44caliber | 952ad6a684a3c4bbc00494926a933c68707b80ead10eab3f096d252d9d054e9a

Analysis

max time kernel
99s
max time network
134s
platform
windows10-2004_x64
resource
win10v2004-20250313-en
resource tags

arch:x64arch:x86image:win10v2004-20250313-enlocale:en-usos:windows10-2004-x64system
submitted
10/04/2025, 11:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BootstrapperNew.exe
Size

11.8MB
MD5

00bf4984f80c066ce8f4ecaa93c337bb
SHA1

4662aa890e8a64ead9b9f5b5129fae3ca0c5b60e
SHA256

952ad6a684a3c4bbc00494926a933c68707b80ead10eab3f096d252d9d054e9a
SHA512

f716f2675fa5d506e9d220dea8555c9133af43149fdfb484eaa5f1456446aea15faae78e4dd2162a27e7bf22cee95a369a8e299117ebb1d7627a178b0909799e
SSDEEP

196608:WboBI6F8e90gAT7Mad+xxaCSoh3Buv+6tA56+wDHBV7NeHExxX:Wb4P4T7MTxkC1Sv+UA58DHLi

Score

10^/10

44caliber njrat ???defense_evasion discovery execution persistence privilege_escalation spyware stealer trojan

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

???

pack-amber.gl.at.ply.gg:6863

Mutex

48226f5e709c2b0a3d3ef2e30ef7bca8

Attributes

reg_key
48226f5e709c2b0a3d3ef2e30ef7bca8
splitter
|'|'|

Extracted

Family

44caliber

https://discord.com/api/webhooks/1324859273448128522/35NX8pTWSAG9BYKMS0plx5Cvuvs_8H5JGZj2A702Gn1FEZ64KTjaAl3gNKdJNc1eYdeY

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber
44Caliber family
44caliber
Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4664	powershell.exe
4904	powershell.exe

Modifies Windows Firewall 2 TTPs 1 IoCs

defense_evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
5276	netsh.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	drivEn346.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	sqls715.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\48226f5e709c2b0a3d3ef2e30ef7bca8.exe	Svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\48226f5e709c2b0a3d3ef2e30ef7bca8.exe	Svchost.exe

Executes dropped EXE 64 IoCs

pid	Process
2100	winlogon.exe
2176	sqls346.exe
532	drivEn346.exe
4248	sqls715.exe
5072	drivEn715.exe
6016	Svchost.exe
3872	Svchost.exe
3336	Svchost.exe
2040	Svchost.exe
1372	Svchost.exe
4672	Svchost.exe
5300	Svchost.exe
4756	Svchost.exe
4928	Svchost.exe
2364	Svchost.exe
4904	Svchost.exe
2012	Svchost.exe
2168	Svchost.exe
1712	Svchost.exe
3352	Svchost.exe
1812	Svchost.exe
372	Svchost.exe
4276	Svchost.exe
4420	Svchost.exe
1428	Svchost.exe
3508	Svchost.exe
3400	Svchost.exe
628	Svchost.exe
208	Svchost.exe
5288	Svchost.exe
2492	Svchost.exe
4980	Svchost.exe
5324	Svchost.exe
4388	Svchost.exe
4012	Svchost.exe
4664	Svchost.exe
1820	Svchost.exe
5124	Svchost.exe
1668	Svchost.exe
1672	Svchost.exe
5696	Svchost.exe
3624	Svchost.exe
4752	Svchost.exe
3892	Svchost.exe
2376	Svchost.exe
2676	Svchost.exe
1428	Svchost.exe
2108	Svchost.exe
808	Svchost.exe
5340	Svchost.exe
3644	Svchost.exe
4192	Svchost.exe
4588	Svchost.exe
5524	Svchost.exe
1544	Svchost.exe
4968	Svchost.exe
2448	Svchost.exe
4412	Svchost.exe
5140	Svchost.exe
4276	Svchost.exe
2276	Svchost.exe
6040	Svchost.exe
4808	Svchost.exe
5720	Svchost.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\48226f5e709c2b0a3d3ef2e30ef7bca8 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Svchost.exe\" .."	Svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\48226f5e709c2b0a3d3ef2e30ef7bca8 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Svchost.exe\" .."	Svchost.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
29	freegeoip.app
30	freegeoip.app

Drops autorun.inf file 1 TTPs 5 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File created	F:\autorun.inf	Svchost.exe
File opened for modification	F:\autorun.inf	Svchost.exe
File created	C:\autorun.inf	Svchost.exe
File opened for modification	C:\autorun.inf	Svchost.exe
File created	D:\autorun.inf	Svchost.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\CONFIG	sqls346.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4664	powershell.exe
4664	powershell.exe
4904	powershell.exe
4904	powershell.exe
5072	drivEn715.exe
5072	drivEn715.exe
5072	drivEn715.exe
6016	Svchost.exe
6016	Svchost.exe
6016	Svchost.exe
6016	Svchost.exe
6016	Svchost.exe
6016	Svchost.exe
6016	Svchost.exe
6016	Svchost.exe
6016	Svchost.exe
6016	Svchost.exe
6016	Svchost.exe
6016	Svchost.exe
6016	Svchost.exe
6016	Svchost.exe
6016	Svchost.exe
6016	Svchost.exe
6016	Svchost.exe
6016	Svchost.exe
6016	Svchost.exe
6016	Svchost.exe
6016	Svchost.exe
6016	Svchost.exe
6016	Svchost.exe
6016	Svchost.exe
6016	Svchost.exe
6016	Svchost.exe
6016	Svchost.exe
6016	Svchost.exe
6016	Svchost.exe
6016	Svchost.exe
6016	Svchost.exe
6016	Svchost.exe
6016	Svchost.exe
6016	Svchost.exe
6016	Svchost.exe
6016	Svchost.exe
6016	Svchost.exe
6016	Svchost.exe
6016	Svchost.exe
6016	Svchost.exe
6016	Svchost.exe
6016	Svchost.exe
6016	Svchost.exe
6016	Svchost.exe
6016	Svchost.exe
6016	Svchost.exe
6016	Svchost.exe
6016	Svchost.exe
6016	Svchost.exe
6016	Svchost.exe
6016	Svchost.exe
6016	Svchost.exe
6016	Svchost.exe
6016	Svchost.exe
6016	Svchost.exe
6016	Svchost.exe
6016	Svchost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
6016	Svchost.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeDebugPrivilege	1032	BootstrapperNew.exe
Token: SeDebugPrivilege	4664	powershell.exe
Token: SeDebugPrivilege	4904	powershell.exe
Token: SeDebugPrivilege	2100	winlogon.exe
Token: SeDebugPrivilege	5072	drivEn715.exe
Token: SeDebugPrivilege	6016	Svchost.exe
Token: 33	6016	Svchost.exe
Token: SeIncBasePriorityPrivilege	6016	Svchost.exe
Token: 33	6016	Svchost.exe
Token: SeIncBasePriorityPrivilege	6016	Svchost.exe
Token: 33	6016	Svchost.exe
Token: SeIncBasePriorityPrivilege	6016	Svchost.exe
Token: 33	6016	Svchost.exe
Token: SeIncBasePriorityPrivilege	6016	Svchost.exe
Token: 33	6016	Svchost.exe
Token: SeIncBasePriorityPrivilege	6016	Svchost.exe
Token: 33	6016	Svchost.exe
Token: SeIncBasePriorityPrivilege	6016	Svchost.exe
Token: 33	6016	Svchost.exe
Token: SeIncBasePriorityPrivilege	6016	Svchost.exe
Token: 33	6016	Svchost.exe
Token: SeIncBasePriorityPrivilege	6016	Svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1032 wrote to memory of 4664	1032	BootstrapperNew.exe	91
PID 1032 wrote to memory of 4664	1032	BootstrapperNew.exe	91
PID 1032 wrote to memory of 4904	1032	BootstrapperNew.exe	95
PID 1032 wrote to memory of 4904	1032	BootstrapperNew.exe	95
PID 2100 wrote to memory of 2176	2100	winlogon.exe	101
PID 2100 wrote to memory of 2176	2100	winlogon.exe	101
PID 2100 wrote to memory of 532	2100	winlogon.exe	102
PID 2100 wrote to memory of 532	2100	winlogon.exe	102
PID 532 wrote to memory of 4248	532	drivEn346.exe	103
PID 532 wrote to memory of 4248	532	drivEn346.exe	103
PID 532 wrote to memory of 4248	532	drivEn346.exe	103
PID 532 wrote to memory of 5072	532	drivEn346.exe	104
PID 532 wrote to memory of 5072	532	drivEn346.exe	104
PID 4248 wrote to memory of 6016	4248	sqls715.exe	112
PID 4248 wrote to memory of 6016	4248	sqls715.exe	112
PID 4248 wrote to memory of 6016	4248	sqls715.exe	112
PID 6016 wrote to memory of 5276	6016	Svchost.exe	114
PID 6016 wrote to memory of 5276	6016	Svchost.exe	114
PID 6016 wrote to memory of 5276	6016	Svchost.exe	114
PID 5140 wrote to memory of 3872	5140	cmd.exe	120
PID 5140 wrote to memory of 3872	5140	cmd.exe	120
PID 5140 wrote to memory of 3872	5140	cmd.exe	120
PID 5164 wrote to memory of 3336	5164	cmd.exe	121
PID 5164 wrote to memory of 3336	5164	cmd.exe	121
PID 5164 wrote to memory of 3336	5164	cmd.exe	121
PID 1564 wrote to memory of 2040	1564	cmd.exe	126
PID 1564 wrote to memory of 2040	1564	cmd.exe	126
PID 1564 wrote to memory of 2040	1564	cmd.exe	126
PID 4156 wrote to memory of 1372	4156	cmd.exe	127
PID 4156 wrote to memory of 1372	4156	cmd.exe	127
PID 4156 wrote to memory of 1372	4156	cmd.exe	127
PID 2244 wrote to memory of 4672	2244	cmd.exe	133
PID 2244 wrote to memory of 4672	2244	cmd.exe	133
PID 2244 wrote to memory of 4672	2244	cmd.exe	133
PID 5992 wrote to memory of 5300	5992	cmd.exe	132
PID 5992 wrote to memory of 5300	5992	cmd.exe	132
PID 5992 wrote to memory of 5300	5992	cmd.exe	132
PID 1680 wrote to memory of 4756	1680	cmd.exe	139
PID 1680 wrote to memory of 4756	1680	cmd.exe	139
PID 1680 wrote to memory of 4756	1680	cmd.exe	139
PID 5008 wrote to memory of 4928	5008	cmd.exe	140
PID 5008 wrote to memory of 4928	5008	cmd.exe	140
PID 5008 wrote to memory of 4928	5008	cmd.exe	140
PID 400 wrote to memory of 2364	400	cmd.exe	145
PID 400 wrote to memory of 2364	400	cmd.exe	145
PID 400 wrote to memory of 2364	400	cmd.exe	145
PID 6116 wrote to memory of 4904	6116	cmd.exe	146
PID 6116 wrote to memory of 4904	6116	cmd.exe	146
PID 6116 wrote to memory of 4904	6116	cmd.exe	146
PID 3388 wrote to memory of 2012	3388	cmd.exe	151
PID 3388 wrote to memory of 2012	3388	cmd.exe	151
PID 3388 wrote to memory of 2012	3388	cmd.exe	151
PID 684 wrote to memory of 2168	684	cmd.exe	152
PID 684 wrote to memory of 2168	684	cmd.exe	152
PID 684 wrote to memory of 2168	684	cmd.exe	152
PID 4404 wrote to memory of 3352	4404	cmd.exe	157
PID 4404 wrote to memory of 3352	4404	cmd.exe	157
PID 4404 wrote to memory of 3352	4404	cmd.exe	157
PID 4204 wrote to memory of 1712	4204	cmd.exe	158
PID 4204 wrote to memory of 1712	4204	cmd.exe	158
PID 4204 wrote to memory of 1712	4204	cmd.exe	158
PID 3652 wrote to memory of 1812	3652	cmd.exe	165
PID 3652 wrote to memory of 1812	3652	cmd.exe	165
PID 3652 wrote to memory of 1812	3652	cmd.exe	165

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
"C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1032
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\winlogon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4664
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'winlogon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4904

C:\Users\Admin\AppData\Local\Temp\winlogon.exe
C:\Users\Admin\AppData\Local\Temp\winlogon.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2100
- C:\Users\Admin\AppData\Local\Temp\sqls346.exe
  "C:\Users\Admin\AppData\Local\Temp\sqls346.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:2176
- C:\Users\Admin\AppData\Local\Temp\drivEn346.exe
  "C:\Users\Admin\AppData\Local\Temp\drivEn346.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:532
- - C:\Users\Admin\AppData\Local\Temp\sqls715.exe
    "C:\Users\Admin\AppData\Local\Temp\sqls715.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4248
  - - C:\Users\Admin\AppData\Local\Temp\Svchost.exe
      "C:\Users\Admin\AppData\Local\Temp\Svchost.exe"
      4⤵
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Drops autorun.inf file
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:6016
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" "Svchost.exe" ENABLE
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:5276
- - C:\Users\Admin\AppData\Local\Temp\drivEn715.exe
    "C:\Users\Admin\AppData\Local\Temp\drivEn715.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5072

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
- Suspicious use of WriteProcessMemory
PID:5140
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  - Executes dropped EXE
  PID:3872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
- Suspicious use of WriteProcessMemory
PID:5164
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  - Executes dropped EXE
  PID:3336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
- Suspicious use of WriteProcessMemory
PID:1564
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  - Executes dropped EXE
  PID:2040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
- Suspicious use of WriteProcessMemory
PID:4156
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
- Suspicious use of WriteProcessMemory
PID:2244
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
- Suspicious use of WriteProcessMemory
PID:5992
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
- Suspicious use of WriteProcessMemory
PID:5008
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  - Executes dropped EXE
  PID:4928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
- Suspicious use of WriteProcessMemory
PID:1680
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
- Suspicious use of WriteProcessMemory
PID:6116
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
- Suspicious use of WriteProcessMemory
PID:400
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
- Suspicious use of WriteProcessMemory
PID:684
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2168

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
- Suspicious use of WriteProcessMemory
PID:3388
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
- Suspicious use of WriteProcessMemory
PID:4404
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  - Executes dropped EXE
  PID:3352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
- Suspicious use of WriteProcessMemory
PID:4204
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  - Executes dropped EXE
  PID:1712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:1920
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  - Executes dropped EXE
  PID:372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
- Suspicious use of WriteProcessMemory
PID:3652
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  - Executes dropped EXE
  PID:1812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:4056
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:4080
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:1328
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  - Executes dropped EXE
  PID:3508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:4480
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  - Executes dropped EXE
  PID:1428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:5012
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  - Executes dropped EXE
  PID:628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:2272
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  - Executes dropped EXE
  PID:3400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:5508
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  - Executes dropped EXE
  PID:5288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:1988
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  - Executes dropped EXE
  PID:208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:5412
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:4016
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:5680
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  - Executes dropped EXE
  PID:4388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:5008
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  - Executes dropped EXE
  PID:5324

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:6064
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  - Executes dropped EXE
  PID:4664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:2664
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  - Executes dropped EXE
  PID:4012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:2088
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  - Executes dropped EXE
  PID:1820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:400
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:1372
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:5252
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  - Executes dropped EXE
  PID:1668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:1980
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  - Executes dropped EXE
  PID:5696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:5652
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  - Executes dropped EXE
  PID:3624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:3492
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:3468
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  - Executes dropped EXE
  PID:4752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:5072
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  - Executes dropped EXE
  PID:2676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:5292
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:3348
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  - Executes dropped EXE
  PID:2108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:3440
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:3984
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:6056
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  - Executes dropped EXE
  PID:808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:4944
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  - Executes dropped EXE
  PID:3644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:5160
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  - Executes dropped EXE
  PID:4192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:5796
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  - Executes dropped EXE
  PID:4588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:2748
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:1952
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:5660
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:6084
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  - Executes dropped EXE
  PID:2448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:5604
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  - Executes dropped EXE
  PID:4412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:3888
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  - Executes dropped EXE
  PID:5140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:5216
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  - Executes dropped EXE
  PID:4276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:3088
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:1112
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  - Executes dropped EXE
  PID:6040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:4496
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  - Executes dropped EXE
  PID:5720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:5460
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  - Executes dropped EXE
  PID:4808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:1636
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:3480
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  PID:3420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:5024
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:3548
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:5412
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  PID:4200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:5920
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  PID:3108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:5180
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:4976
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:3976
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:5080
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:5404
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2160

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:2984
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:5712
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  PID:5848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:1728
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  PID:4584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:6076
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  PID:2988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:5332
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  PID:4968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:5660
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:5952
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:4340
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:6096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:5424
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  PID:4744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:4056
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  PID:5968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:5868
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  PID:2108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:4512
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  PID:3036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:3560
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  PID:2412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:2436
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:4780
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  PID:3624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:3484
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:4576
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:4380
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  PID:4632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:5912
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:5616
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  PID:3512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:4980
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:5700
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:5280
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:5048
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:6116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:3936
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  PID:2804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:4768
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  PID:4148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:436
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  PID:4648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:1456
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  PID:5308

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:2012
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  PID:2068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:1312
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:5936
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  PID:6076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:3372
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:3068
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:2888
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  PID:4292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:1476
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:4744
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:6064
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:544
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  PID:5720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:4776
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:5820
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:4512
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  PID:5300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:4404
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:3420
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:5928
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  PID:5412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:4220
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  PID:3612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:4152
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:4608
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  PID:1624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:4204
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:3512
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:2492
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  PID:4800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:5208
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:5012
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  PID:4648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:5144
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:5404
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:2088
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  PID:1564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:880
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  PID:452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:1732
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:2424
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:2356
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  PID:3156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:5088
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  PID:6112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:4348
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:4732
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:4548
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  PID:1936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:4340
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  PID:4536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:4664
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  PID:2256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:544
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  PID:3164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:5692
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  PID:5092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:2284
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  PID:2900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:3400
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  PID:3976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:5024
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  PID:448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:5796
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  PID:3644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:3148
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  PID:6100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:708
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  PID:6108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:3368
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  PID:4660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:2932
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  PID:1572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:5172
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  PID:1012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:5260
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  PID:1716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:4284
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  PID:5108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:5076
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  PID:5516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:4148
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  PID:4276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:4752
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  PID:3232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:3056
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  PID:5404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:1060
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  PID:404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:5816
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  PID:5252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:4652
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  PID:4760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:5528
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  PID:2356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:6116
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  PID:5924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:2168
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  PID:464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:4904
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  PID:2096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:4936
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  PID:528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:5916
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  PID:5288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:3504
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  PID:4744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:3480
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  PID:1360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:5168
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  PID:3356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:4116
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  PID:4624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:2184
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  PID:5800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:4168
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  PID:4944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:5368
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  PID:6072

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:5188
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  PID:3924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:2976
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  PID:1596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:3032
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  PID:1956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:2592
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  PID:1544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:4992
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  PID:1456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:4152
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  PID:2164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:5644
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  PID:5356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:5360
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  PID:3600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:2692
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  PID:832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:4524
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  PID:4676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:2444
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  PID:5244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:3984
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  PID:1036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:4844
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  PID:400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:2960
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  PID:1728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:3848
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  PID:1396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:5204
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  PID:3308

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:5040
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  PID:6084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:4488
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  PID:4500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:4064
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  PID:5736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:2788
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  PID:1848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:5660
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  PID:4732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:4684
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  PID:4528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:1452
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  PID:3968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:4860
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  PID:4116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:4720
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  PID:5616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:4984
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  PID:4800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:5164
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  PID:3572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:5308
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  PID:1316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:5352
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  PID:2748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:5708
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  PID:4084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:4596
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  PID:4392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:2808
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  PID:4668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:5712
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  PID:5384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:1068
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  PID:2936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:6080
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  PID:2436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:4940
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  PID:5608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:1712
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  PID:5172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:4276
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  PID:3552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:2492
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  PID:4380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:1436
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  PID:1064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:4844
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  PID:5824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:2668
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  PID:6116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:4996
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  PID:5452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:5696
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  PID:4500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:4692
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  PID:2712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:5024
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  PID:5968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:3592
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  PID:4732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:3556
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  PID:2908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:2676
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  PID:312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:1708
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  PID:4632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:5532
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  PID:2164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:3488
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  PID:3440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:3496
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  PID:1928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:180
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  PID:4756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:5800
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  PID:5188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:5620
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  PID:2040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:3784
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  PID:4768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:5412
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  PID:2088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:2976
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  PID:4288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:4656
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  PID:3932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:4004
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  PID:2776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:1424
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  PID:1068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:5644
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  PID:3028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:5144
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  PID:4940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:3236
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  PID:5096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:5256
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  PID:1812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Svchost.exe" ..
1⤵
PID:3224
- C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  C:\Users\Admin\AppData\Local\Temp\Svchost.exe ..
  2⤵
  PID:4012

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Replication Through Removable Media

T1091

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\Svchost.exe.log

Filesize
319B

MD5
da4fafeffe21b7cb3a8c170ca7911976

SHA1
50ef77e2451ab60f93f4db88325b897d215be5ad

SHA256
7341a4a13e81cbb5b7f39ec47bb45f84836b08b8d8e3ea231d2c7dad982094f7

SHA512
0bc24b69460f31a0ebc0628b99908d818ee85feb7e4b663271d9375b30cced0cd55a0bbf8edff1281a4c886ddf4476ffc989c283069cdcb1235ffcb265580fc6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
0c56ba5098c530bbd1cdb28d50090d39

SHA1
ff63178ea722ec2db118c81051bf85544fb6b316

SHA256
0299d374c4b984cb0475284b966dfbe8bb08e45b93dabdf327f96a60b05273d1

SHA512
cbbf27ac30e55f4df35ae5aae50d1a2f9475dc2ac0eecf9ce0ab19adef606fff08c26d0eef5686012d36566551179afe09b15c1da1840415b1696f76324a03f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dvsdjpda.y3t.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\drivEn346.exe

Filesize
932KB

MD5
018ac987ca65c1b3735fb6547cbdec89

SHA1
8527fdff802dcbfc7cb2553af57481ec296c2616

SHA256
3d8c4e0c94d374bbe89ff1525d2af5cd4bb72c593dc9b3561eb7c0ed8edf7187

SHA512
7d53443b9fd661cb72e62bd68d353c604038449e7df8235b409b94dca35459863015304a29c0bc245ce6f1c47ad521c66f483844d17e432d0bbdf6444bbcbabf

Download Submit
C:\Users\Admin\AppData\Local\Temp\drivEn715.exe

Filesize
303KB

MD5
c1bd28d151c9557fc0b441f864c7b3d0

SHA1
330ba588d809c8908468178b548afc6ed26fb91a

SHA256
a9136c89f82063ae8f594293fd8738c407eb551c00b04ff147e1e58fbdbab422

SHA512
8126a8741988df068c23911eea05eb28a57222587a3f9a722aed497da89981012c7cc44ff0b51f7d9436b536b1468403ac0276b153d70ee85ec0d77d4045a1ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\sqls346.exe

Filesize
3.4MB

MD5
07b2ed9af56f55a999156738b17848df

SHA1
960e507c0ef860080b573c4e11a76328c8831d08

SHA256
73427b83bd00a8745e5182d2cdb3727e654ae9af5e42befc45903027f6606597

SHA512
3a982d1130b41e6c01943eee7fa546c3da95360afdad03bff434b9211201c80f22bd8bf79d065180010bc0659ee1e71febbfd750320d95811ee26a54ee1b34c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\sqls715.exe

Filesize
41KB

MD5
e7fd7e6b1c211977a7eebc813ae30eb6

SHA1
71aa162721fe79e8083cebe30014151cb688d783

SHA256
e65fc3d18d01825666ffadde232ab009cb99643b40b1b9d1b5f28a36890534c5

SHA512
c82010ec6aca4d55c9c49934c04f2af72519fcc792980873781265e17a9954c340526c162e030750da048d384e109529a64513d27aafab8bd5b04a90d71a9bd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\winlogon.exe

Filesize
11.8MB

MD5
00bf4984f80c066ce8f4ecaa93c337bb

SHA1
4662aa890e8a64ead9b9f5b5129fae3ca0c5b60e

SHA256
952ad6a684a3c4bbc00494926a933c68707b80ead10eab3f096d252d9d054e9a

SHA512
f716f2675fa5d506e9d220dea8555c9133af43149fdfb484eaa5f1456446aea15faae78e4dd2162a27e7bf22cee95a369a8e299117ebb1d7627a178b0909799e

Download Submit
memory/1032-0-0x00007FF835CB3000-0x00007FF835CB5000-memory.dmp

Filesize
8KB

Download
memory/1032-1-0x0000000000080000-0x0000000000C46000-memory.dmp

Filesize
11.8MB

Download
memory/1032-32-0x00007FF835CB3000-0x00007FF835CB5000-memory.dmp

Filesize
8KB

Download
memory/1032-33-0x00007FF835CB0000-0x00007FF836771000-memory.dmp

Filesize
10.8MB

Download
memory/1032-37-0x00007FF835CB0000-0x00007FF836771000-memory.dmp

Filesize
10.8MB

Download
memory/2100-38-0x000000001BA50000-0x000000001C5E4000-memory.dmp

Filesize
11.6MB

Download
memory/2176-114-0x0000020757350000-0x000002075735A000-memory.dmp

Filesize
40KB

Download
memory/2176-118-0x00000207573E0000-0x00000207573EA000-memory.dmp

Filesize
40KB

Download
memory/2176-61-0x00000207388D0000-0x0000020738C40000-memory.dmp

Filesize
3.4MB

Download
memory/2176-119-0x0000020757360000-0x000002075736A000-memory.dmp

Filesize
40KB

Download
memory/2176-120-0x0000020757B30000-0x0000020757B38000-memory.dmp

Filesize
32KB

Download
memory/2176-115-0x00000207573B0000-0x00000207573D6000-memory.dmp

Filesize
152KB

Download
memory/2176-83-0x0000020739000000-0x0000020739010000-memory.dmp

Filesize
64KB

Download
memory/2176-110-0x00000207572F0000-0x00000207572F8000-memory.dmp

Filesize
32KB

Download
memory/2176-112-0x0000020757340000-0x000002075734E000-memory.dmp

Filesize
56KB

Download
memory/2176-111-0x0000020757370000-0x00000207573A8000-memory.dmp

Filesize
224KB

Download
memory/2176-116-0x00000207573F0000-0x00000207573F8000-memory.dmp

Filesize
32KB

Download
memory/2176-113-0x0000020757A00000-0x0000020757B00000-memory.dmp

Filesize
1024KB

Download
memory/2176-117-0x0000020757B00000-0x0000020757B16000-memory.dmp

Filesize
88KB

Download
memory/4664-12-0x00007FF835CB0000-0x00007FF836771000-memory.dmp

Filesize
10.8MB

Download
memory/4664-17-0x00007FF835CB0000-0x00007FF836771000-memory.dmp

Filesize
10.8MB

Download
memory/4664-7-0x0000028E68110000-0x0000028E68132000-memory.dmp

Filesize
136KB

Download
memory/4664-13-0x00007FF835CB0000-0x00007FF836771000-memory.dmp

Filesize
10.8MB

Download
memory/4664-14-0x00007FF835CB0000-0x00007FF836771000-memory.dmp

Filesize
10.8MB

Download
memory/5072-82-0x000001D04C640000-0x000001D04C692000-memory.dmp

Filesize
328KB

Download