nanocore | a11a2b4877664bfacaa49ce46f161af9e03c0a044832260da0c6977c610cbaae

Analysis

max time kernel
64s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
24-12-2024 23:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9b61e86cf6899344b6e9564e1dbfacc24c8a99e9e9be8cd8f764dba7d4f7927e.exe
Size

1.1MB
MD5

aa4c23269c9b3026cf16225badbf7d5f
SHA1

78247b69edd8cf0bdc064fcae5ab31470c62ab3a
SHA256

9b61e86cf6899344b6e9564e1dbfacc24c8a99e9e9be8cd8f764dba7d4f7927e
SHA512

c9d6716616ddd6cd2ccf4679af1fbd2dff587f89ba89745c122d82fa8aabd6762a59534ad002c4ea5ddc9373328fbae7588f9d4b071f1083ce91915a73f7ab3c
SSDEEP

24576:eNcBtkZXdipp/ZUIdi1iXEjF67x+T4coqS5HaD2XZRm3JbfsGZL:5eCPEZex+T7oqWHayX3+L

Score

10^/10

nanocore netwire wshrat botnet discovery evasion execution keylogger persistence rat spyware stealer trojan upx

Malware Config

Extracted

Family

netwire

donphilongz.org:5005

Attributes

activex_autorun
false
copy_executable
true
delete_original
false
host_id
HostId-%Rand%
install_path
%AppData%\Install\Host.exe
keylogger_dir
%AppData%\Logs\
lock_executable
false
mutex
uTGwFNvi
offline_keylogger
true
password
Password
registry_autorun
true
startup_name
NetWire
use_mutex
true

Extracted

Family

nanocore

Version

1.2.2.0

donphilongz.org:5070

Mutex

c68af378-9f2e-46e2-88f3-79ec61d84319

Attributes

activate_away_mode
true
backup_connection_host
donphilongz.org
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2020-02-01T08:21:40.055121836Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
5070
default_group
Default
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
c68af378-9f2e-46e2-88f3-79ec61d84319
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
donphilongz.org
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
true
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Extracted

Family

wshrat

http://strserver1.duckdns.org:8001

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Nanocore family
nanocore

NetWire RAT payload 10 IoCs

rat

resource	yara_rule
behavioral1/memory/2708-66-0x0000000000400000-0x0000000000430000-memory.dmp	netwire
behavioral1/memory/2708-78-0x0000000000400000-0x0000000000430000-memory.dmp	netwire
behavioral1/memory/1960-158-0x0000000000400000-0x0000000000430000-memory.dmp	netwire
behavioral1/memory/2504-165-0x0000000000400000-0x0000000000430000-memory.dmp	netwire
behavioral1/memory/2500-195-0x0000000000400000-0x0000000000430000-memory.dmp	netwire
behavioral1/memory/2852-213-0x0000000000400000-0x0000000000430000-memory.dmp	netwire
behavioral1/memory/300-182-0x0000000000400000-0x0000000000430000-memory.dmp	netwire
behavioral1/memory/2168-174-0x0000000000400000-0x0000000000430000-memory.dmp	netwire
behavioral1/memory/1960-124-0x0000000000400000-0x0000000000430000-memory.dmp	netwire
behavioral1/memory/2708-58-0x0000000000400000-0x0000000000430000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Netwire family
netwire
WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
trojan wshrat
Wshrat family
wshrat

Blocklisted process makes network request 12 IoCs

flow	pid	Process
8	800	wscript.exe
9	2804	wscript.exe
13	2804	wscript.exe
17	2804	wscript.exe
22	2804	wscript.exe
27	2804	wscript.exe
30	2804	wscript.exe
35	2804	wscript.exe
40	2804	wscript.exe
44	2804	wscript.exe
49	2804	wscript.exe
53	2804	wscript.exe

Drops startup file 64 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\systemfiles.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\systemfiles.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\systemfiles.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\systemfiles.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\systemfiles.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\systemfiles.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\systemfiles.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\systemfiles.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\systemfiles.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\systemfiles.vbs	Process not Found
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\systemfiles.vbs	Process not Found
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\systemfiles.vbs	Process not Found
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\systemfiles.vbs	Process not Found
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\systemfiles878.js	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lfQEWRrrdw.js	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\systemfiles.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\systemfiles.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\systemfiles.vbs	Process not Found
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\systemfiles.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\systemfiles.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\systemfiles.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\systemfiles.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\systemfiles.vbs	Process not Found
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\systemfiles.vbs	Process not Found
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\systemfiles.vbs	Process not Found
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\systemfiles.vbs	Process not Found
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\systemstability.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\systemfiles.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\systemfiles.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\systemfiles.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\systemfiles.vbs	Process not Found
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\systemfiles.vbs	Process not Found
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\systemfiles.vbs	Process not Found
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\systemfiles.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\systemfiles.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\systemfiles.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\systemfiles.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\systemfiles.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\systemfiles.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\systemfiles.vbs	Process not Found
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\systemfiles.vbs	Process not Found
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\systemfiles.vbs	Process not Found
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\systemfiles.vbs	Process not Found
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\systemfiles.vbs	Process not Found
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\systemfiles.vbs	Process not Found
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\systemfiles878.js	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\systemfiles.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\systemfiles.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\systemfiles.vbs	Process not Found
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\systemfiles.vbs	Process not Found
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\systemfiles.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\systemfiles.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\systemfiles.vbs	Process not Found
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\systemfiles.vbs	Process not Found
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\systemfiles.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\systemfiles.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\systemfiles.vbs	Process not Found
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\systemfiles.vbs	Process not Found
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\systemfiles.vbs	Process not Found
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\systemfiles.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\systemfiles.vbs	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\systemfiles.vbs	Process not Found
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\systemfiles.vbs	Process not Found
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\systemfiles.vbs	Process not Found

Executes dropped EXE 64 IoCs

pid	Process
2996	syststemfile.exe
2748	systemfiles.exe
2836	systemefile.exe
2708	systemefile.exe
2596	systemefile.exe
2248	Host.exe
344	systemstability.exe
2368	systemstability.exe
1920	systemefile.exe
1696	systemstability.exe
2612	systemefile.exe
1960	systemefile.exe
380	systemefile.exe
680	systemefile.exe
2196	systemefile.exe
2068	systemefile.exe
2504	systemefile.exe
752	systemefile.exe
2960	systemefile.exe
2168	systemefile.exe
984	systemefile.exe
876	systemefile.exe
300	systemefile.exe
2308	systemefile.exe
1572	systemefile.exe
2500	systemefile.exe
2124	systemefile.exe
3036	Host.exe
2864	systemefile.exe
2852	systemefile.exe
2576	systemefile.exe
2812	Host.exe
2536	systemefile.exe
2700	systemefile.exe
1684	systemefile.exe
2248	systemefile.exe
2604	systemefile.exe
2736	systemefile.exe
2596	Host.exe
1256	Host.exe
1732	systemefile.exe
2416	systemefile.exe
2192	systemefile.exe
2932	systemefile.exe
2332	systemefile.exe
2120	systemefile.exe
1996	systemefile.exe
1032	systemefile.exe
304	systemefile.exe
2600	systemefile.exe
1356	systemefile.exe
1688	systemefile.exe
288	systemefile.exe
852	systemefile.exe
2320	systemefile.exe
320	systemefile.exe
1524	systemefile.exe
2720	systemefile.exe
2456	systemefile.exe
1344	systemefile.exe
2212	systemefile.exe
1496	systemefile.exe
2164	systemefile.exe
2440	systemefile.exe

Loads dropped DLL 64 IoCs

pid	Process
1880	9b61e86cf6899344b6e9564e1dbfacc24c8a99e9e9be8cd8f764dba7d4f7927e.exe
1880	9b61e86cf6899344b6e9564e1dbfacc24c8a99e9e9be8cd8f764dba7d4f7927e.exe
1880	9b61e86cf6899344b6e9564e1dbfacc24c8a99e9e9be8cd8f764dba7d4f7927e.exe
1880	9b61e86cf6899344b6e9564e1dbfacc24c8a99e9e9be8cd8f764dba7d4f7927e.exe
1880	9b61e86cf6899344b6e9564e1dbfacc24c8a99e9e9be8cd8f764dba7d4f7927e.exe
1880	9b61e86cf6899344b6e9564e1dbfacc24c8a99e9e9be8cd8f764dba7d4f7927e.exe
1880	9b61e86cf6899344b6e9564e1dbfacc24c8a99e9e9be8cd8f764dba7d4f7927e.exe
1880	9b61e86cf6899344b6e9564e1dbfacc24c8a99e9e9be8cd8f764dba7d4f7927e.exe
1880	9b61e86cf6899344b6e9564e1dbfacc24c8a99e9e9be8cd8f764dba7d4f7927e.exe
1880	9b61e86cf6899344b6e9564e1dbfacc24c8a99e9e9be8cd8f764dba7d4f7927e.exe
2776	notepad.exe
2776	notepad.exe
2836	systemefile.exe
2836	systemefile.exe
2708	systemefile.exe
2708	systemefile.exe
2552	notepad.exe
2552	notepad.exe
344	systemstability.exe
344	systemstability.exe
2596	systemefile.exe
268	notepad.exe
268	notepad.exe
1920	systemefile.exe
1920	systemefile.exe
2612	systemefile.exe
2612	systemefile.exe
2500	systemefile.exe
2500	systemefile.exe
2852	systemefile.exe
2852	systemefile.exe
2944	notepad.exe
2944	notepad.exe
2700	systemefile.exe
2700	systemefile.exe
2604	systemefile.exe
2620	notepad.exe
2620	notepad.exe
2712	notepad.exe
2712	notepad.exe
2000	notepad.exe
2000	notepad.exe
3008	systemefile.exe
3008	systemefile.exe
1920	systemefile.exe
1920	systemefile.exe
1624	notepad.exe
1624	notepad.exe
2960	systemefile.exe
2960	systemefile.exe
2104	notepad.exe
2104	notepad.exe
2904	systemefile.exe
2904	systemefile.exe
2624	systemefile.exe
2624	systemefile.exe
1824	notepad.exe
1824	notepad.exe
2668	notepad.exe
2668	notepad.exe
1648	notepad.exe
1648	notepad.exe
2872	notepad.exe
2872	notepad.exe

Adds Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\systemfiles878 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\systemfiles878.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\NetWire = "C:\\Users\\Admin\\AppData\\Roaming\\appdata\\systemefile.exe"	systemefile.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\systemfiles878 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\systemfiles878.js\""	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\systemfiles878 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\systemfiles878.js\""	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\lfQEWRrrdw = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\lfQEWRrrdw.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\lfQEWRrrdw = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\lfQEWRrrdw.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\systemfiles878 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\systemfiles878.js\""	wscript.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	systemstability.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
7	ip-api.com

Suspicious use of SetThreadContext 64 IoCs

description	pid	Process	procid_target
PID 2836 set thread context of 2708	2836	systemefile.exe	35
PID 344 set thread context of 2368	344	systemstability.exe	42
PID 1920 set thread context of 1960	1920	systemefile.exe	46
PID 2612 set thread context of 380	2612	systemefile.exe	48
PID 2068 set thread context of 2504	2068	systemefile.exe	55
PID 2960 set thread context of 2168	2960	systemefile.exe	58
PID 876 set thread context of 300	876	systemefile.exe	61
PID 1572 set thread context of 2500	1572	systemefile.exe	64
PID 2864 set thread context of 2852	2864	systemefile.exe	69
PID 2536 set thread context of 2700	2536	systemefile.exe	74
PID 2248 set thread context of 2604	2248	systemefile.exe	77
PID 1732 set thread context of 2192	1732	systemefile.exe	85
PID 2416 set thread context of 2120	2416	systemefile.exe	87
PID 1996 set thread context of 304	1996	systemefile.exe	91
PID 1032 set thread context of 1356	1032	systemefile.exe	92
PID 288 set thread context of 320	288	systemefile.exe	99
PID 852 set thread context of 1524	852	systemefile.exe	100
PID 2320 set thread context of 1496	2320	systemefile.exe	104
PID 2720 set thread context of 2384	2720	systemefile.exe	106
PID 2212 set thread context of 2112	2212	systemefile.exe	108
PID 1872 set thread context of 1660	1872	systemefile.exe	115
PID 1652 set thread context of 1480	1652	systemefile.exe	114
PID 2992 set thread context of 3036	2992	systemefile.exe	116
PID 3016 set thread context of 2224	3016	systemefile.exe	118
PID 2748 set thread context of 2940	2748	systemefile.exe	125
PID 2576 set thread context of 2816	2576	systemefile.exe	127
PID 2564 set thread context of 3008	2564	systemefile.exe	126
PID 1620 set thread context of 1008	1620	systemefile.exe	133
PID 1684 set thread context of 1900	1684	systemefile.exe	138
PID 1256 set thread context of 1076	1256	systemefile.exe	140
PID 1372 set thread context of 2012	1372	systemefile.exe	142
PID 332 set thread context of 1920	332	systemefile.exe	146
PID 1904 set thread context of 2960	1904	systemefile.exe	151
PID 2952 set thread context of 3028	2952	systemefile.exe	155
PID 1980 set thread context of 2904	1980	systemefile.exe	160
PID 1028 set thread context of 2624	1028	systemefile.exe	162
PID 2780 set thread context of 2476	2780	systemefile.exe	167
PID 2132 set thread context of 1788	2132	systemefile.exe	174
PID 476 set thread context of 2520	476	systemefile.exe	182
PID 376 set thread context of 2548	376	systemefile.exe	180
PID 2008 set thread context of 2068	2008	systemefile.exe	190
PID 1048 set thread context of 652	1048	systemefile.exe	191
PID 2884 set thread context of 1904	2884	systemefile.exe	193
PID 2204 set thread context of 784	2204	systemefile.exe	196
PID 288 set thread context of 1980	288	systemefile.exe	200
PID 2212 set thread context of 2728	2212	systemefile.exe	203
PID 2948 set thread context of 2660	2948	systemefile.exe	204
PID 2648 set thread context of 2616	2648	systemefile.exe	208
PID 2740 set thread context of 2644	2740	systemefile.exe	211
PID 2572 set thread context of 2972	2572	systemefile.exe	217
PID 2588 set thread context of 1500	2588	systemefile.exe	222
PID 532 set thread context of 2364	532	systemefile.exe	223
PID 376 set thread context of 2748	376	systemefile.exe	226
PID 2924 set thread context of 2164	2924	systemefile.exe	237
PID 1956 set thread context of 288	1956	systemefile.exe	238
PID 1624 set thread context of 2752	1624	systemefile.exe	240
PID 1088 set thread context of 2796	1088	systemefile.exe	245
PID 2908 set thread context of 1656	2908	systemefile.exe	247
PID 2316 set thread context of 1620	2316	systemefile.exe	250
PID 2552 set thread context of 2272	2552	systemefile.exe	252
PID 1676 set thread context of 1732	1676	systemefile.exe	258
PID 1708 set thread context of 2912	1708	systemefile.exe	263
PID 2008 set thread context of 2932	2008	systemefile.exe	265
PID 2356 set thread context of 2868	2356	systemefile.exe	268

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2368-118-0x0000000000400000-0x000000000047F000-memory.dmp	upx
behavioral1/memory/2368-102-0x0000000000400000-0x000000000047F000-memory.dmp	upx
behavioral1/memory/2368-106-0x0000000000400000-0x000000000047F000-memory.dmp	upx
behavioral1/memory/2368-98-0x0000000000400000-0x000000000047F000-memory.dmp	upx

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systemefile.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systemefile.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systemefile.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systemefile.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Host.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systemefile.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systemefile.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systemefile.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systemefile.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systemefile.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systemefile.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systemefile.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Host.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Host.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systemefile.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found

NTFS ADS 64 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe:ZoneIdentifier	Process not Found
File opened for modification	C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe:ZoneIdentifier	Process not Found
File opened for modification	C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe:ZoneIdentifier	Process not Found
File opened for modification	C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe:ZoneIdentifier	notepad.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe:ZoneIdentifier	notepad.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe:ZoneIdentifier	Process not Found
File opened for modification	C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe:ZoneIdentifier	Process not Found
File opened for modification	C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe:ZoneIdentifier	Process not Found
File opened for modification	C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe:ZoneIdentifier	notepad.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe:ZoneIdentifier	notepad.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe:ZoneIdentifier	Process not Found
File opened for modification	C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe:ZoneIdentifier	Process not Found
File opened for modification	C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe:ZoneIdentifier	notepad.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe:ZoneIdentifier	notepad.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe:ZoneIdentifier	notepad.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe:ZoneIdentifier	Process not Found
File opened for modification	C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe:ZoneIdentifier	notepad.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe:ZoneIdentifier	notepad.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe:ZoneIdentifier	Process not Found
File opened for modification	C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe:ZoneIdentifier	Process not Found
File opened for modification	C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe:ZoneIdentifier	Process not Found
File opened for modification	C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe:ZoneIdentifier	notepad.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe:ZoneIdentifier	notepad.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe:ZoneIdentifier	notepad.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe:ZoneIdentifier	notepad.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe:ZoneIdentifier	Process not Found
File opened for modification	C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe:ZoneIdentifier	Process not Found
File opened for modification	C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe:ZoneIdentifier	Process not Found
File opened for modification	C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe:ZoneIdentifier	Process not Found
File opened for modification	C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe:ZoneIdentifier	notepad.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe:ZoneIdentifier	notepad.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe:ZoneIdentifier	Process not Found
File opened for modification	C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe:ZoneIdentifier	notepad.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe:ZoneIdentifier	notepad.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe:ZoneIdentifier	Process not Found
File opened for modification	C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe:ZoneIdentifier	Process not Found
File opened for modification	C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe:ZoneIdentifier	Process not Found
File opened for modification	C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe:ZoneIdentifier	notepad.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe:ZoneIdentifier	notepad.exe
File created	C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe:ZoneIdentifier	notepad.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe:ZoneIdentifier	notepad.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe:ZoneIdentifier	Process not Found
File opened for modification	C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe:ZoneIdentifier	Process not Found
File opened for modification	C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe:ZoneIdentifier	Process not Found
File created	C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe:ZoneIdentifier	notepad.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe:ZoneIdentifier	notepad.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe:ZoneIdentifier	notepad.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe:ZoneIdentifier	notepad.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe:ZoneIdentifier	notepad.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe:ZoneIdentifier	Process not Found
File opened for modification	C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe:ZoneIdentifier	Process not Found
File opened for modification	C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe:ZoneIdentifier	notepad.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe:ZoneIdentifier	notepad.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe:ZoneIdentifier	notepad.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe:ZoneIdentifier	notepad.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe:ZoneIdentifier	Process not Found
File opened for modification	C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe:ZoneIdentifier	Process not Found
File opened for modification	C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe:ZoneIdentifier	Process not Found
File opened for modification	C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe:ZoneIdentifier	Process not Found
File opened for modification	C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe:ZoneIdentifier	notepad.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe:ZoneIdentifier	notepad.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe:ZoneIdentifier	Process not Found
File created	C:\Users\Admin\AppData\Roaming\appdata\systemstability.exe:ZoneIdentifier	notepad.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe:ZoneIdentifier	notepad.exe

Script User-Agent 25 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	27	WSHRAT\|78BB4A3F\|MXQFNXLT\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 24/12/2024\|JavaScript-v1.6
HTTP User-Agent header	61	WSHRAT\|78BB4A3F\|MXQFNXLT\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 24/12/2024\|JavaScript-v1.6
HTTP User-Agent header	97	WSHRAT\|78BB4A3F\|MXQFNXLT\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 24/12/2024\|JavaScript-v1.6
HTTP User-Agent header	22	WSHRAT\|78BB4A3F\|MXQFNXLT\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 24/12/2024\|JavaScript-v1.6
HTTP User-Agent header	30	WSHRAT\|78BB4A3F\|MXQFNXLT\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 24/12/2024\|JavaScript-v1.6
HTTP User-Agent header	57	WSHRAT\|78BB4A3F\|MXQFNXLT\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 24/12/2024\|JavaScript-v1.6
HTTP User-Agent header	79	WSHRAT\|78BB4A3F\|MXQFNXLT\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 24/12/2024\|JavaScript-v1.6
HTTP User-Agent header	93	WSHRAT\|78BB4A3F\|MXQFNXLT\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 24/12/2024\|JavaScript-v1.6
HTTP User-Agent header	17	WSHRAT\|78BB4A3F\|MXQFNXLT\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 24/12/2024\|JavaScript-v1.6
HTTP User-Agent header	13	WSHRAT\|78BB4A3F\|MXQFNXLT\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 24/12/2024\|JavaScript-v1.6
HTTP User-Agent header	40	WSHRAT\|78BB4A3F\|MXQFNXLT\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 24/12/2024\|JavaScript-v1.6
HTTP User-Agent header	53	WSHRAT\|78BB4A3F\|MXQFNXLT\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 24/12/2024\|JavaScript-v1.6
HTTP User-Agent header	70	WSHRAT\|78BB4A3F\|MXQFNXLT\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 24/12/2024\|JavaScript-v1.6
HTTP User-Agent header	83	WSHRAT\|78BB4A3F\|MXQFNXLT\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 24/12/2024\|JavaScript-v1.6
HTTP User-Agent header	89	WSHRAT\|78BB4A3F\|MXQFNXLT\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 24/12/2024\|JavaScript-v1.6
HTTP User-Agent header	110	WSHRAT\|78BB4A3F\|MXQFNXLT\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 24/12/2024\|JavaScript-v1.6
HTTP User-Agent header	9	WSHRAT\|78BB4A3F\|MXQFNXLT\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 24/12/2024\|JavaScript-v1.6
HTTP User-Agent header	115	WSHRAT\|78BB4A3F\|MXQFNXLT\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 24/12/2024\|JavaScript-v1.6
HTTP User-Agent header	44	WSHRAT\|78BB4A3F\|MXQFNXLT\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 24/12/2024\|JavaScript-v1.6
HTTP User-Agent header	49	WSHRAT\|78BB4A3F\|MXQFNXLT\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 24/12/2024\|JavaScript-v1.6
HTTP User-Agent header	64	WSHRAT\|78BB4A3F\|MXQFNXLT\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 24/12/2024\|JavaScript-v1.6
HTTP User-Agent header	76	WSHRAT\|78BB4A3F\|MXQFNXLT\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 24/12/2024\|JavaScript-v1.6
HTTP User-Agent header	101	WSHRAT\|78BB4A3F\|MXQFNXLT\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 24/12/2024\|JavaScript-v1.6
HTTP User-Agent header	106	WSHRAT\|78BB4A3F\|MXQFNXLT\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 24/12/2024\|JavaScript-v1.6
HTTP User-Agent header	35	WSHRAT\|78BB4A3F\|MXQFNXLT\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 24/12/2024\|JavaScript-v1.6

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2996	syststemfile.exe
2836	systemefile.exe
2748	systemfiles.exe
2596	systemefile.exe
2596	systemefile.exe
2248	Host.exe
344	systemstability.exe
2596	systemefile.exe
1696	systemstability.exe
1696	systemstability.exe
1920	systemefile.exe
2612	systemefile.exe
680	systemefile.exe
680	systemefile.exe
2196	systemefile.exe
2196	systemefile.exe
1696	systemstability.exe
680	systemefile.exe
2196	systemefile.exe
1696	systemstability.exe
680	systemefile.exe
2196	systemefile.exe
1696	systemstability.exe
680	systemefile.exe
2196	systemefile.exe
1696	systemstability.exe
680	systemefile.exe
2196	systemefile.exe
1696	systemstability.exe
680	systemefile.exe
2196	systemefile.exe
1696	systemstability.exe
680	systemefile.exe
2196	systemefile.exe
1696	systemstability.exe
680	systemefile.exe
2196	systemefile.exe
1696	systemstability.exe
680	systemefile.exe
2196	systemefile.exe
1696	systemstability.exe
680	systemefile.exe
2196	systemefile.exe
1696	systemstability.exe
680	systemefile.exe
2196	systemefile.exe
2068	systemefile.exe
1696	systemstability.exe
752	systemefile.exe
752	systemefile.exe
2196	systemefile.exe
2960	systemefile.exe
984	systemefile.exe
984	systemefile.exe
1696	systemstability.exe
876	systemefile.exe
2196	systemefile.exe
1696	systemstability.exe
2308	systemefile.exe
2308	systemefile.exe
2196	systemefile.exe
1572	systemefile.exe
2124	systemefile.exe
2124	systemefile.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2368	systemstability.exe

Suspicious behavior: MapViewOfSection 64 IoCs

pid	Process
2836	systemefile.exe
344	systemstability.exe
1920	systemefile.exe
2612	systemefile.exe
2068	systemefile.exe
2960	systemefile.exe
876	systemefile.exe
1572	systemefile.exe
2864	systemefile.exe
2536	systemefile.exe
2248	systemefile.exe
1732	systemefile.exe
2416	systemefile.exe
1996	systemefile.exe
1032	systemefile.exe
288	systemefile.exe
852	systemefile.exe
2320	systemefile.exe
2720	systemefile.exe
2212	systemefile.exe
1652	systemefile.exe
1872	systemefile.exe
3016	systemefile.exe
2992	systemefile.exe
2748	systemefile.exe
2576	systemefile.exe
2564	systemefile.exe
1620	systemefile.exe
1684	systemefile.exe
1256	systemefile.exe
1372	systemefile.exe
332	systemefile.exe
1904	systemefile.exe
2952	systemefile.exe
1980	systemefile.exe
1028	systemefile.exe
2780	systemefile.exe
2132	systemefile.exe
376	systemefile.exe
476	systemefile.exe
2008	systemefile.exe
1048	systemefile.exe
2884	systemefile.exe
2204	systemefile.exe
288	systemefile.exe
2212	systemefile.exe
2948	systemefile.exe
2648	systemefile.exe
2740	systemefile.exe
2572	systemefile.exe
2588	systemefile.exe
532	systemefile.exe
376	systemefile.exe
2924	systemefile.exe
1956	systemefile.exe
1624	systemefile.exe
1088	systemefile.exe
2908	systemefile.exe
2316	systemefile.exe
2552	systemefile.exe
1676	systemefile.exe
1708	systemefile.exe
2008	systemefile.exe
2356	systemefile.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2368	systemstability.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1880 wrote to memory of 2996	1880	9b61e86cf6899344b6e9564e1dbfacc24c8a99e9e9be8cd8f764dba7d4f7927e.exe	31
PID 1880 wrote to memory of 2996	1880	9b61e86cf6899344b6e9564e1dbfacc24c8a99e9e9be8cd8f764dba7d4f7927e.exe	31
PID 1880 wrote to memory of 2996	1880	9b61e86cf6899344b6e9564e1dbfacc24c8a99e9e9be8cd8f764dba7d4f7927e.exe	31
PID 1880 wrote to memory of 2996	1880	9b61e86cf6899344b6e9564e1dbfacc24c8a99e9e9be8cd8f764dba7d4f7927e.exe	31
PID 2996 wrote to memory of 2776	2996	syststemfile.exe	32
PID 2996 wrote to memory of 2776	2996	syststemfile.exe	32
PID 2996 wrote to memory of 2776	2996	syststemfile.exe	32
PID 2996 wrote to memory of 2776	2996	syststemfile.exe	32
PID 2996 wrote to memory of 2776	2996	syststemfile.exe	32
PID 2996 wrote to memory of 2776	2996	syststemfile.exe	32
PID 1880 wrote to memory of 2748	1880	9b61e86cf6899344b6e9564e1dbfacc24c8a99e9e9be8cd8f764dba7d4f7927e.exe	122
PID 1880 wrote to memory of 2748	1880	9b61e86cf6899344b6e9564e1dbfacc24c8a99e9e9be8cd8f764dba7d4f7927e.exe	122
PID 1880 wrote to memory of 2748	1880	9b61e86cf6899344b6e9564e1dbfacc24c8a99e9e9be8cd8f764dba7d4f7927e.exe	122
PID 1880 wrote to memory of 2748	1880	9b61e86cf6899344b6e9564e1dbfacc24c8a99e9e9be8cd8f764dba7d4f7927e.exe	122
PID 2776 wrote to memory of 2836	2776	notepad.exe	34
PID 2776 wrote to memory of 2836	2776	notepad.exe	34
PID 2776 wrote to memory of 2836	2776	notepad.exe	34
PID 2776 wrote to memory of 2836	2776	notepad.exe	34
PID 2836 wrote to memory of 2708	2836	systemefile.exe	35
PID 2836 wrote to memory of 2708	2836	systemefile.exe	35
PID 2836 wrote to memory of 2708	2836	systemefile.exe	35
PID 2836 wrote to memory of 2708	2836	systemefile.exe	35
PID 2836 wrote to memory of 2596	2836	systemefile.exe	36
PID 2836 wrote to memory of 2596	2836	systemefile.exe	36
PID 2836 wrote to memory of 2596	2836	systemefile.exe	36
PID 2836 wrote to memory of 2596	2836	systemefile.exe	36
PID 2748 wrote to memory of 2552	2748	systemfiles.exe	37
PID 2748 wrote to memory of 2552	2748	systemfiles.exe	37
PID 2748 wrote to memory of 2552	2748	systemfiles.exe	37
PID 2748 wrote to memory of 2552	2748	systemfiles.exe	37
PID 2748 wrote to memory of 2552	2748	systemfiles.exe	37
PID 2748 wrote to memory of 2552	2748	systemfiles.exe	37
PID 1880 wrote to memory of 2924	1880	9b61e86cf6899344b6e9564e1dbfacc24c8a99e9e9be8cd8f764dba7d4f7927e.exe	38
PID 1880 wrote to memory of 2924	1880	9b61e86cf6899344b6e9564e1dbfacc24c8a99e9e9be8cd8f764dba7d4f7927e.exe	38
PID 1880 wrote to memory of 2924	1880	9b61e86cf6899344b6e9564e1dbfacc24c8a99e9e9be8cd8f764dba7d4f7927e.exe	38
PID 1880 wrote to memory of 2924	1880	9b61e86cf6899344b6e9564e1dbfacc24c8a99e9e9be8cd8f764dba7d4f7927e.exe	38
PID 2708 wrote to memory of 2248	2708	systemefile.exe	39
PID 2708 wrote to memory of 2248	2708	systemefile.exe	39
PID 2708 wrote to memory of 2248	2708	systemefile.exe	39
PID 2708 wrote to memory of 2248	2708	systemefile.exe	39
PID 2248 wrote to memory of 268	2248	Host.exe	40
PID 2248 wrote to memory of 268	2248	Host.exe	40
PID 2248 wrote to memory of 268	2248	Host.exe	40
PID 2248 wrote to memory of 268	2248	Host.exe	40
PID 2248 wrote to memory of 268	2248	Host.exe	40
PID 2248 wrote to memory of 268	2248	Host.exe	40
PID 2552 wrote to memory of 344	2552	notepad.exe	41
PID 2552 wrote to memory of 344	2552	notepad.exe	41
PID 2552 wrote to memory of 344	2552	notepad.exe	41
PID 2552 wrote to memory of 344	2552	notepad.exe	41
PID 344 wrote to memory of 2368	344	systemstability.exe	42
PID 344 wrote to memory of 2368	344	systemstability.exe	42
PID 344 wrote to memory of 2368	344	systemstability.exe	42
PID 344 wrote to memory of 2368	344	systemstability.exe	42
PID 344 wrote to memory of 1696	344	systemstability.exe	43
PID 344 wrote to memory of 1696	344	systemstability.exe	43
PID 344 wrote to memory of 1696	344	systemstability.exe	43
PID 344 wrote to memory of 1696	344	systemstability.exe	43
PID 2596 wrote to memory of 1920	2596	systemefile.exe	146
PID 2596 wrote to memory of 1920	2596	systemefile.exe	146
PID 2596 wrote to memory of 1920	2596	systemefile.exe	146
PID 2596 wrote to memory of 1920	2596	systemefile.exe	146
PID 268 wrote to memory of 2612	268	notepad.exe	45
PID 268 wrote to memory of 2612	268	notepad.exe	45

C:\Users\Admin\AppData\Local\Temp\9b61e86cf6899344b6e9564e1dbfacc24c8a99e9e9be8cd8f764dba7d4f7927e.exe
"C:\Users\Admin\AppData\Local\Temp\9b61e86cf6899344b6e9564e1dbfacc24c8a99e9e9be8cd8f764dba7d4f7927e.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1880
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\syststemfile.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\syststemfile.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2996
- - C:\Windows\SysWOW64\notepad.exe
    "C:\Windows\system32\notepad.exe"
    3⤵
    - Loads dropped DLL
    - NTFS ADS
    - Suspicious use of WriteProcessMemory
    PID:2776
  - - C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
      "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:2836
    - - C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2708
      - C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2248
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        7⤵
        Drops startup file
        Loads dropped DLL
        NTFS ADS
        Suspicious use of WriteProcessMemory
        
        PID:268
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:2612
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        9⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:380
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 380 259450722
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2196
    - - C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2708 259450410
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2596
      - C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:1920
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        7⤵
        Executes dropped EXE
        
        PID:1960
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 1960 259450691
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:680
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:2068
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        9⤵
        Executes dropped EXE
        
        PID:2504
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2504 259451861
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:752
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:2960
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        11⤵
        Executes dropped EXE
        
        PID:2168
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2168 259451970
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:984
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:876
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        13⤵
        Executes dropped EXE
        
        PID:300
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 300 259452095
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2308
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:1572
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2500
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        16⤵
        Executes dropped EXE
        
        PID:3036
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        17⤵
        Drops startup file
        Loads dropped DLL
        NTFS ADS
        
        PID:2944
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:2536
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2700
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        20⤵
        Executes dropped EXE
        
        PID:2596
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        21⤵
        Drops startup file
        Loads dropped DLL
        
        PID:2000
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:852
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        23⤵
        Executes dropped EXE
        
        PID:1524
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 1524 259452844
        23⤵
        Executes dropped EXE
        
        PID:2456
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        24⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:3016
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        25⤵
        
        PID:2224
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2224 259453031
        25⤵
        
        PID:2668
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        26⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:2576
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        27⤵
        
        PID:2816
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2816 259453125
        27⤵
        
        PID:1756
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        28⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:1372
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        29⤵
        
        PID:2012
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2012 259453234
        29⤵
        
        PID:888
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        30⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:2588
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        31⤵
        
        PID:1500
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        32⤵
        
        PID:1188
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        33⤵
        Drops startup file
        NTFS ADS
        
        PID:1572
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        34⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:1676
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        35⤵
        
        PID:1732
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 1732 259454841
        35⤵
        
        PID:2832
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        36⤵
        
        PID:2064
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        37⤵
        
        PID:2460
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2460 259455059
        37⤵
        
        PID:1596
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        38⤵
        
        PID:448
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        39⤵
        
        PID:1152
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 1152 259456604
        39⤵
        
        PID:1872
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        40⤵
        
        PID:3228
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        41⤵
        
        PID:3472
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 3472 259461221
        41⤵
        
        PID:3172
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        42⤵
        
        PID:3496
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        43⤵
        
        PID:3828
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 3828 259462890
        43⤵
        
        PID:3336
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        44⤵
        
        PID:4304
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        45⤵
        
        PID:3452
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 3452 259464528
        45⤵
        
        PID:3908
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 1500 259454342
        31⤵
        
        PID:1416
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        32⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:2908
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        33⤵
        
        PID:1656
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 1656 259454685
        33⤵
        
        PID:2376
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        34⤵
        
        PID:708
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        35⤵
        
        PID:1416
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 1416 259457118
        35⤵
        
        PID:2444
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        36⤵
        
        PID:3812
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        37⤵
        
        PID:4008
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        38⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        39⤵
        Drops startup file
        
        PID:3284
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        40⤵
        
        PID:3744
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        41⤵
        
        PID:3956
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 3956 259459256
        41⤵
        
        PID:3092
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        42⤵
        
        PID:2308
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        43⤵
        
        PID:3384
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 3384 259462547
        43⤵
        
        PID:2400
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        44⤵
        
        PID:3988
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        45⤵
        
        PID:4612
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 4612 259464154
        45⤵
        
        PID:3656
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        46⤵
        
        PID:5000
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 4008 259458429
        37⤵
        
        PID:4020
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        38⤵
        
        PID:3452
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        39⤵
        
        PID:3420
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 3420 259458881
        39⤵
        
        PID:3732
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        40⤵
        
        PID:3944
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        41⤵
        
        PID:4092
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 4092 259459271
        41⤵
        
        PID:3240
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        42⤵
        
        PID:3400
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        43⤵
        
        PID:3880
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 3880 259459568
        43⤵
        
        PID:3656
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        44⤵
        
        PID:3220
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        45⤵
        
        PID:4000
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 4000 259459926
        45⤵
        
        PID:1760
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        46⤵
        
        PID:3184
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        47⤵
        
        PID:3332
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 3332 259461206
        47⤵
        
        PID:3180
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        48⤵
        
        PID:3492
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        49⤵
        
        PID:3736
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 3736 259462922
        49⤵
        
        PID:3264
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        50⤵
        
        PID:4412
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        51⤵
        
        PID:3812
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 3812 259464560
        51⤵
        
        PID:3980
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2700 259452563
        19⤵
        Executes dropped EXE
        
        PID:1684
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:1732
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        21⤵
        Executes dropped EXE
        
        PID:2192
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2192 259452704
        21⤵
        Executes dropped EXE
        
        PID:2932
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:2212
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        23⤵
        
        PID:2112
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2112 259452953
        23⤵
        
        PID:2800
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        24⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:1620
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        25⤵
        
        PID:1008
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 1008 259453187
        25⤵
        
        PID:2016
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        26⤵
        
        PID:268
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        27⤵
        
        PID:1700
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        28⤵
        
        PID:3216
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        29⤵
        Drops startup file
        
        PID:3252
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        30⤵
        
        PID:3452
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        31⤵
        
        PID:3640
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        32⤵
        System Location Discovery: System Language Discovery
        
        PID:4052
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        33⤵
        NTFS ADS
        
        PID:3372
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        34⤵
        
        PID:316
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        35⤵
        
        PID:3772
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        36⤵
        
        PID:3736
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        37⤵
        NTFS ADS
        
        PID:2484
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        38⤵
        
        PID:1020
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        39⤵
        
        PID:2608
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2608 259463031
        39⤵
        
        PID:984
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        40⤵
        
        PID:4604
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        41⤵
        
        PID:1028
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 1028 259464700
        41⤵
        
        PID:5116
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 3772 259458990
        35⤵
        
        PID:3856
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        36⤵
        
        PID:3652
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        37⤵
        
        PID:3920
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 3920 259461533
        37⤵
        
        PID:3088
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        38⤵
        
        PID:3964
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        39⤵
        
        PID:3784
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 3784 259463249
        39⤵
        
        PID:4312
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        40⤵
        
        PID:4972
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        41⤵
        
        PID:3660
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 3640 259458273
        31⤵
        
        PID:3704
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        32⤵
        
        PID:3392
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        33⤵
        
        PID:3436
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 3436 259458788
        33⤵
        
        PID:3620
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        34⤵
        
        PID:3884
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        35⤵
        
        PID:3912
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 3912 259459240
        35⤵
        
        PID:3356
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        36⤵
        
        PID:1756
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        37⤵
        
        PID:3936
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 3936 259462532
        37⤵
        
        PID:3172
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        38⤵
        
        PID:3476
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        39⤵
        
        PID:4624
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 4624 259464170
        39⤵
        
        PID:4484
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        40⤵
        
        PID:4172
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 1700 259455543
        27⤵
        
        PID:1912
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        28⤵
        
        PID:3440
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        29⤵
        
        PID:3676
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 3676 259458288
        29⤵
        
        PID:3772
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        30⤵
        
        PID:3952
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        31⤵
        
        PID:876
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 876 259458632
        31⤵
        
        PID:1912
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        32⤵
        
        PID:4060
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        33⤵
        
        PID:3552
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 3552 259462968
        33⤵
        
        PID:2320
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        34⤵
        
        PID:4460
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        35⤵
        
        PID:3768
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 3768 259464622
        35⤵
        
        PID:2964
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2500 259452173
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2124
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:2864
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2852
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        18⤵
        Executes dropped EXE
        
        PID:2812
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        19⤵
        Loads dropped DLL
        
        PID:2620
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:2416
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        21⤵
        Executes dropped EXE
        
        PID:2120
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2120 259452719
        21⤵
        Executes dropped EXE
        
        PID:2332
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:1996
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        23⤵
        Executes dropped EXE
        
        PID:304
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 304 259452766
        23⤵
        Executes dropped EXE
        
        PID:2600
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        24⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:2320
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        25⤵
        Executes dropped EXE
        
        PID:1496
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 1496 259452875
        25⤵
        Executes dropped EXE
        
        PID:2164
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        26⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:1652
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        27⤵
        
        PID:1480
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 1480 259453000
        27⤵
        
        PID:2780
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        28⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:2748
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        29⤵
        
        PID:2940
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2940 259453094
        29⤵
        
        PID:344
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        30⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:1256
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        31⤵
        
        PID:1076
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 1076 259453234
        31⤵
        
        PID:2184
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        32⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:1624
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        33⤵
        
        PID:2752
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        34⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        35⤵
        NTFS ADS
        
        PID:2132
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        36⤵
        
        PID:2124
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        37⤵
        
        PID:2992
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2992 259455075
        37⤵
        
        PID:2964
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        38⤵
        
        PID:2884
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        39⤵
        
        PID:2656
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2656 259456650
        39⤵
        
        PID:2356
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        40⤵
        
        PID:3756
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        41⤵
        
        PID:3992
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 3992 259461237
        41⤵
        
        PID:3784
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        42⤵
        
        PID:3416
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        43⤵
        
        PID:3564
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 3564 259462906
        43⤵
        
        PID:1824
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        44⤵
        
        PID:4328
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        45⤵
        
        PID:4176
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 4176 259464544
        45⤵
        
        PID:2628
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2752 259454560
        33⤵
        
        PID:2772
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        34⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:2008
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        35⤵
        
        PID:2932
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        36⤵
        
        PID:2536
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        37⤵
        Drops startup file
        NTFS ADS
        
        PID:2632
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        38⤵
        
        PID:1996
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        39⤵
        
        PID:2156
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2156 259455324
        39⤵
        
        PID:2760
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        40⤵
        
        PID:1964
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        41⤵
        
        PID:1164
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 1164 259455683
        41⤵
        
        PID:852
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        42⤵
        
        PID:984
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        43⤵
        
        PID:2412
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2412 259456026
        43⤵
        
        PID:1188
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        44⤵
        
        PID:2324
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        45⤵
        
        PID:916
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 916 259456510
        45⤵
        
        PID:2676
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        46⤵
        
        PID:3196
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        47⤵
        
        PID:868
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 868 259461206
        47⤵
        
        PID:2924
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        48⤵
        
        PID:2856
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        49⤵
        
        PID:3260
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 3260 259462875
        49⤵
        
        PID:3448
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        50⤵
        System Location Discovery: System Language Discovery
        
        PID:4368
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        51⤵
        
        PID:3056
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 3056 259464544
        51⤵
        
        PID:4964
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2932 259454934
        35⤵
        
        PID:1884
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        36⤵
        
        PID:1728
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        37⤵
        
        PID:1156
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 1156 259455262
        37⤵
        
        PID:816
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        38⤵
        
        PID:1020
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        39⤵
        
        PID:640
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 640 259455465
        39⤵
        
        PID:2312
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        40⤵
        
        PID:2944
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        41⤵
        
        PID:1648
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 1648 259457820
        41⤵
        
        PID:2312
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        42⤵
        
        PID:3852
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        43⤵
        
        PID:3340
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 3340 259461190
        43⤵
        
        PID:3704
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        44⤵
        
        PID:3632
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        45⤵
        
        PID:3140
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 3140 259462844
        45⤵
        
        PID:2652
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        46⤵
        
        PID:4248
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        47⤵
        
        PID:5036
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 5036 259464482
        47⤵
        
        PID:3664
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2852 259452423
        17⤵
        Executes dropped EXE
        
        PID:2576
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:2248
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2604
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        20⤵
        Executes dropped EXE
        
        PID:1256
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        21⤵
        Drops startup file
        Loads dropped DLL
        NTFS ADS
        
        PID:2712
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:288
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        23⤵
        Executes dropped EXE
        
        PID:320
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 320 259452828
        23⤵
        Executes dropped EXE
        
        PID:1344
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        24⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:1872
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        25⤵
        
        PID:1660
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 1660 259453000
        25⤵
        
        PID:2796
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        26⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:2564
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        27⤵
        Loads dropped DLL
        
        PID:3008
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        28⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        29⤵
        Drops startup file
        Loads dropped DLL
        NTFS ADS
        
        PID:1624
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        30⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:1904
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        31⤵
        Loads dropped DLL
        
        PID:2960
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        32⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        33⤵
        Drops startup file
        Loads dropped DLL
        NTFS ADS
        
        PID:1824
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        34⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:2780
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        35⤵
        
        PID:2476
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        36⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        37⤵
        Loads dropped DLL
        NTFS ADS
        
        PID:2872
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        38⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:2948
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        39⤵
        
        PID:2660
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2660 259454108
        39⤵
        
        PID:2856
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        40⤵
        
        PID:2952
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        41⤵
        
        PID:2584
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        42⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        43⤵
        Drops startup file
        
        PID:2360
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        44⤵
        
        PID:1344
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        45⤵
        
        PID:1128
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 1128 259455964
        45⤵
        
        PID:824
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        46⤵
        
        PID:2124
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        47⤵
        
        PID:376
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 376 259456323
        47⤵
        
        PID:1048
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        48⤵
        
        PID:2600
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        49⤵
        
        PID:1256
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 1256 259457820
        49⤵
        
        PID:1992
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        50⤵
        
        PID:3216
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        51⤵
        
        PID:3732
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 3732 259461237
        51⤵
        
        PID:2712
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        52⤵
        
        PID:3688
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        53⤵
        
        PID:3600
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 3600 259462922
        53⤵
        
        PID:768
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        54⤵
        
        PID:4404
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        55⤵
        
        PID:1688
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 1688 259464560
        55⤵
        
        PID:2688
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2584 259455371
        41⤵
        
        PID:2204
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        42⤵
        
        PID:3064
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        43⤵
        
        PID:2820
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2820 259455948
        43⤵
        
        PID:1552
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        44⤵
        
        PID:1152
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        45⤵
        
        PID:2632
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2632 259456307
        45⤵
        
        PID:2812
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        46⤵
        
        PID:1344
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        47⤵
        
        PID:2028
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2028 259457774
        47⤵
        
        PID:2608
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        48⤵
        
        PID:3768
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        49⤵
        
        PID:4076
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 4076 259460925
        49⤵
        
        PID:2692
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        50⤵
        
        PID:1992
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        51⤵
        
        PID:3392
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 3392 259462766
        51⤵
        
        PID:3664
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        52⤵
        
        PID:1760
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        53⤵
        
        PID:4912
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 4912 259464388
        53⤵
        
        PID:2404
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2476 259453702
        35⤵
        
        PID:2748
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        36⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:1048
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        37⤵
        
        PID:652
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 652 259453952
        37⤵
        
        PID:816
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        38⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:2648
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        39⤵
        
        PID:2616
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        40⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        41⤵
        NTFS ADS
        
        PID:544
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        42⤵
        
        PID:1088
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        43⤵
        
        PID:2488
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2488 259456916
        43⤵
        
        PID:1760
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        44⤵
        
        PID:2652
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        45⤵
        
        PID:2864
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2864 259457072
        45⤵
        
        PID:2564
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        46⤵
        
        PID:3488
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        47⤵
        
        PID:3684
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 3684 259458288
        47⤵
        
        PID:3760
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        48⤵
        
        PID:3996
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        49⤵
        
        PID:2928
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2928 259458569
        49⤵
        
        PID:3216
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        50⤵
        
        PID:3192
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        51⤵
        
        PID:3464
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        52⤵
        
        PID:3388
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        53⤵
        Drops startup file
        NTFS ADS
        
        PID:3448
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        54⤵
        
        PID:3368
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        55⤵
        
        PID:2484
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2484 259463358
        55⤵
        
        PID:4444
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        56⤵
        
        PID:5100
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        57⤵
        
        PID:3968
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 3464 259460597
        51⤵
        
        PID:2840
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        52⤵
        
        PID:4028
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        53⤵
        
        PID:3120
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 3120 259462875
        53⤵
        
        PID:3308
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        54⤵
        
        PID:4376
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        55⤵
        
        PID:4200
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 4200 259464575
        55⤵
        
        PID:5044
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2616 259454139
        39⤵
        
        PID:2704
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        40⤵
        
        PID:580
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        41⤵
        System Location Discovery: System Language Discovery
        
        PID:1512
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 1512 259456697
        41⤵
        
        PID:2924
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        42⤵
        
        PID:3140
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        43⤵
        
        PID:3528
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 3528 259461424
        43⤵
        
        PID:2184
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        44⤵
        
        PID:1596
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        45⤵
        
        PID:3180
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 3180 259463062
        45⤵
        
        PID:3168
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        46⤵
        
        PID:4596
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        47⤵
        
        PID:2996
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2996 259464684
        47⤵
        
        PID:3264
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2960 259453406
        31⤵
        
        PID:984
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        32⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:1028
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        33⤵
        Loads dropped DLL
        
        PID:2624
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        34⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        35⤵
        Loads dropped DLL
        NTFS ADS
        
        PID:2668
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        36⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:376
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        37⤵
        
        PID:2548
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2548 259453842
        37⤵
        
        PID:2716
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        38⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:288
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        39⤵
        
        PID:1980
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        40⤵
        
        PID:788
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        41⤵
        Drops startup file
        NTFS ADS
        
        PID:2612
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        42⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:1956
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        43⤵
        
        PID:288
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 288 259454544
        43⤵
        
        PID:2992
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        44⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:2552
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        45⤵
        
        PID:2272
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2272 259454732
        45⤵
        
        PID:1992
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        46⤵
        
        PID:1152
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        47⤵
        
        PID:1624
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 1624 259455902
        47⤵
        
        PID:1824
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        48⤵
        
        PID:2204
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        49⤵
        
        PID:2064
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2064 259456494
        49⤵
        
        PID:1692
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        50⤵
        
        PID:4048
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        51⤵
        
        PID:3976
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 3976 259461206
        51⤵
        
        PID:984
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        52⤵
        
        PID:3768
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        53⤵
        
        PID:3580
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 3580 259462844
        53⤵
        
        PID:2628
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        54⤵
        
        PID:4240
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        55⤵
        
        PID:5068
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 5068 259464482
        55⤵
        
        PID:2212
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 1980 259454030
        39⤵
        
        PID:2388
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        40⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:376
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        41⤵
        
        PID:2748
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        42⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        43⤵
        NTFS ADS
        
        PID:2460
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        44⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:2316
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        45⤵
        
        PID:1620
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 1620 259454716
        45⤵
        
        PID:2556
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        46⤵
        
        PID:268
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        47⤵
        
        PID:1984
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 1984 259455980
        47⤵
        
        PID:1756
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        48⤵
        
        PID:2560
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        49⤵
        
        PID:532
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        50⤵
        
        PID:3192
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        51⤵
        NTFS ADS
        
        PID:3280
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        52⤵
        
        PID:3572
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        53⤵
        
        PID:3720
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 3720 259458288
        53⤵
        
        PID:3732
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        54⤵
        
        PID:3936
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        55⤵
        
        PID:2720
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2720 259458585
        55⤵
        
        PID:3288
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        56⤵
        
        PID:1688
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        57⤵
        
        PID:2572
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        58⤵
        
        PID:3296
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        59⤵
        Drops startup file
        NTFS ADS
        
        PID:3944
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        60⤵
        
        PID:4040
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        61⤵
        
        PID:2704
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2704 259462298
        61⤵
        
        PID:3800
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        62⤵
        
        PID:3508
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        63⤵
        
        PID:4360
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 4360 259463967
        63⤵
        
        PID:4160
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        64⤵
        
        PID:3248
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2572 259460082
        57⤵
        
        PID:4052
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        58⤵
        
        PID:2004
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        59⤵
        
        PID:3896
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 3896 259461689
        59⤵
        
        PID:3212
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        60⤵
        
        PID:2964
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        61⤵
        
        PID:2336
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2336 259463343
        61⤵
        
        PID:4432
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        62⤵
        
        PID:5004
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        63⤵
        
        PID:2264
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 532 259456479
        49⤵
        
        PID:1484
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        50⤵
        
        PID:3360
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        51⤵
        
        PID:3404
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 3404 259458148
        51⤵
        
        PID:3420
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        52⤵
        
        PID:3848
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        53⤵
        
        PID:1724
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 1724 259458585
        53⤵
        
        PID:3264
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        54⤵
        
        PID:3152
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        55⤵
        
        PID:3724
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 3724 259460660
        55⤵
        
        PID:1688
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        56⤵
        
        PID:3476
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        57⤵
        
        PID:2772
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2772 259462422
        57⤵
        
        PID:3548
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        58⤵
        
        PID:2724
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        59⤵
        
        PID:4424
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 4424 259464045
        59⤵
        
        PID:4188
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        60⤵
        
        PID:4808
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2748 259454357
        41⤵
        
        PID:2280
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        42⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:1088
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        43⤵
        
        PID:2796
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2796 259454669
        43⤵
        
        PID:2996
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        44⤵
        
        PID:2588
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        45⤵
        
        PID:2000
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        46⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        47⤵
        Drops startup file
        NTFS ADS
        
        PID:2184
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        48⤵
        
        PID:708
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        49⤵
        
        PID:3000
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        50⤵
        System Location Discovery: System Language Discovery
        
        PID:2928
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        51⤵
        NTFS ADS
        
        PID:2756
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        52⤵
        
        PID:768
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        53⤵
        
        PID:1612
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        54⤵
        
        PID:3212
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        55⤵
        
        PID:3468
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        56⤵
        
        PID:3828
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        57⤵
        
        PID:2556
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2556 259459412
        57⤵
        
        PID:3432
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        58⤵
        
        PID:3704
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        59⤵
        
        PID:3996
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 3996 259459942
        59⤵
        
        PID:3476
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        60⤵
        
        PID:3460
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        61⤵
        
        PID:3116
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 3116 259461315
        61⤵
        
        PID:2764
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        62⤵
        
        PID:2536
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        63⤵
        
        PID:3848
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 3848 259463031
        63⤵
        
        PID:3352
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        64⤵
        
        PID:4564
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        65⤵
        
        PID:3940
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 3940 259464653
        65⤵
        
        PID:3424
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 1612 259457384
        53⤵
        
        PID:2596
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        54⤵
        
        PID:3492
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        55⤵
        
        PID:3776
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        56⤵
        
        PID:3796
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        57⤵
        Drops startup file
        NTFS ADS
        
        PID:3996
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        58⤵
        
        PID:2572
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        59⤵
        
        PID:3876
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 3876 259459552
        59⤵
        
        PID:3440
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        60⤵
        
        PID:3596
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        61⤵
        
        PID:3304
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 3304 259460082
        61⤵
        
        PID:3680
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        62⤵
        
        PID:3580
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        63⤵
        
        PID:1484
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 1484 259461424
        63⤵
        
        PID:3344
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        64⤵
        
        PID:3620
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        65⤵
        
        PID:2712
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2712 259463078
        65⤵
        System Location Discovery: System Language Discovery
        
        PID:2284
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        66⤵
        
        PID:4632
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        67⤵
        
        PID:1344
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 1344 259464747
        67⤵
        
        PID:3176
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 3776 259458990
        55⤵
        
        PID:3992
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        56⤵
        
        PID:492
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        57⤵
        
        PID:3208
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 3208 259459334
        57⤵
        
        PID:3260
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        58⤵
        
        PID:3552
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        59⤵
        
        PID:3668
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 3668 259459458
        59⤵
        
        PID:3616
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        60⤵
        System Location Discovery: System Language Discovery
        
        PID:3736
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        61⤵
        
        PID:2596
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2596 259460004
        61⤵
        
        PID:3660
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        62⤵
        System Location Discovery: System Language Discovery
        
        PID:3952
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        63⤵
        
        PID:2576
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2576 259461330
        63⤵
        
        PID:2676
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        64⤵
        
        PID:3380
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        65⤵
        
        PID:3780
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 3780 259463015
        65⤵
        
        PID:3680
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        66⤵
        
        PID:4556
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        67⤵
        
        PID:2612
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2612 259464653
        67⤵
        
        PID:316
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 3000 259456900
        49⤵
        
        PID:2116
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        50⤵
        
        PID:2704
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        51⤵
        
        PID:2668
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2668 259457274
        51⤵
        
        PID:2528
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        52⤵
        
        PID:3820
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        53⤵
        
        PID:332
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 332 259458616
        53⤵
        
        PID:3364
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        54⤵
        
        PID:3940
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        55⤵
        
        PID:3236
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 3236 259461206
        55⤵
        
        PID:3792
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        56⤵
        
        PID:2636
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        57⤵
        
        PID:3524
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 3524 259462875
        57⤵
        
        PID:3856
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        58⤵
        
        PID:4336
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        59⤵
        
        PID:752
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 752 259464544
        59⤵
        
        PID:3456
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2000 259456089
        45⤵
        
        PID:1708
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        46⤵
        
        PID:344
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        47⤵
        
        PID:2620
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2620 259456744
        47⤵
        
        PID:296
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        48⤵
        
        PID:1020
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        49⤵
        
        PID:2832
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2832 259460894
        49⤵
        
        PID:1708
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        50⤵
        
        PID:3644
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        51⤵
        
        PID:3252
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 3252 259462750
        51⤵
        
        PID:3836
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        52⤵
        
        PID:1692
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        53⤵
        
        PID:4904
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 4904 259464372
        53⤵
        
        PID:3592
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        54⤵
        
        PID:2544
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2624 259453577
        33⤵
        
        PID:2316
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        34⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:2132
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        35⤵
        
        PID:1788
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 1788 259453749
        35⤵
        
        PID:2656
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        36⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:2884
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        37⤵
        
        PID:1904
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 1904 259453967
        37⤵
        
        PID:680
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        38⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:2212
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        39⤵
        
        PID:2728
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2728 259454092
        39⤵
        
        PID:2768
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        40⤵
        
        PID:768
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        41⤵
        
        PID:1424
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 1424 259455449
        41⤵
        
        PID:2028
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        42⤵
        
        PID:2780
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        43⤵
        
        PID:3112
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        44⤵
        
        PID:3500
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        45⤵
        NTFS ADS
        
        PID:1608
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        46⤵
        
        PID:3968
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        47⤵
        
        PID:3324
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 3324 259463187
        47⤵
        System Location Discovery: System Language Discovery
        
        PID:4204
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        48⤵
        
        PID:4848
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        49⤵
        
        PID:3604
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 3112 259457945
        43⤵
        
        PID:3124
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        44⤵
        
        PID:3788
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        45⤵
        
        PID:4024
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 4024 259461518
        45⤵
        
        PID:3576
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        46⤵
        
        PID:3484
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        47⤵
        
        PID:4004
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 4004 259463218
        47⤵
        
        PID:4256
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        48⤵
        System Location Discovery: System Language Discovery
        
        PID:4896
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        49⤵
        
        PID:2692
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        50⤵
        
        PID:4448
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 3008 259453125
        27⤵
        
        PID:1556
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        28⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:332
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        29⤵
        Loads dropped DLL
        
        PID:1920
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        30⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        31⤵
        Drops startup file
        Loads dropped DLL
        
        PID:2104
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        32⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:1980
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        33⤵
        Loads dropped DLL
        
        PID:2904
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        34⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        35⤵
        Drops startup file
        Loads dropped DLL
        NTFS ADS
        
        PID:1648
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        36⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:476
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        37⤵
        
        PID:2520
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2520 259453842
        37⤵
        
        PID:1012
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        38⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:2204
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        39⤵
        
        PID:784
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        40⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        41⤵
        Drops startup file
        
        PID:2132
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        42⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:2924
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        43⤵
        
        PID:2164
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        44⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        45⤵
        Drops startup file
        NTFS ADS
        
        PID:1800
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        46⤵
        
        PID:2372
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        47⤵
        
        PID:1604
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 1604 259455075
        47⤵
        
        PID:2720
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        48⤵
        
        PID:824
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        49⤵
        
        PID:680
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 680 259456666
        49⤵
        
        PID:3056
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        50⤵
        
        PID:740
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        51⤵
        
        PID:3204
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 3204 259461424
        51⤵
        
        PID:3628
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        52⤵
        
        PID:3984
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        53⤵
        
        PID:4016
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 4016 259463093
        53⤵
        
        PID:3432
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        54⤵
        
        PID:4688
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        55⤵
        
        PID:3488
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 3488 259464747
        55⤵
        
        PID:4284
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2164 259454529
        43⤵
        
        PID:816
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        44⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:1708
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        45⤵
        
        PID:2912
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2912 259454903
        45⤵
        
        PID:2608
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        46⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:2356
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        47⤵
        
        PID:2868
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        48⤵
        
        PID:2540
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        49⤵
        Drops startup file
        NTFS ADS
        
        PID:888
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        50⤵
        
        PID:1344
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        51⤵
        
        PID:2948
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2948 259455356
        51⤵
        
        PID:2928
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        52⤵
        
        PID:2528
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        53⤵
        
        PID:1012
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        54⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        55⤵
        Drops startup file
        NTFS ADS
        
        PID:2692
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        56⤵
        
        PID:1688
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        57⤵
        
        PID:2208
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2208 259456292
        57⤵
        
        PID:852
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        58⤵
        
        PID:2720
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        59⤵
        
        PID:2248
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2248 259457742
        59⤵
        
        PID:2612
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        60⤵
        
        PID:3716
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        61⤵
        
        PID:3608
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 3608 259460894
        61⤵
        
        PID:2400
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        62⤵
        
        PID:1872
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        63⤵
        
        PID:1600
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 1600 259462719
        63⤵
        
        PID:1880
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        64⤵
        
        PID:3280
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        65⤵
        
        PID:4856
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 4856 259464357
        65⤵
        
        PID:3540
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        66⤵
        
        PID:4268
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 1012 259455652
        53⤵
        
        PID:1608
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        54⤵
        
        PID:2280
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        55⤵
        
        PID:3016
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 3016 259456229
        55⤵
        
        PID:2936
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        56⤵
        
        PID:1596
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        57⤵
        
        PID:2116
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        58⤵
        
        PID:820
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        59⤵
        
        PID:3312
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        60⤵
        
        PID:3524
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        61⤵
        
        PID:3840
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 3840 259458335
        61⤵
        
        PID:3864
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        62⤵
        
        PID:3972
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        63⤵
        System Location Discovery: System Language Discovery
        
        PID:2648
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2648 259458585
        63⤵
        
        PID:3236
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        64⤵
        
        PID:3948
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        65⤵
        
        PID:3884
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 3884 259460831
        65⤵
        
        PID:2432
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        66⤵
        
        PID:3980
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        67⤵
        
        PID:2800
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2800 259462485
        67⤵
        
        PID:2924
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        68⤵
        
        PID:3824
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        69⤵
        
        PID:4580
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 4580 259464138
        69⤵
        
        PID:3496
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        70⤵
        
        PID:4084
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2116 259457649
        57⤵
        
        PID:2016
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        58⤵
        
        PID:3228
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        59⤵
        
        PID:3300
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 3300 259458070
        59⤵
        
        PID:3324
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        60⤵
        
        PID:3508
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        61⤵
        
        PID:3624
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 3624 259458257
        61⤵
        
        PID:3652
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        62⤵
        
        PID:3980
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        63⤵
        
        PID:3104
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 3104 259458600
        63⤵
        
        PID:3348
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        64⤵
        
        PID:3976
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        65⤵
        
        PID:3748
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 3748 259459864
        65⤵
        
        PID:3744
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        66⤵
        
        PID:3936
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        67⤵
        
        PID:4072
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 4072 259461206
        67⤵
        
        PID:3128
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        68⤵
        
        PID:3572
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        69⤵
        
        PID:2564
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2564 259462859
        69⤵
        
        PID:3888
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        70⤵
        
        PID:4384
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        71⤵
        
        PID:3556
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 3556 259464544
        71⤵
        
        PID:3460
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2868 259454966
        47⤵
        
        PID:1188
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        48⤵
        
        PID:1984
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        49⤵
        
        PID:1572
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 1572 259455184
        49⤵
        
        PID:3016
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        50⤵
        
        PID:2356
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        51⤵
        
        PID:2872
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2872 259455418
        51⤵
        
        PID:2648
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        52⤵
        
        PID:1800
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        53⤵
        
        PID:3084
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        54⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        55⤵
        Drops startup file
        NTFS ADS
        
        PID:3604
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        56⤵
        
        PID:3364
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        57⤵
        
        PID:1868
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 1868 259463202
        57⤵
        
        PID:4220
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        58⤵
        
        PID:4864
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        59⤵
        
        PID:4652
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 3084 259457930
        53⤵
        
        PID:3096
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        54⤵
        
        PID:2456
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        55⤵
        
        PID:3160
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 3160 259461549
        55⤵
        
        PID:2724
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        56⤵
        
        PID:2688
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        57⤵
        
        PID:1708
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 1708 259463218
        57⤵
        
        PID:4320
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        58⤵
        
        PID:4980
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        59⤵
        
        PID:4764
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 784 259453998
        39⤵
        
        PID:2308
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        40⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:2572
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        41⤵
        
        PID:2972
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2972 259454279
        41⤵
        
        PID:1216
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        42⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:532
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        43⤵
        
        PID:2364
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        44⤵
        System Location Discovery: System Language Discovery
        
        PID:2052
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        45⤵
        Drops startup file
        
        PID:2268
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        46⤵
        
        PID:1476
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        47⤵
        
        PID:2836
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2836 259455855
        47⤵
        
        PID:2928
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        48⤵
        
        PID:2788
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        49⤵
        
        PID:1816
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 1816 259456260
        49⤵
        
        PID:1724
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        50⤵
        
        PID:2552
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        51⤵
        
        PID:824
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 824 259457805
        51⤵
        
        PID:580
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        52⤵
        
        PID:3508
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        53⤵
        
        PID:3412
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 3412 259461424
        53⤵
        
        PID:2528
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        54⤵
        
        PID:3284
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        55⤵
        
        PID:3804
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 3804 259463046
        55⤵
        
        PID:3512
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        56⤵
        
        PID:4588
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        57⤵
        
        PID:1800
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 1800 259464716
        57⤵
        
        PID:3712
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2364 259454342
        43⤵
        
        PID:2656
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        44⤵
        
        PID:2404
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        45⤵
        
        PID:2952
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2952 259455792
        45⤵
        
        PID:2004
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        46⤵
        
        PID:2116
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        47⤵
        
        PID:1728
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        48⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        49⤵
        Drops startup file
        
        PID:2680
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        50⤵
        
        PID:1476
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        51⤵
        
        PID:2592
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2592 259456947
        51⤵
        
        PID:2680
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        52⤵
        
        PID:2124
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        53⤵
        
        PID:2760
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2760 259457134
        53⤵
        
        PID:1652
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        54⤵
        
        PID:3912
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        55⤵
        
        PID:2600
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2600 259458600
        55⤵
        
        PID:3340
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        56⤵
        
        PID:2576
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        57⤵
        
        PID:4020
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 4020 259460020
        57⤵
        
        PID:3524
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        58⤵
        
        PID:4068
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        59⤵
        
        PID:3500
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 3500 259461346
        59⤵
        
        PID:2652
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        60⤵
        
        PID:4048
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        61⤵
        
        PID:3152
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 3152 259463046
        61⤵
        
        PID:3544
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        62⤵
        
        PID:4640
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        63⤵
        
        PID:4492
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 4492 259464747
        63⤵
        
        PID:3200
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 1728 259456089
        47⤵
        
        PID:2528
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        48⤵
        
        PID:1612
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        49⤵
        
        PID:2908
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2908 259456635
        49⤵
        
        PID:2684
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        50⤵
        
        PID:3120
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        51⤵
        
        PID:3272
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 3272 259461440
        51⤵
        
        PID:756
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        52⤵
        
        PID:2788
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        53⤵
        
        PID:1372
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 1372 259463109
        53⤵
        
        PID:4112
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        54⤵
        
        PID:4728
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        55⤵
        System Location Discovery: System Language Discovery
        
        PID:3492
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2904 259453546
        33⤵
        
        PID:1760
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        34⤵
        
        PID:2964
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        35⤵
        
        PID:1988
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 1988 259453764
        35⤵
        
        PID:2544
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        36⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:2008
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        37⤵
        
        PID:2068
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2068 259453952
        37⤵
        
        PID:752
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        38⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        
        PID:2740
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        39⤵
        
        PID:2644
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2644 259454170
        39⤵
        
        PID:2684
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        40⤵
        
        PID:2332
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        41⤵
        
        PID:2372
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2372 259455356
        41⤵
        
        PID:2680
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        42⤵
        
        PID:2564
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        43⤵
        
        PID:2240
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2240 259455714
        43⤵
        
        PID:2924
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        44⤵
        
        PID:532
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        45⤵
        
        PID:1032
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 1032 259456058
        45⤵
        
        PID:2924
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        46⤵
        
        PID:2620
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        47⤵
        
        PID:2740
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2740 259456416
        47⤵
        
        PID:1684
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        48⤵
        
        PID:2128
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        49⤵
        
        PID:3480
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 3480 259460909
        49⤵
        
        PID:296
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        50⤵
        
        PID:3520
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        51⤵
        
        PID:3536
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 3536 259462656
        51⤵
        
        PID:3604
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        52⤵
        
        PID:3192
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        53⤵
        
        PID:4744
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 4744 259464294
        53⤵
        
        PID:4520
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        54⤵
        
        PID:3888
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 1920 259453312
        29⤵
        
        PID:1188
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        30⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:2952
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        31⤵
        
        PID:3028
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        32⤵
        
        PID:2588
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        33⤵
        Drops startup file
        NTFS ADS
        
        PID:2536
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        34⤵
        
        PID:2832
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        35⤵
        
        PID:2416
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2416 259457087
        35⤵
        
        PID:2432
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        36⤵
        
        PID:3928
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        37⤵
        
        PID:2124
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2124 259458538
        37⤵
        
        PID:852
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        38⤵
        
        PID:3764
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        39⤵
        
        PID:492
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 492 259459911
        39⤵
        
        PID:3276
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        40⤵
        
        PID:3064
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        41⤵
        
        PID:2964
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2964 259461206
        41⤵
        
        PID:2316
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        42⤵
        
        PID:2716
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        43⤵
        
        PID:3288
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 3288 259462875
        43⤵
        
        PID:1608
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        44⤵
        
        PID:4352
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        45⤵
        
        PID:4184
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 4184 259464560
        45⤵
        
        PID:1672
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 3028 259453499
        31⤵
        
        PID:1868
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        32⤵
        
        PID:2404
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        33⤵
        
        PID:1676
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        34⤵
        
        PID:1476
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        35⤵
        Drops startup file
        
        PID:2376
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        36⤵
        
        PID:2204
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        37⤵
        
        PID:1088
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        38⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        39⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        NTFS ADS
        
        PID:2200
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        40⤵
        
        PID:2764
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        41⤵
        
        PID:1048
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        42⤵
        
        PID:3888
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        43⤵
        Drops startup file
        NTFS ADS
        
        PID:2264
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        44⤵
        
        PID:3456
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        45⤵
        
        PID:3344
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 3344 259463202
        45⤵
        
        PID:4232
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        46⤵
        
        PID:4880
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        47⤵
        
        PID:2736
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        48⤵
        
        PID:4316
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        49⤵
        NTFS ADS
        
        PID:4112
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 1048 259457742
        41⤵
        
        PID:2792
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        42⤵
        
        PID:2736
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        43⤵
        
        PID:3296
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 3296 259461424
        43⤵
        
        PID:3264
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        44⤵
        
        PID:3584
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        45⤵
        
        PID:3636
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 3636 259463093
        45⤵
        
        PID:4012
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        46⤵
        
        PID:4696
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        47⤵
        
        PID:4516
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 4516 259464747
        47⤵
        
        PID:3548
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 1088 259457321
        37⤵
        
        PID:2608
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        38⤵
        
        PID:1344
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        39⤵
        
        PID:2588
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2588 259457540
        39⤵
        
        PID:1204
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        40⤵
        
        PID:708
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        41⤵
        
        PID:3076
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 3076 259457945
        41⤵
        
        PID:3144
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        42⤵
        
        PID:3560
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        43⤵
        
        PID:3132
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 3132 259461221
        43⤵
        
        PID:2608
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        44⤵
        
        PID:1476
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        45⤵
        
        PID:3124
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 3124 259462875
        45⤵
        
        PID:3616
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        46⤵
        
        PID:4344
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        47⤵
        
        PID:2172
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2172 259464544
        47⤵
        
        PID:2840
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 1676 259456978
        33⤵
        
        PID:2128
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        34⤵
        
        PID:2204
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        35⤵
        
        PID:448
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        36⤵
        
        PID:2124
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        37⤵
        Drops startup file
        NTFS ADS
        
        PID:1868
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        38⤵
        
        PID:2308
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        39⤵
        
        PID:2732
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2732 259457477
        39⤵
        
        PID:2928
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        40⤵
        
        PID:332
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        41⤵
        
        PID:2332
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2332 259457774
        41⤵
        
        PID:2692
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        42⤵
        
        PID:3968
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        43⤵
        
        PID:3372
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 3372 259460909
        43⤵
        
        PID:3736
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        44⤵
        
        PID:1692
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        45⤵
        
        PID:3960
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 3960 259462656
        45⤵
        
        PID:3952
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        46⤵
        
        PID:3244
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        47⤵
        
        PID:4736
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 4736 259464294
        47⤵
        
        PID:2400
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        48⤵
        
        PID:4116
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 448 259457196
        35⤵
        
        PID:708
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        36⤵
        
        PID:820
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        37⤵
        
        PID:2884
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        38⤵
        
        PID:708
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        39⤵
        Drops startup file
        
        PID:3376
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        40⤵
        
        PID:3512
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        41⤵
        
        PID:2444
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2444 259458850
        41⤵
        System Location Discovery: System Language Discovery
        
        PID:3844
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        42⤵
        
        PID:2736
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        43⤵
        
        PID:3924
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        44⤵
        
        PID:3336
        
        C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        45⤵
        Drops startup file
        
        PID:3224
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        46⤵
        
        PID:3392
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        47⤵
        
        PID:1652
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 1652 259459568
        47⤵
        
        PID:3568
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        48⤵
        
        PID:3280
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        49⤵
        
        PID:4056
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 4056 259459802
        49⤵
        
        PID:3500
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        50⤵
        
        PID:3512
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        51⤵
        
        PID:3596
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 3596 259460894
        51⤵
        
        PID:2560
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        52⤵
        
        PID:3452
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        53⤵
        
        PID:2280
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2280 259462703
        53⤵
        
        PID:1684
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        54⤵
        
        PID:3892
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        55⤵
        
        PID:4872
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 4872 259464357
        55⤵
        
        PID:2536
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        56⤵
        
        PID:3368
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 3924 259459131
        43⤵
        
        PID:816
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        44⤵
        
        PID:3212
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        45⤵
        
        PID:3376
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 3376 259459427
        45⤵
        
        PID:3408
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        46⤵
        
        PID:3592
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        47⤵
        
        PID:3932
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 3932 259459630
        47⤵
        
        PID:2780
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        48⤵
        
        PID:3388
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        49⤵
        
        PID:3312
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 3312 259460816
        49⤵
        
        PID:3368
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        50⤵
        
        PID:3680
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        51⤵
        
        PID:976
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 976 259462454
        51⤵
        
        PID:2316
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        52⤵
        
        PID:3092
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        53⤵
        
        PID:4540
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 4540 259464092
        53⤵
        
        PID:344
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        54⤵
        
        PID:2676
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2884 259457415
        37⤵
        
        PID:1188
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        38⤵
        
        PID:3564
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        39⤵
        
        PID:3692
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 3692 259458834
        39⤵
        
        PID:3724
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        40⤵
        
        PID:3752
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        41⤵
        
        PID:3972
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 3972 259459193
        41⤵
        
        PID:2200
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        42⤵
        System Location Discovery: System Language Discovery
        
        PID:3168
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        43⤵
        
        PID:3224
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 3224 259462563
        43⤵
        
        PID:3196
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        44⤵
        
        PID:2828
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        45⤵
        
        PID:4668
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 4668 259464216
        45⤵
        
        PID:4488
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        46⤵
        
        PID:4168
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2604 259452594
        19⤵
        Executes dropped EXE
        
        PID:2736
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:1032
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        21⤵
        Executes dropped EXE
        
        PID:1356
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 1356 259452782
        21⤵
        Executes dropped EXE
        
        PID:1688
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:2720
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        23⤵
        
        PID:2384
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2384 259452906
        23⤵
        Executes dropped EXE
        
        PID:2440
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        24⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:2992
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        25⤵
        
        PID:3036
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 3036 259453016
        25⤵
        
        PID:2572
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        26⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:1684
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        27⤵
        
        PID:1900
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 1900 259453218
        27⤵
        
        PID:448
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        28⤵
        
        PID:1188
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        29⤵
        
        PID:2008
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2008 259455824
        29⤵
        
        PID:1028
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        30⤵
        
        PID:708
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        31⤵
        
        PID:1956
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 1956 259456276
        31⤵
        
        PID:2792
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        32⤵
        
        PID:2664
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        33⤵
        
        PID:2376
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2376 259457836
        33⤵
        
        PID:2944
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        34⤵
        
        PID:4028
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        35⤵
        
        PID:3156
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 3156 259461034
        35⤵
        
        PID:3408
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        36⤵
        
        PID:3360
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        37⤵
        
        PID:2936
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 2936 259462781
        37⤵
        
        PID:2212
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        38⤵
        
        PID:4140
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe"
        39⤵
        
        PID:4936
        
        C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemefile.exe" 2 4936 259464404
        39⤵
        
        PID:1684
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\systemfiles.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\systemfiles.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2748
- - C:\Windows\SysWOW64\notepad.exe
    "C:\Windows\system32\notepad.exe"
    3⤵
    - Drops startup file
    - Loads dropped DLL
    - NTFS ADS
    - Suspicious use of WriteProcessMemory
    PID:2552
  - - C:\Users\Admin\AppData\Roaming\appdata\systemstability.exe
      "C:\Users\Admin\AppData\Roaming\appdata\systemstability.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:344
    - - C:\Users\Admin\AppData\Roaming\appdata\systemstability.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemstability.exe"
        5⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:2368
    - - C:\Users\Admin\AppData\Roaming\appdata\systemstability.exe
        
        "C:\Users\Admin\AppData\Roaming\appdata\systemstability.exe" 2 2368 259450598
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:1696
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\systemfiles878.js"
  2⤵
  - Drops startup file
  - Adds Run key to start application
  PID:2924
- - C:\Windows\SysWOW64\wscript.exe
    "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\lfQEWRrrdw.js"
    3⤵
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
    PID:2804
- - C:\Windows\SysWOW64\wscript.exe
    "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Local\Temp\systemfiles878.js"
    3⤵
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:800
  - - C:\Windows\SysWOW64\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\lfQEWRrrdw.js"
      4⤵
      PID:1688

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\systemfiles878.js

Filesize
385KB

MD5
327faf02e528e6e356fc2e92fd8c1d3e

SHA1
550f1188d669145900135c0300630deebcfadf23

SHA256
03849d530ff832cdb13c5d8dd62772575f3f6c56c7cccf5ecd333d5ea27e6efb

SHA512
a23ee3b5fd140fea5b025676b2bebe9e1efb7ac8b836c83d57e3695a185c3dc676cfd444acd34116239679515fa45de3a5cd639eb5c3991d880d323a1ad56281

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\systemfiles.vbs

Filesize
148B

MD5
6b17a5baf42e2eced60b40326f06d539

SHA1
7e9f1a9d9f83e89cea6eb1442c2a70dfaa9d94a3

SHA256
4dcd87ba10ee62cea3f021b7d91ed36240e9c64d3218bfaf942e1677695cc411

SHA512
13a02f02088552997c07545fae4d2f0f35490398cc5e46e662c4041bdd905cd65b2e00dd957e369f31d6e020d38978ed3ca9525529c0782badf742a6b00ea651

Download Submit
C:\Users\Admin\AppData\Roaming\lfQEWRrrdw.js

Filesize
44KB

MD5
45f5c927b03df5996b42c0eab0e0f7c7

SHA1
a6e990d3c7bc1e94a1c8fd96674ba818f7e0b83e

SHA256
4fe7a0c1b20ae55003849f7de12b0756434b956676d02fbff06daa9c8d85b0f5

SHA512
4716fc8e7485698d9c4c6c6a52c64fef13e737a935ed4d9fb84e31c1e3a403d6f21cfc64f4910e7bbd38275ecafa15a456044ab68f3471d722585decf04077e9

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\systemfiles.exe

Filesize
992KB

MD5
ceb6128a4a0dae23a13dbc714f482ecf

SHA1
fdcac72c933cabc746e21b08c28386fd5cc879be

SHA256
3e7e6c0c683f38597cc9ae71a41b4faec31e07e6244693d4d8e2dfda99e02225

SHA512
0048a91e94854587be92929e11562b69852f32b6e4646ae8342149ff94241f69de5ce9bda43f0102e94e38c417abd341dbcb384261299f955ecc7a4c13a54e1f

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\syststemfile.exe

Filesize
936KB

MD5
a99f34d26fb92545294088aea2850fc2

SHA1
a6d438fc7dc71a5d7cc92076c35604d16147fa1d

SHA256
bb7c29be3684dce97f70dd79c7900955cdb9409c668e195defa5fa2b9a8174aa

SHA512
9bccec87b7597998d3182dfcbc50100fbcfd54524103aff52ea6a13528274c1751c8a550c209fdf25f34b63a306ae4036799fc87f970d0e32f8e62c27e8875fc

Download Submit
memory/300-182-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/344-101-0x0000000000400000-0x00000000004FF000-memory.dmp

Filesize
1020KB

Download
memory/680-160-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/752-167-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/876-179-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/984-176-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/1572-186-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/1920-126-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/1960-157-0x0000000000430000-0x00000000005B1000-memory.dmp

Filesize
1.5MB

Download
memory/1960-124-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1960-158-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2068-166-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/2124-202-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/2168-174-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2248-83-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/2308-184-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/2368-106-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2368-1658-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2368-102-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2368-98-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2368-118-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2368-107-0x00000000003B0000-0x00000000003E8000-memory.dmp

Filesize
224KB

Download
memory/2500-195-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2500-194-0x0000000000430000-0x000000000050F000-memory.dmp

Filesize
892KB

Download
memory/2504-165-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2596-104-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/2612-132-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/2708-78-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2708-66-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2708-58-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2748-67-0x0000000000400000-0x00000000004FF000-memory.dmp

Filesize
1020KB

Download
memory/2776-44-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/2776-25-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/2812-223-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/2836-62-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/2852-213-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2864-206-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/2960-171-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/2996-23-0x0000000000290000-0x000000000029C000-memory.dmp

Filesize
48KB

Download
memory/2996-27-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/2996-22-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2996-24-0x0000000000370000-0x0000000000371000-memory.dmp

Filesize
4KB

Download
memory/3036-201-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download