fd93a542de4a4844

SHA512
82c1c3dd163fbf7111c7ef5043b009dafc320c0c5e088dec16c835352c5ffb7d03c5829f65a9ff1dc357bae97e8d2f9c3fc1e531fe193e84811fb8c62888a36b

Download Submit
C:\Users\Admin\AppData\Local\51c533bf59b511f2f6e36fb839dd6db9\Admin@WLWOBVQV_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini

Filesize
282B

MD5
3a37312509712d4e12d27240137ff377

SHA1
30ced927e23b584725cf16351394175a6d2a9577

SHA256
b029393ea7b7cf644fb1c9f984f57c1980077562ee2e15d0ffd049c4c48098d3

SHA512
dbb9abe70f8a781d141a71651a62a3a743c71a75a8305e9d23af92f7307fb639dc4a85499115885e2a781b040cbb7613f582544c2d6de521e588531e9c294b05

Download Submit
C:\Users\Admin\AppData\Local\51c533bf59b511f2f6e36fb839dd6db9\Admin@WLWOBVQV_en-US\System\Desktop.jpg

Filesize
75KB

MD5
93e4bb35d00c1592743faee652114eb7

SHA1
d3a166cfd0a68553c2d91e3157dc4f4e0cae7072

SHA256
9cfe0f1bfc6998133aeddbd606b2a110f4d490edfa7f8e4e6c9cf6b6858ac92a

SHA512
abce2d3ff166869d4d6cb3845bb95376db0a86f58f162775a5996b43aebada48177be9b7f6a9c9bf6d1afa61539751d1157b24003dfc36be5f22c3838f28f160

Download Submit
C:\Users\Admin\AppData\Local\51c533bf59b511f2f6e36fb839dd6db9\Admin@WLWOBVQV_en-US\System\Process.txt

Filesize
309B

MD5
d01607a4f4621f14ac0416148d4d5320

SHA1
1746da453fca97d72ea2cd57bc0c8fa2fa080f26

SHA256
8b210ab24603d176afe4d198cfdc26e9087beb0e941eb9306f0667c44781ea33

SHA512
d5e177e4a79f10a80e33cccbb82bec4c5e9b624879ffd330b051036918d8562770222ea0e875c8c04daf9187579a227546c6b707a6c8e886eba52fdf2aa2fc22

Download Submit
C:\Users\Admin\AppData\Local\51c533bf59b511f2f6e36fb839dd6db9\Admin@WLWOBVQV_en-US\System\Process.txt

Filesize
284B

MD5
1244cd6b0603ba143f9d5d569bd9be9f

SHA1
abc541e490ca08fe72e6956dcac31dddb79c584a

SHA256
e04a6ce94f8201c1bfd6fa467f973783a5aee5399606ccec769168b88ac490f4

SHA512
0dd040901033b813fb056c9b461a41f4f154c4b22b127402dde4537203fb90a742c7c63648f252fe124559ed4ce90ad95690ff57e9285f98dcbdf2aab798a5da

Download Submit
C:\Users\Admin\AppData\Local\51c533bf59b511f2f6e36fb839dd6db9\Admin@WLWOBVQV_en-US\System\Process.txt

Filesize
725B

MD5
7a7056c4b87548fabdb1b42077bc6d1d

SHA1
7e47839d2e67356020764b5a5f5ee712328f081f

SHA256
21fcfaa8e1c63c6ad208aa8156f53dc0652748308da5953af0a83baebde6ea64

SHA512
91c24d86778aa8bf1ab466dfd605f1daf1c461b17d17a8b97a0e0deaef1c027ce8b4ef2164328fc1b7eeb3d16d332bf26100a3f4b8ef3b9e0b09979df451d2f0

Download Submit
C:\Users\Admin\AppData\Local\54af8aa9286eab1ac406bb1322b37d00\Admin@WLWOBVQV_en-US\Browsers\Firefox\Bookmarks.txt

Filesize
210B

MD5
1267f4be35fbe5510886cf08ddee9fdd

SHA1
04e714a1c8a9d76e860c7cbbe7ebf62c71dea6b9

SHA256
ab038447adbfd1faf46f0d3bf6dc387621dc8435ab552696ec8d9bbe7a6a9ab3

SHA512
6f1bc0ad9eb850f37cddc2422e738f0cbbfe8a7a7e064c0c989cafbf0f7d5ae5bdfced4b3f93952688de3bfa338ff5a8c7258aff8397cdaccb36b23b5d16686b

Download Submit
C:\Users\Admin\AppData\Local\54af8aa9286eab1ac406bb1322b37d00\Admin@WLWOBVQV_en-US\Directories\Temp.txt

Filesize
11KB

MD5
0983c5f34b480cc69b65dc43ee026042

SHA1
a07de5a48105d39f0acfe8b606a211e8f2a603a2

SHA256
62857e40fe13f90476f041c18e3b40baf565016d02250df731f6451127243068

SHA512
f299f92ebb6d6481ae63ca0e2850b7886181432f80e5c4400f0e0fcef4ee6ae80c72e1319dbc32b349706030d6972bb81f66ce8aaaadc2850173f86711d07c24

Download Submit
C:\Users\Admin\AppData\Local\54af8aa9286eab1ac406bb1322b37d00\Admin@WLWOBVQV_en-US\System\Process.txt

Filesize
521B

MD5
71b3303d7dfbc9fb8148053eddddfb38

SHA1
9c696d07453c5daece7bdb067f0cddb0f3c02731

SHA256
8a750be7707bc297eec117914e0fcd10187be40a852f6aa6deb8d083230df452

SHA512
77c68720342a2d35a610b7eabccf21e6724c0c7defadbb827754f8cadc1d1f8be3df0b5fc21d222457c12aba84e43d23c85d5558b9c5cbabd556ac554caadfe0

Download Submit
C:\Users\Admin\AppData\Local\54af8aa9286eab1ac406bb1322b37d00\Admin@WLWOBVQV_en-US\System\ScanningNetworks.txt

Filesize
84B

MD5
58cd2334cfc77db470202487d5034610

SHA1
61fa242465f53c9e64b3752fe76b2adcceb1f237

SHA256
59b3120c5ce1a7d1819510272a927e1c8f1c95385213fccbcdd429ff3492040d

SHA512
c8f52d85ec99177c722527c306a64ba61adc3ad3a5fec6d87749fbad12da424ba6b34880ab9da627fb183412875f241e1c1864d723e62130281e44c14ad1481e

Download Submit
C:\Users\Admin\AppData\Local\8d777117e71cda01d853849f0f0e0744\Admin@WLWOBVQV_en-US\System\Process.txt

Filesize
725B

MD5
850230ce36d8933ecdd62c1f5bb4420a

SHA1
c6cb3cda3a4ee1c468f68c851f2e6729d2bc8556

SHA256
990f5cf50f87c54bcd59d64d8288fc07773e9b21626fc309f779ee1c7b041f14

SHA512
c53e6ebb7f63165e4db6d93a6515925bc6f34f3de17e37c92fdac6256e003f4c0f49f417bb26adc4d99e614a778612a6a490ec31ce4288e8763f61df0d010ac0

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\SERVER BOT.EXE

Filesize
518KB

MD5
5f043e0db920bdb7fcc024640bffa889

SHA1
5035514399e0a202c8d1f2b13730e939c6be0aba

SHA256
ea024dfb7ea4a70c6b6387a04c23d4c0bfe52c69ca5c493c5391de29ff07d1c2

SHA512
97eb910998c59219030c6f8214549ce0a7ba4a6fcdb47e08f2f00ab87c6c039f6634f59ec7167272c16a656bd317dc58c3b05e608166e233a6ce76404bbb21d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\SERVER BOT.EXE

Filesize
558KB

MD5
1c8096305a5e96aafad54356e63a5d09

SHA1
757b9748b708b5ad0b45f05e22fe5cb87acc8318

SHA256
12981fcff8fae053977c4e0d18ee8033996bce16702008c5ba57498bbd35ac79

SHA512
88ad12fae3b91124361ec20a9f3138f082c670acaf365e3da2ff11f4252d05e5b26f09f05d55cc684855ceca304d526fa67f16130f85c1f42638d2136dd9cd38

Download Submit
C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE

Filesize
232KB

MD5
60e907c5d3c0aa96e45b8db5d2a2ca80

SHA1
2e23304cf254c39bbfae227a6c7dde34eedbbc3c

SHA256
4e61c25d6ef620a0b4c800091860cdc38928f2ec75e2097700d4d94cc0f87265

SHA512
1ea98aadd284ce7222c488ca32f69eb422532d5682e17453b199b5dcec9318da7bfe6667bc87bff46460881e39ab28d254d6675eb0dd9c06f22a02c5bf204fa4

Download Submit
C:\Users\Admin\AppData\Local\Temp\SYSTEM.EXE

Filesize
232KB

MD5
ca7eb340866d2ad3ecab4a3c862e3ebd

SHA1
d2d0f3c1a8308ea75f799b013655b76413cfb853

SHA256
b4369bfaad90ac4bb613c40ffc1aba17d48f40264dcaaefbfe6b65930cac951d

SHA512
69d4b6c3a7bbb93f1d6e49840da769d9233af251e66cdbd6da0ce5ce302db498711cd35a799ff8f4899dd0b5d5ca16affe412a21e07dfa276fdb292cfe169531

Download Submit
C:\Users\Admin\AppData\Local\Temp\places.raw

Filesize
5.0MB

MD5
cef12327847e0a0619480ecfd8b28826

SHA1
4fe8beb4b7795a794552614ad993ab1670179286

SHA256
59333884653d1b1658f004e34577df0d11b1173563f789b2ed19c10be2e415d4

SHA512
3056f42ff05d9acee68057a6944b6bb19a6d11f23bc93ba8bf07ca4cbd8a42293670a4ab12c18db7a1cadd470d8569021114a0d9ed767eef07678c4952280715

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2A95.tmp.dat

Filesize
114KB

MD5
f0dcd0735cfcef0c15ceda75deb5cb3e

SHA1
af257a650681983a6c9e087615165269a6d0ceab

SHA256
d3ca053889263104532ef68de1a1200f5e1b1177cfeea702e882c5c4075c35ee

SHA512
cc2a123eea72756ce0914ec7c2e077b9f14c6def40a3131fdc02d5f981c5c79bba7859d02296cb1a15e4ff2491818e91c3790706cf46fffdf9a7b7fcb5a33ec4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2A97.tmp.dat

Filesize
160KB

MD5
f310cf1ff562ae14449e0167a3e1fe46

SHA1
85c58afa9049467031c6c2b17f5c12ca73bb2788

SHA256
e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855

SHA512
1196371de08c964268c44103ccaed530bda6a145df98e0f480d8ee5ad58cb6fb33ca4c9195a52181fe864726dcf52e6a7a466d693af0cda43400a3a7ef125fad

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2AAA.tmp.dat

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2AB6.tmp.dat

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2ACB.tmp.dat

Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2ACC.tmp.dat

Filesize
20KB

MD5
49693267e0adbcd119f9f5e02adf3a80

SHA1
3ba3d7f89b8ad195ca82c92737e960e1f2b349df

SHA256
d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f

SHA512
b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2ACD.tmp.dat

Filesize
124KB

MD5
9618e15b04a4ddb39ed6c496575f6f95

SHA1
1c28f8750e5555776b3c80b187c5d15a443a7412

SHA256
a4cd72e529e60b5f74c50e4e5b159efaf80625f23534dd15a28203760b8b28ab

SHA512
f802582aa7510f6b950e3343b0560ffa9037c6d22373a6a33513637ab0f8e60ed23294a13ad8890935b02c64830b5232ba9f60d0c0fe90df02b5da30ecd7fa26

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2BD8.tmp.dat

Filesize
96KB

MD5
40f3eb83cc9d4cdb0ad82bd5ff2fb824

SHA1
d6582ba879235049134fa9a351ca8f0f785d8835

SHA256
cdd772b00ae53d4050150552b67028b7344bb1d345bceb495151cc969c27a0a0

SHA512
cdd4dbf0b1ba73464cd7c5008dc05458862e5f608e336b53638a14965becd4781cdea595fd6bd18d0bf402dccffd719da292a6ce67d359527b4691dc6d6d4cc2

Download Submit
C:\Users\Admin\AppData\Local\b3739a9836fd4b31afd459a7980e2aac\Admin@WLWOBVQV_en-US\Browsers\Firefox\Bookmarks.txt

Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\Users\Admin\AppData\Local\b3739a9836fd4b31afd459a7980e2aac\Admin@WLWOBVQV_en-US\Directories\Desktop.txt

Filesize
509B

MD5
c4621751bab2882a0d9022f284368988

SHA1
ab75518b9459ee3c30d84ea051a3e7d765b1c221

SHA256
1b759efbe0e8f097caeed0b8d2d6e3cc63db3305564aff5f6fc5573d19f48c48

SHA512
09aa5008b6b61443c2bc8e052d5cc546190a7c94b0f7d57a429d8b36cc4098389988b4cf961179561dc83ead4eb09bbfcfc8702044029f91a7d91d1f005e8014

Download Submit
C:\Users\Admin\AppData\Local\b3739a9836fd4b31afd459a7980e2aac\Admin@WLWOBVQV_en-US\Directories\Documents.txt

Filesize
623B

MD5
efe7215376d6da68ebe4208310c50d2a

SHA1
a6d8a066fe0f1ea68a927ffd1f903df7581d7847

SHA256
d40d293e9e2e53dd29fb5e26e23abe6884cd9c766fb1805ddd9e2dcbc41b9bea

SHA512
05c1bafe77abb4b8b6eb436ef57c0420db2eba2dc2e95540ae335ab0a58287c4d9d1d4c7145cb91b4b2c60eeaea6cce8301747532c7a6b86ebc55e30d0016c47

Download Submit
C:\Users\Admin\AppData\Local\b3739a9836fd4b31afd459a7980e2aac\Admin@WLWOBVQV_en-US\Directories\Downloads.txt

Filesize
768B

MD5
82f720526824c3369b788a04ff7dae25

SHA1
4cd4f920469e177c1e9dbfeeadd75f9bedfc23d4

SHA256
3273f3382da6da4b33af28006b7ee6ab0b8430ecf8e30ed22402e12a1fffdfb3

SHA512
8bd0445ac208d5c8b3cca4a1ae7bfe4e6e88dc78ee65dc596973045c6916ee2fa4cef77b3030e2469304346f932be56aae983a0eb495a2a34f62e015bcdee527

Download Submit
C:\Users\Admin\AppData\Local\b3739a9836fd4b31afd459a7980e2aac\Admin@WLWOBVQV_en-US\Directories\OneDrive.txt

Filesize
25B

MD5
966247eb3ee749e21597d73c4176bd52

SHA1
1e9e63c2872cef8f015d4b888eb9f81b00a35c79

SHA256
8ddfc481b1b6ae30815ecce8a73755862f24b3bb7fdebdbf099e037d53eb082e

SHA512
bd30aec68c070e86e3dec787ed26dd3d6b7d33d83e43cb2d50f9e2cff779fee4c96afbbe170443bd62874073a844beb29a69b10c72c54d7d444a8d86cfd7b5aa

Download Submit
C:\Users\Admin\AppData\Local\b3739a9836fd4b31afd459a7980e2aac\Admin@WLWOBVQV_en-US\Directories\Pictures.txt

Filesize
375B

MD5
690f237da8eed47283b3a627b1796512

SHA1
2aadf001af3ef39e5afe2a771906e3e088d71fe9

SHA256
6269106a4439cb0fe3a810697b0f070a962470135d6d29d419a4892a9817d2cf

SHA512
43042bd3487ee090b2f164fb2d047ca299bf05c37a70518dcd026b82d6d9edc834e669a2970efa1c73ca6619050f85bc8820f9d22b48fe196a6c0e21e7552180

Download Submit
C:\Users\Admin\AppData\Local\b3739a9836fd4b31afd459a7980e2aac\Admin@WLWOBVQV_en-US\Directories\Startup.txt

Filesize
24B

MD5
68c93da4981d591704cea7b71cebfb97

SHA1
fd0f8d97463cd33892cc828b4ad04e03fc014fa6

SHA256
889ed51f9c16a4b989bda57957d3e132b1a9c117ee84e208207f2fa208a59483

SHA512
63455c726b55f2d4de87147a75ff04f2daa35278183969ccf185d23707840dd84363bec20d4e8c56252196ce555001ca0e61b3f4887d27577081fdef9e946402

Download Submit
C:\Users\Admin\AppData\Local\b3739a9836fd4b31afd459a7980e2aac\Admin@WLWOBVQV_en-US\Directories\Videos.txt

Filesize
23B

MD5
1fddbf1169b6c75898b86e7e24bc7c1f

SHA1
d2091060cb5191ff70eb99c0088c182e80c20f8c

SHA256
a67aa329b7d878de61671e18cd2f4b011d11cbac67ea779818c6dafad2d70733

SHA512
20bfeafde7fec1753fef59de467bd4a3dd7fe627e8c44e95fe62b065a5768c4508e886ec5d898e911a28cf6365f455c9ab1ebe2386d17a76f53037f99061fd4d

Download Submit
C:\Users\Admin\AppData\Local\b3739a9836fd4b31afd459a7980e2aac\Admin@WLWOBVQV_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini

Filesize
282B

MD5
9e36cc3537ee9ee1e3b10fa4e761045b

SHA1
7726f55012e1e26cc762c9982e7c6c54ca7bb303

SHA256
4b9d687ac625690fd026ed4b236dad1cac90ef69e7ad256cc42766a065b50026

SHA512
5f92493c533d3add10b4ce2a364624817ebd10e32daa45ee16593e913073602db5e339430a3f7d2c44abf250e96ca4e679f1f09f8ca807d58a47cf3d5c9c3790

Download Submit
C:\Users\Admin\AppData\Local\b3739a9836fd4b31afd459a7980e2aac\Admin@WLWOBVQV_en-US\System\ProductKey.txt

Filesize
29B

MD5
71eb5479298c7afc6d126fa04d2a9bde

SHA1
a9b3d5505cf9f84bb6c2be2acece53cb40075113

SHA256
f6cadfd4e4c25ff3b8cffe54a2af24a757a349abbf4e1142ec4c9789347fe8b3

SHA512
7c6687e21d31ec1d6d2eff04b07b465f875fd80df26677f1506b14158444cf55044eb6674880bd5bd44f04ff73023b26cb19b8837427a1d6655c96df52f140bd

Download Submit
C:\Users\Admin\AppData\Local\b5a7e8efa0d7e9e5f0e885758badb00e\Admin@WLWOBVQV_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini

Filesize
190B

MD5
d48fce44e0f298e5db52fd5894502727

SHA1
fce1e65756138a3ca4eaaf8f7642867205b44897

SHA256
231a08caba1f9ba9f14bd3e46834288f3c351079fcedda15e391b724ac0c7ea8

SHA512
a1c0378db4e6dac9a8638586f6797bad877769d76334b976779cd90324029d755fb466260ef27bd1e7f9fdf97696cd8cd1318377970a1b5bf340efb12a4feb4a

Download Submit
C:\Users\Admin\AppData\Local\b5a7e8efa0d7e9e5f0e885758badb00e\Admin@WLWOBVQV_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini

Filesize
190B

MD5
87a524a2f34307c674dba10708585a5e

SHA1
e0508c3f1496073b9f6f9ecb2fb01cb91f9e8201

SHA256
d01a7ef6233ef4ab3ea7210c0f2837931d334a20ae4d2a05ed03291e59e576c9

SHA512
7cfa6d47190075e1209fb081e36ed7e50e735c9682bfb482dbf5a36746abdad0dccfdb8803ef5042e155e8c1f326770f3c8f7aa32ce66cf3b47cd13781884c38

Download Submit
C:\Users\Admin\AppData\Local\b5a7e8efa0d7e9e5f0e885758badb00e\Admin@WLWOBVQV_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini

Filesize
504B

MD5
29eae335b77f438e05594d86a6ca22ff

SHA1
d62ccc830c249de6b6532381b4c16a5f17f95d89

SHA256
88856962cef670c087eda4e07d8f78465beeabb6143b96bd90f884a80af925b4

SHA512
5d2d05403b39675b9a751c8eed4f86be58cb12431afec56946581cb116b9ae1014ab9334082740be5b4de4a25e190fe76de071ef1b9074186781477919eb3c17

Download Submit
C:\Users\Admin\AppData\Local\ec025c2ab0533d25cf7bd78c58061070\Admin@WLWOBVQV_en-US\System\Process.txt

Filesize
376B

MD5
9f020bc1e974ae3b2ecd72f59d3a4689

SHA1
0624eb41c99da96789ebeec075c2f46758475942

SHA256
562f50227ef4e85a0a0d4d05dd60f75c9c8a497e5f08840dd8ab60fe75ec2c47

SHA512
ed2bdbd90e5c9b0e582a321322a3c5b3e385b12d132175d564249b98a9107ab39b23827e10c6a67ae59f89ffa2ce0e37e937cedc8af66b07061f89baac187d93

Download Submit
C:\Users\Admin\AppData\Local\ec025c2ab0533d25cf7bd78c58061070\Admin@WLWOBVQV_en-US\System\Process.txt

Filesize
924B

MD5
51d81e496ec72c3e9beb2649c77a6f32

SHA1
56b5027c35e81810218adb3027034a65a3c8d22b

SHA256
6340d9d9bd6e8da4f44a1685c302563e026d8f39e04aeb2e9a18fb768f45f647

SHA512
3ddc2f5df8054b8ef54de66269e3abda2f38f742ce223b4be4905114fd1c35ffd818604bdff079769b3f5f55201596f10df0c1560e99502f261ba2f39ad552b1

Download Submit
C:\Windows\directx.sys

Filesize
48B

MD5
35fbfcca51ec145abb3a3c5fb69d9c23

SHA1
619443ee97b93e4a589985d8228452ae9359db79

SHA256
a4b402e8fefe40e63ab6f84d2a23b5704b4693db49950d1d56de15e9ae7081d7

SHA512
38a1af678be5fc4acefa43fe535c1e11b098d8fa6d7d98277d43c39c59482b89f3688d466685c1d08ecda99fee1eba35dd68524e123402021caada676e69edcc

Download Submit
C:\Windows\directx.sys

Filesize
47B

MD5
757eba23195094c51e306aec3026078a

SHA1
069ec19891cbc2cae9caf48581a8c3b32692fb84

SHA256
59c0b510a50b30de1a2ef741c0c78a672af80af45f4eda48fb86704b9fbc9ff2

SHA512
88cd79f11ae60f84b86d5a17d2f9036f53d90f08617a2e816b2b2e6ac0ab6da9c42ebb87038790b36a574811fc826c43942de55fa2bd7a4f0f0b620fc167cc2b

Download Submit
C:\Windows\directx.sys

Filesize
80B

MD5
2684c9074d7a93a045bf23f539d5c73c

SHA1
14b6dfb4bd8d7e97c6421167e238fe90ffe833f6

SHA256
67bc1941e88ccc5372ae526182822db2a2ec7807505e666484ee8d31d7774ccf

SHA512
36f6c3672a542a7fa6604c35f696dc2716d97b0f3daa8960191c47509b3025da4355f30d7e3a70d82ebffac32b1525e87d91dd129a051b070e58cc9039fd6260

Download Submit
C:\Windows\directx.sys

Filesize
81B

MD5
e2ca32cb112029efb0a9f83d427a90b4

SHA1
18d352c68dad81e5b2dad7633085f4ccdb7436ae

SHA256
799a7127cbba32b72172006ee641990362b7ecfd88e4a711af8d4b20fcc1466b

SHA512
3336774ddba3390a25bfc03b71ceb9169679a8026a82b172affc936e0ce58261c2499afd33a2d104c667a37e1b9289c24fbdf26ccc6a864fe5435de7743f0177

Download Submit
C:\Windows\directx.sys

Filesize
46B

MD5
79765fbdcf92b3b4e0f30e70407daf9f

SHA1
1286cbd1d2f19a13d048af38badc35ae5265f125

SHA256
bfcb3579340d6ee21e721c2f66f904e9943c8a72e3594d2055cf80a98839f4fa

SHA512
946b5a80a7fbf5ac018aa73eb4ea71166886064fefd7422334c3fda79a3c4dc09149f2e73cae6b0c5b4f261d487d1019f1350e4d4384850c990b376b0bb08f92

Download Submit
C:\Windows\directx.sys

Filesize
48B

MD5
bbbf9a9a8a9bb5c0308479ddd4cc6d17

SHA1
b58b87a86105a8c0831b70c6880ae068efbc9ea1

SHA256
536d7b222c62f38e16ac88da98a0b819791d978b251d06ecf1997c52b3a73734

SHA512
18bf3748a8542af82d863028d34368c9cf3cecf955265dacf18d06354e4aa45955186abb09ba0cbc770690c21cd76359fbaad81325340d1762351056658b7b67

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
36fd5e09c417c767a952b4609d73a54b

SHA1
299399c5a2403080a5bf67fb46faec210025b36d

SHA256
980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2

SHA512
1813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92

Download Submit
memory/404-360-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/408-525-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/624-198-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/684-391-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/860-518-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1116-457-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1340-128-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1472-212-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1620-80-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1724-361-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1904-379-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1916-437-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1972-399-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1976-79-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1980-129-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2000-319-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2136-430-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2248-494-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2316-241-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2372-393-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2540-195-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2568-419-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2668-281-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2732-6870-0x00000000065E0000-0x00000000065EA000-memory.dmp

Filesize
40KB

Download
memory/2740-349-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2744-373-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2744-445-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2880-278-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2888-82-0x0000000000AF0000-0x0000000000B30000-memory.dmp

Filesize
256KB

Download
memory/2900-197-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3016-472-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3084-474-0x0000000005CD0000-0x0000000005D62000-memory.dmp

Filesize
584KB

Download
memory/3084-466-0x00000000061A0000-0x0000000006744000-memory.dmp

Filesize
5.6MB

Download
memory/3164-500-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3192-439-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3212-456-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3260-392-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3268-2758-0x0000000006020000-0x000000000602A000-memory.dmp

Filesize
40KB

Download
memory/3296-458-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3296-131-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3424-492-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3488-221-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3532-329-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3644-524-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3644-145-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3764-118-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3896-320-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3964-98-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4004-408-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4036-330-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4056-400-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4084-301-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4276-280-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4280-331-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4324-99-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4384-337-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4404-512-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4552-196-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4640-78-0x00000000000D0000-0x0000000000110000-memory.dmp

Filesize
256KB

Download
memory/4640-100-0x00000000050A0000-0x0000000005106000-memory.dmp

Filesize
408KB

Download
memory/4768-481-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4808-460-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4872-326-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4872-130-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4896-362-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4944-475-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4968-459-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4992-431-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/5000-407-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/5000-127-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/5084-493-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads