glupteba | 1cd649ea4273fd977b6a350bfe8f3b62f1d0aee1408b9966aa3d6ad39ba5af6a

Target

Setup (1).exe
Size

631KB
MD5

cb927513ff8ebff4dd52a47f7e42f934
SHA1

0de47c02a8adc4940a6c18621b4e4a619641d029
SHA256

fd5c970806fba1500cbb6af5328329aeb43b8de3f02d90ec5d8cd1d57711622f
SHA512

988c8fd886a9155b7d190faf2ce6b34d910efcffcf1c6251f18a9d0c804a0ea26a89679273033ac98b200363c536426efd1ae9de445c34e660369abb06f0071c

Score

10^/10

glupteba metasploit redline smokeloader vidar mybirja spspectr backdoor discovery dropper evasion infostealer loader persistence spyware stealer themida trojan

Malware Config

Extracted

Family

redline

Botnet

mybirja

45.14.49.232:63850

Extracted

Family

metasploit

Version

windows/single_exec

Extracted

Family

redline

Botnet

spspectr

135.148.139.222:1494

Extracted

Family

smokeloader

Version

2020

http://readinglistforaugust1.xyz/

http://readinglistforaugust2.xyz/

http://readinglistforaugust3.xyz/

http://readinglistforaugust4.xyz/

http://readinglistforaugust5.xyz/

http://readinglistforaugust6.xyz/

http://readinglistforaugust7.xyz/

http://readinglistforaugust8.xyz/

http://readinglistforaugust9.xyz/

http://readinglistforaugust10.xyz/

http://readinglistforaugust1.site/

http://readinglistforaugust2.site/

http://readinglistforaugust3.site/

http://readinglistforaugust4.site/

http://readinglistforaugust5.site/

http://readinglistforaugust6.site/

http://readinglistforaugust7.site/

http://readinglistforaugust8.site/

http://readinglistforaugust9.site/

http://readinglistforaugust10.site/

rc4.i32

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba Payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4172-290-0x0000000004320000-0x0000000004C46000-memory.dmp	family_glupteba

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rundll32.exe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5236 5016 rundll32.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5236	5016	rundll32.exe

RedLine Payload 17 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\Documents\f3B2g28_3Stjm8TFs3o9q1ry.exe	family_redline
C:\Users\Admin\Documents\f3B2g28_3Stjm8TFs3o9q1ry.exe	family_redline
behavioral1/memory/3564-321-0x0000000000000000-mapping.dmp	family_redline
behavioral1/memory/3564-324-0x0000000000400000-0x0000000000422000-memory.dmp	family_redline
behavioral1/memory/2964-386-0x0000000000000000-mapping.dmp	family_redline
behavioral1/memory/2316-374-0x0000000000000000-mapping.dmp	family_redline
behavioral1/memory/3388-421-0x0000000000000000-mapping.dmp	family_redline
behavioral1/memory/5008-423-0x0000000000000000-mapping.dmp	family_redline
behavioral1/memory/3688-464-0x0000000000000000-mapping.dmp	family_redline
behavioral1/memory/4780-470-0x0000000000000000-mapping.dmp	family_redline
behavioral1/memory/3904-514-0x0000000000000000-mapping.dmp	family_redline
behavioral1/memory/5304-525-0x0000000000000000-mapping.dmp	family_redline
behavioral1/memory/6116-603-0x0000000000000000-mapping.dmp	family_redline
behavioral1/memory/4968-589-0x0000000000000000-mapping.dmp	family_redline
behavioral1/memory/5932-565-0x0000000000000000-mapping.dmp	family_redline
behavioral1/memory/5904-562-0x0000000000000000-mapping.dmp	family_redline
behavioral1/memory/5596-627-0x0000000000000000-mapping.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Suspicious use of NtCreateProcessExOtherParentProcess 49 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeExfJL0iepDHErPA4LGeIYb8a.exeWerFault.exeWerFault.exe7ihstUdeCB5f0aEH12WYsnS4.exeWerFault.exeWerFault.exeWerFault.exePuDPaDWx1Obqt8PXF9O4wMHS.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exePuDPaDWx1Obqt8PXF9O4wMHS.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeExfJL0iepDHErPA4LGeIYb8a.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe7ihstUdeCB5f0aEH12WYsnS4.exeWerFault.exeExfJL0iepDHErPA4LGeIYb8a.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

description	pid	process	target process
PID 2912 created 852	2912	WerFault.exe	a7eOQ8m89hLkZ5wCj3YCri3d.exe
PID 3316 created 1216	3316	WerFault.exe	m2vmfr9COhWqMWWi3vDoqOTM.exe
PID 2992 created 1684	2992	WerFault.exe	tF64MzVNDIE05lc6awRgEYS1.exe
PID 3212 created 4172	3212	WerFault.exe	rDeAVHDGKY2eD1nsRAoQfdiJ.exe
PID 4120 created 72	4120	WerFault.exe	Ax2HRrsbWkooC1V4G82ZKYMW.exe
PID 5596 created 5328	5596	ExfJL0iepDHErPA4LGeIYb8a.exe	rundll32.exe
PID 6468 created 2164	6468	WerFault.exe	2561948.exe
PID 4528 created 4400	4528	WerFault.exe	6950613.exe
PID 6892 created 6160	6892	7ihstUdeCB5f0aEH12WYsnS4.exe	7ihstUdeCB5f0aEH12WYsnS4.exe
PID 6720 created 6352	6720	WerFault.exe	DC96.exe
PID 5648 created 3364	5648	WerFault.exe	explorer.exe
PID 3604 created 1312	3604	WerFault.exe	Spadille.exe
PID 7428 created 5412	7428	PuDPaDWx1Obqt8PXF9O4wMHS.exe	PuDPaDWx1Obqt8PXF9O4wMHS.exe
PID 7272 created 8172	7272	WerFault.exe	PuDPaDWx1Obqt8PXF9O4wMHS.exe
PID 4208 created 1948	4208	WerFault.exe	ExfJL0iepDHErPA4LGeIYb8a.exe
PID 7048 created 7136	7048	WerFault.exe	ExfJL0iepDHErPA4LGeIYb8a.exe
PID 6364 created 8516	6364	WerFault.exe	Spadille.exe
PID 9804 created 9324	9804	WerFault.exe	Spadille.exe
PID 2440 created 10192	2440	WerFault.exe	7ihstUdeCB5f0aEH12WYsnS4.exe
PID 9656 created 10104	9656	WerFault.exe	Spadille.exe
PID 5836 created 6180	5836	WerFault.exe
PID 10368 created 4468	10368	WerFault.exe	ExfJL0iepDHErPA4LGeIYb8a.exe
PID 10536 created 10268	10536	PuDPaDWx1Obqt8PXF9O4wMHS.exe
PID 10992 created 10528	10992	WerFault.exe	PuDPaDWx1Obqt8PXF9O4wMHS.exe
PID 10320 created 3892	10320	WerFault.exe	ExfJL0iepDHErPA4LGeIYb8a.exe
PID 10056 created 5380	10056	WerFault.exe	PuDPaDWx1Obqt8PXF9O4wMHS.exe
PID 4068 created 10192	4068	WerFault.exe	7ihstUdeCB5f0aEH12WYsnS4.exe
PID 11248 created 9232	11248	WerFault.exe	ExfJL0iepDHErPA4LGeIYb8a.exe
PID 10516 created 8548	10516	WerFault.exe	Spadille.exe
PID 8896 created 2460	8896		7ihstUdeCB5f0aEH12WYsnS4.exe
PID 6352 created 1316	6352	ExfJL0iepDHErPA4LGeIYb8a.exe	PuDPaDWx1Obqt8PXF9O4wMHS.exe
PID 10724 created 3516	10724	WerFault.exe	Spadille.exe
PID 11588 created 7108	11588	WerFault.exe
PID 6928 created 3900	6928	WerFault.exe
PID 11948 created 10432	11948	WerFault.exe	PuDPaDWx1Obqt8PXF9O4wMHS.exe
PID 1920 created 8444	1920		Spadille.exe
PID 8512 created 11368	8512		Spadille.exe
PID 4212 created 6488	4212	7ihstUdeCB5f0aEH12WYsnS4.exe	ExfJL0iepDHErPA4LGeIYb8a.exe
PID 12268 created 11816	12268	WerFault.exe
PID 11364 created 10892	11364	ExfJL0iepDHErPA4LGeIYb8a.exe	PuDPaDWx1Obqt8PXF9O4wMHS.exe
PID 8724 created 13196	8724	WerFault.exe	PuDPaDWx1Obqt8PXF9O4wMHS.exe
PID 10376 created 13212	10376	WerFault.exe	Spadille.exe
PID 12684 created 13300	12684	WerFault.exe	Spadille.exe
PID 6744 created 11968	6744	WerFault.exe	Spadille.exe
PID 14500 created 3564	14500	WerFault.exe	ExfJL0iepDHErPA4LGeIYb8a.exe
PID 13268 created 10460	13268	WerFault.exe
PID 14468 created 12176	14468	WerFault.exe	PuDPaDWx1Obqt8PXF9O4wMHS.exe
PID 2760 created 7108	2760	WerFault.exe
PID 15608 created 16136	15608	WerFault.exe

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Vidar Stealer 1 IoCs

stealer

Processes:

resource	yara_rule
behavioral1/memory/852-238-0x0000000003AF0000-0x0000000003BC3000-memory.dmp	family_vidar

Downloads MZ/PE file

Executes dropped EXE 64 IoCs

Processes:

3RqBW1ka8RCC720E906VxNCE.exetF64MzVNDIE05lc6awRgEYS1.exem0FtYtoSqXjXUtg_q4kj3hI1.exerDeAVHDGKY2eD1nsRAoQfdiJ.exebEKUaoPXRmsP0GUxjAhtU1go.exe5TsadmFnX7OpL3zXzhKI7DFF.exe7ihstUdeCB5f0aEH12WYsnS4.exef3B2g28_3Stjm8TFs3o9q1ry.exeAEMRncQyeA2ekoDxo_pyq3Xk.exeA_M463DjscNmdT9jVUu2ZFu7.exea7eOQ8m89hLkZ5wCj3YCri3d.exeAx2HRrsbWkooC1V4G82ZKYMW.exexNq5nNtnxYQvV8QjxQwaEvG3.exeFKQN9l3E4mxMOwo5TLPHHTxl.exeExfJL0iepDHErPA4LGeIYb8a.exe1JJC9YsEjrHhAOXnk1Vw1QTX.exem2vmfr9COhWqMWWi3vDoqOTM.exeLtsPlQqIfinOfr_kXSW7IlfZ.exePuDPaDWx1Obqt8PXF9O4wMHS.exembbZP9KWocu9s5ib2Rj2zb7A.exetWHQWs7dpX5KErvsHd65jzTm.exeSRFqOBJvWdXZF5hr1EG7hjub.exeqbleFXEHQDURxBIu_BagU88B.executm3.exeSRFqOBJvWdXZF5hr1EG7hjub.tmpmd8_8eus.exeinst1.exetWHQWs7dpX5KErvsHd65jzTm.exe1645906.exe7ihstUdeCB5f0aEH12WYsnS4.exePuDPaDWx1Obqt8PXF9O4wMHS.exeAEMRncQyeA2ekoDxo_pyq3Xk.exe2561948.exeExfJL0iepDHErPA4LGeIYb8a.exeSpadille.exePuDPaDWx1Obqt8PXF9O4wMHS.exe7ihstUdeCB5f0aEH12WYsnS4.exe8337570.exe4856436.exeExfJL0iepDHErPA4LGeIYb8a.exe6950613.exe7ihstUdeCB5f0aEH12WYsnS4.exePuDPaDWx1Obqt8PXF9O4wMHS.exeExfJL0iepDHErPA4LGeIYb8a.exeExfJL0iepDHErPA4LGeIYb8a.exeSpadille.exePuDPaDWx1Obqt8PXF9O4wMHS.exe7ihstUdeCB5f0aEH12WYsnS4.exe9840432e051a6fa1192594db02b80a4c1fd73456.exeWinHoster.exePuDPaDWx1Obqt8PXF9O4wMHS.exeExfJL0iepDHErPA4LGeIYb8a.exe7ihstUdeCB5f0aEH12WYsnS4.exePuDPaDWx1Obqt8PXF9O4wMHS.exeExfJL0iepDHErPA4LGeIYb8a.exeSpadille.exe7ihstUdeCB5f0aEH12WYsnS4.exeExfJL0iepDHErPA4LGeIYb8a.exePuDPaDWx1Obqt8PXF9O4wMHS.exebEKUaoPXRmsP0GUxjAhtU1go.exebEKUaoPXRmsP0GUxjAhtU1go.exeSpadille.exe7ihstUdeCB5f0aEH12WYsnS4.exe

pid	process
1192	3RqBW1ka8RCC720E906VxNCE.exe
1684	tF64MzVNDIE05lc6awRgEYS1.exe
1408	m0FtYtoSqXjXUtg_q4kj3hI1.exe
4172	rDeAVHDGKY2eD1nsRAoQfdiJ.exe
4904	bEKUaoPXRmsP0GUxjAhtU1go.exe
4040	5TsadmFnX7OpL3zXzhKI7DFF.exe
2480	7ihstUdeCB5f0aEH12WYsnS4.exe
588	f3B2g28_3Stjm8TFs3o9q1ry.exe
676	AEMRncQyeA2ekoDxo_pyq3Xk.exe
4936	A_M463DjscNmdT9jVUu2ZFu7.exe
852	a7eOQ8m89hLkZ5wCj3YCri3d.exe
72	Ax2HRrsbWkooC1V4G82ZKYMW.exe
344	xNq5nNtnxYQvV8QjxQwaEvG3.exe
1180	FKQN9l3E4mxMOwo5TLPHHTxl.exe
912	ExfJL0iepDHErPA4LGeIYb8a.exe
1344	1JJC9YsEjrHhAOXnk1Vw1QTX.exe
1216	m2vmfr9COhWqMWWi3vDoqOTM.exe
1424	LtsPlQqIfinOfr_kXSW7IlfZ.exe
1464	PuDPaDWx1Obqt8PXF9O4wMHS.exe
1620	mbbZP9KWocu9s5ib2Rj2zb7A.exe
2240	tWHQWs7dpX5KErvsHd65jzTm.exe
2996	SRFqOBJvWdXZF5hr1EG7hjub.exe
2036	qbleFXEHQDURxBIu_BagU88B.exe
3424	cutm3.exe
4752	SRFqOBJvWdXZF5hr1EG7hjub.tmp
5040	md8_8eus.exe
4512	inst1.exe
4344	tWHQWs7dpX5KErvsHd65jzTm.exe
4192	1645906.exe
3564	7ihstUdeCB5f0aEH12WYsnS4.exe
4884	PuDPaDWx1Obqt8PXF9O4wMHS.exe
4504	AEMRncQyeA2ekoDxo_pyq3Xk.exe
2164	2561948.exe
2316	ExfJL0iepDHErPA4LGeIYb8a.exe
4192	1645906.exe
4272	Spadille.exe
780	PuDPaDWx1Obqt8PXF9O4wMHS.exe
2964	7ihstUdeCB5f0aEH12WYsnS4.exe
1180	8337570.exe
2476	4856436.exe
4964	ExfJL0iepDHErPA4LGeIYb8a.exe
4400	6950613.exe
5008	7ihstUdeCB5f0aEH12WYsnS4.exe
3388	PuDPaDWx1Obqt8PXF9O4wMHS.exe
2456	ExfJL0iepDHErPA4LGeIYb8a.exe
3688	ExfJL0iepDHErPA4LGeIYb8a.exe
792	Spadille.exe
2312	PuDPaDWx1Obqt8PXF9O4wMHS.exe
4780	7ihstUdeCB5f0aEH12WYsnS4.exe
5168	9840432e051a6fa1192594db02b80a4c1fd73456.exe
5736	WinHoster.exe
5200	PuDPaDWx1Obqt8PXF9O4wMHS.exe
3904	ExfJL0iepDHErPA4LGeIYb8a.exe
5304	7ihstUdeCB5f0aEH12WYsnS4.exe
5904	PuDPaDWx1Obqt8PXF9O4wMHS.exe
5932	ExfJL0iepDHErPA4LGeIYb8a.exe
4968	Spadille.exe
6116	7ihstUdeCB5f0aEH12WYsnS4.exe
5596	ExfJL0iepDHErPA4LGeIYb8a.exe
5720	PuDPaDWx1Obqt8PXF9O4wMHS.exe
5868	bEKUaoPXRmsP0GUxjAhtU1go.exe
4348	bEKUaoPXRmsP0GUxjAhtU1go.exe
5988	Spadille.exe
3444	7ihstUdeCB5f0aEH12WYsnS4.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

xNq5nNtnxYQvV8QjxQwaEvG3.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	xNq5nNtnxYQvV8QjxQwaEvG3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	xNq5nNtnxYQvV8QjxQwaEvG3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion

Loads dropped DLL 7 IoCs

Processes:

SRFqOBJvWdXZF5hr1EG7hjub.tmprundll32.exerundll32.exe9840432e051a6fa1192594db02b80a4c1fd73456.exe

pid	process
4752	SRFqOBJvWdXZF5hr1EG7hjub.tmp
4752	SRFqOBJvWdXZF5hr1EG7hjub.tmp
5328	rundll32.exe
5608	rundll32.exe
5168	9840432e051a6fa1192594db02b80a4c1fd73456.exe
5168	9840432e051a6fa1192594db02b80a4c1fd73456.exe
5168	9840432e051a6fa1192594db02b80a4c1fd73456.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Themida packer 5 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\Documents\mbbZP9KWocu9s5ib2Rj2zb7A.exe	themida
C:\Users\Admin\Documents\xNq5nNtnxYQvV8QjxQwaEvG3.exe	themida
C:\Users\Admin\Documents\xNq5nNtnxYQvV8QjxQwaEvG3.exe	themida
C:\Users\Admin\Documents\mbbZP9KWocu9s5ib2Rj2zb7A.exe	themida
behavioral1/memory/344-314-0x0000000000980000-0x0000000000981000-memory.dmp	themida

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

1645906.exemsedge.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinHost = "C:\\Users\\Admin\\AppData\\Roaming\\WinHost\\WinHoster.exe"	1645906.exe
Key created	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicrosoftEdgeAutoLaunch_5EFC0ECB77A7585FE9DCDD0B2E946A2B = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --no-startup-window /prefetch:5"	msedge.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

xNq5nNtnxYQvV8QjxQwaEvG3.exemd8_8eus.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	xNq5nNtnxYQvV8QjxQwaEvG3.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	md8_8eus.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 5 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

103 ipinfo.io
3 ipinfo.io
28 ipinfo.io
58 ip-api.com
92 ipinfo.io
Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

Processes:

xNq5nNtnxYQvV8QjxQwaEvG3.exe3E4F.exe

pid process

344 xNq5nNtnxYQvV8QjxQwaEvG3.exe
1620
2988 3E4F.exe
2988 3E4F.exe
2988 3E4F.exe

flow	ioc
103	ipinfo.io
3	ipinfo.io
28	ipinfo.io
58	ip-api.com
92	ipinfo.io

pid	process
344	xNq5nNtnxYQvV8QjxQwaEvG3.exe
1620
2988	3E4F.exe
2988	3E4F.exe
2988	3E4F.exe

Suspicious use of SetThreadContext 64 IoCs

Processes:

7ihstUdeCB5f0aEH12WYsnS4.exeAEMRncQyeA2ekoDxo_pyq3Xk.exeExfJL0iepDHErPA4LGeIYb8a.exePuDPaDWx1Obqt8PXF9O4wMHS.exeSpadille.exebEKUaoPXRmsP0GUxjAhtU1go.exeLtsPlQqIfinOfr_kXSW7IlfZ.exe3RqBW1ka8RCC720E906VxNCE.exe

description	pid	process	target process
PID 2480 set thread context of 3564	2480	7ihstUdeCB5f0aEH12WYsnS4.exe	7ihstUdeCB5f0aEH12WYsnS4.exe
PID 676 set thread context of 4504	676	AEMRncQyeA2ekoDxo_pyq3Xk.exe	AEMRncQyeA2ekoDxo_pyq3Xk.exe
PID 912 set thread context of 2316	912	ExfJL0iepDHErPA4LGeIYb8a.exe	ExfJL0iepDHErPA4LGeIYb8a.exe
PID 2480 set thread context of 2964	2480	7ihstUdeCB5f0aEH12WYsnS4.exe	7ihstUdeCB5f0aEH12WYsnS4.exe
PID 1464 set thread context of 3388	1464	PuDPaDWx1Obqt8PXF9O4wMHS.exe	PuDPaDWx1Obqt8PXF9O4wMHS.exe
PID 2480 set thread context of 5008	2480	7ihstUdeCB5f0aEH12WYsnS4.exe	7ihstUdeCB5f0aEH12WYsnS4.exe
PID 912 set thread context of 3688	912	ExfJL0iepDHErPA4LGeIYb8a.exe	ExfJL0iepDHErPA4LGeIYb8a.exe
PID 2480 set thread context of 4780	2480	7ihstUdeCB5f0aEH12WYsnS4.exe	7ihstUdeCB5f0aEH12WYsnS4.exe
PID 912 set thread context of 3904	912	ExfJL0iepDHErPA4LGeIYb8a.exe	ExfJL0iepDHErPA4LGeIYb8a.exe
PID 2480 set thread context of 5304	2480	7ihstUdeCB5f0aEH12WYsnS4.exe	7ihstUdeCB5f0aEH12WYsnS4.exe
PID 1464 set thread context of 5904	1464	PuDPaDWx1Obqt8PXF9O4wMHS.exe	PuDPaDWx1Obqt8PXF9O4wMHS.exe
PID 912 set thread context of 5932	912	ExfJL0iepDHErPA4LGeIYb8a.exe	ExfJL0iepDHErPA4LGeIYb8a.exe
PID 792 set thread context of 4968	792	Spadille.exe	Spadille.exe
PID 2480 set thread context of 6116	2480	7ihstUdeCB5f0aEH12WYsnS4.exe	7ihstUdeCB5f0aEH12WYsnS4.exe
PID 912 set thread context of 5596	912	ExfJL0iepDHErPA4LGeIYb8a.exe	ExfJL0iepDHErPA4LGeIYb8a.exe
PID 1464 set thread context of 5720	1464	PuDPaDWx1Obqt8PXF9O4wMHS.exe	PuDPaDWx1Obqt8PXF9O4wMHS.exe
PID 4904 set thread context of 4348	4904	bEKUaoPXRmsP0GUxjAhtU1go.exe	bEKUaoPXRmsP0GUxjAhtU1go.exe
PID 792 set thread context of 5988	792	Spadille.exe	Spadille.exe
PID 2480 set thread context of 3444	2480	7ihstUdeCB5f0aEH12WYsnS4.exe	7ihstUdeCB5f0aEH12WYsnS4.exe
PID 1464 set thread context of 5832	1464	PuDPaDWx1Obqt8PXF9O4wMHS.exe	PuDPaDWx1Obqt8PXF9O4wMHS.exe
PID 792 set thread context of 5960	792	Spadille.exe	Spadille.exe
PID 2480 set thread context of 2268	2480	7ihstUdeCB5f0aEH12WYsnS4.exe	7ihstUdeCB5f0aEH12WYsnS4.exe
PID 912 set thread context of 4340	912	ExfJL0iepDHErPA4LGeIYb8a.exe	ExfJL0iepDHErPA4LGeIYb8a.exe
PID 1464 set thread context of 5144	1464	PuDPaDWx1Obqt8PXF9O4wMHS.exe	PuDPaDWx1Obqt8PXF9O4wMHS.exe
PID 792 set thread context of 4156	792	Spadille.exe	Spadille.exe
PID 2480 set thread context of 4936	2480	7ihstUdeCB5f0aEH12WYsnS4.exe	7ihstUdeCB5f0aEH12WYsnS4.exe
PID 912 set thread context of 2456	912	ExfJL0iepDHErPA4LGeIYb8a.exe	ExfJL0iepDHErPA4LGeIYb8a.exe
PID 792 set thread context of 4672	792	Spadille.exe	Spadille.exe
PID 1464 set thread context of 3272	1464	PuDPaDWx1Obqt8PXF9O4wMHS.exe	PuDPaDWx1Obqt8PXF9O4wMHS.exe
PID 2480 set thread context of 6296	2480	7ihstUdeCB5f0aEH12WYsnS4.exe	7ihstUdeCB5f0aEH12WYsnS4.exe
PID 912 set thread context of 6448	912	ExfJL0iepDHErPA4LGeIYb8a.exe	ExfJL0iepDHErPA4LGeIYb8a.exe
PID 1464 set thread context of 6668	1464	PuDPaDWx1Obqt8PXF9O4wMHS.exe	PuDPaDWx1Obqt8PXF9O4wMHS.exe
PID 792 set thread context of 6584	792	Spadille.exe	Spadille.exe
PID 2480 set thread context of 7028	2480	7ihstUdeCB5f0aEH12WYsnS4.exe	7ihstUdeCB5f0aEH12WYsnS4.exe
PID 912 set thread context of 6188	912	ExfJL0iepDHErPA4LGeIYb8a.exe	ExfJL0iepDHErPA4LGeIYb8a.exe
PID 1464 set thread context of 6248	1464	PuDPaDWx1Obqt8PXF9O4wMHS.exe	PuDPaDWx1Obqt8PXF9O4wMHS.exe
PID 1424 set thread context of 7096	1424	LtsPlQqIfinOfr_kXSW7IlfZ.exe	LtsPlQqIfinOfr_kXSW7IlfZ.exe
PID 792 set thread context of 6608	792	Spadille.exe	Spadille.exe
PID 2480 set thread context of 6920	2480	7ihstUdeCB5f0aEH12WYsnS4.exe	7ihstUdeCB5f0aEH12WYsnS4.exe
PID 1192 set thread context of 6728	1192	3RqBW1ka8RCC720E906VxNCE.exe	explorer.exe
PID 792 set thread context of 3992	792	Spadille.exe	Spadille.exe
PID 2480 set thread context of 6500	2480	7ihstUdeCB5f0aEH12WYsnS4.exe	7ihstUdeCB5f0aEH12WYsnS4.exe
PID 1464 set thread context of 4112	1464	PuDPaDWx1Obqt8PXF9O4wMHS.exe	PuDPaDWx1Obqt8PXF9O4wMHS.exe
PID 792 set thread context of 6508	792	Spadille.exe	Spadille.exe
PID 2480 set thread context of 6160	2480	7ihstUdeCB5f0aEH12WYsnS4.exe	7ihstUdeCB5f0aEH12WYsnS4.exe
PID 1464 set thread context of 3076	1464	PuDPaDWx1Obqt8PXF9O4wMHS.exe	PuDPaDWx1Obqt8PXF9O4wMHS.exe
PID 912 set thread context of 6348	912	ExfJL0iepDHErPA4LGeIYb8a.exe	ExfJL0iepDHErPA4LGeIYb8a.exe
PID 2480 set thread context of 7160	2480	7ihstUdeCB5f0aEH12WYsnS4.exe	7ihstUdeCB5f0aEH12WYsnS4.exe
PID 792 set thread context of 5996	792	Spadille.exe	Spadille.exe
PID 1464 set thread context of 2100	1464	PuDPaDWx1Obqt8PXF9O4wMHS.exe	PuDPaDWx1Obqt8PXF9O4wMHS.exe
PID 912 set thread context of 6472	912	ExfJL0iepDHErPA4LGeIYb8a.exe	ExfJL0iepDHErPA4LGeIYb8a.exe
PID 1464 set thread context of 3856	1464	PuDPaDWx1Obqt8PXF9O4wMHS.exe	PuDPaDWx1Obqt8PXF9O4wMHS.exe
PID 912 set thread context of 2372	912	ExfJL0iepDHErPA4LGeIYb8a.exe	ExfJL0iepDHErPA4LGeIYb8a.exe
PID 792 set thread context of 4272	792	Spadille.exe	Spadille.exe
PID 2480 set thread context of 4700	2480	7ihstUdeCB5f0aEH12WYsnS4.exe	7ihstUdeCB5f0aEH12WYsnS4.exe
PID 1464 set thread context of 5024	1464	PuDPaDWx1Obqt8PXF9O4wMHS.exe	PuDPaDWx1Obqt8PXF9O4wMHS.exe
PID 912 set thread context of 4008	912	ExfJL0iepDHErPA4LGeIYb8a.exe	ExfJL0iepDHErPA4LGeIYb8a.exe
PID 792 set thread context of 4308	792	Spadille.exe	Spadille.exe
PID 1464 set thread context of 3140	1464	PuDPaDWx1Obqt8PXF9O4wMHS.exe	PuDPaDWx1Obqt8PXF9O4wMHS.exe
PID 912 set thread context of 3828	912	ExfJL0iepDHErPA4LGeIYb8a.exe	ExfJL0iepDHErPA4LGeIYb8a.exe
PID 2480 set thread context of 1056	2480	7ihstUdeCB5f0aEH12WYsnS4.exe	7ihstUdeCB5f0aEH12WYsnS4.exe
PID 912 set thread context of 5504	912	ExfJL0iepDHErPA4LGeIYb8a.exe	ExfJL0iepDHErPA4LGeIYb8a.exe
PID 792 set thread context of 6980	792	Spadille.exe	Spadille.exe
PID 1464 set thread context of 436	1464	PuDPaDWx1Obqt8PXF9O4wMHS.exe	PuDPaDWx1Obqt8PXF9O4wMHS.exe

Drops file in Program Files directory 18 IoCs

Processes:

8337570.exeExfJL0iepDHErPA4LGeIYb8a.exe1JJC9YsEjrHhAOXnk1Vw1QTX.exemd8_8eus.exe

description	ioc	process
File created	C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe	8337570.exe
File opened for modification	C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe	8337570.exe
File opened for modification	C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe	ExfJL0iepDHErPA4LGeIYb8a.exe
File opened for modification	C:\Program Files (x86)\SmartPDF\SmartPDF\9840432e051a6fa1192594db02b80a4c1fd73456.exe	ExfJL0iepDHErPA4LGeIYb8a.exe
File opened for modification	C:\Program Files (x86)\SmartPDF\SmartPDF\Visit.url	ExfJL0iepDHErPA4LGeIYb8a.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\inst1.exe	1JJC9YsEjrHhAOXnk1Vw1QTX.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\Uninstall.exe	1JJC9YsEjrHhAOXnk1Vw1QTX.exe
File created	C:\Program Files (x86)\SmartPDF\SmartPDF\Uninstall.ini	ExfJL0iepDHErPA4LGeIYb8a.exe
File created	C:\Program Files (x86)\Company\NewProduct\d	md8_8eus.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\d.INTEG.RAW	md8_8eus.exe
File created	C:\Program Files (x86)\Company\NewProduct\tmp.edb	md8_8eus.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\d.jfm	md8_8eus.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\cutm3.exe	1JJC9YsEjrHhAOXnk1Vw1QTX.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\d	md8_8eus.exe
File created	C:\Program Files (x86)\Company\NewProduct\Uninstall.ini	1JJC9YsEjrHhAOXnk1Vw1QTX.exe
File opened for modification	C:\Program Files (x86)\SmartPDF\SmartPDF\Uninstall.exe	ExfJL0iepDHErPA4LGeIYb8a.exe
File created	C:\Program Files (x86)\Company\NewProduct\d.jfm	md8_8eus.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe	1JJC9YsEjrHhAOXnk1Vw1QTX.exe

Drops file in Windows directory 1 IoCs

Processes:

WerFault.exe

description ioc process

File created C:\Windows\AppCompat\Programs\Amcache.hve.tmp WerFault.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\AppCompat\Programs\Amcache.hve.tmp	WerFault.exe

Program crash 64 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
940	1216	WerFault.exe	m2vmfr9COhWqMWWi3vDoqOTM.exe
2956	1684	WerFault.exe	tF64MzVNDIE05lc6awRgEYS1.exe
2656	852	WerFault.exe	a7eOQ8m89hLkZ5wCj3YCri3d.exe
672	4172	WerFault.exe	rDeAVHDGKY2eD1nsRAoQfdiJ.exe
1536	72	WerFault.exe	Ax2HRrsbWkooC1V4G82ZKYMW.exe
5752	5328	WerFault.exe	rundll32.exe
6312	2164	WerFault.exe	2561948.exe
6356	4400	WerFault.exe	6950613.exe
3864	6160	WerFault.exe	7ihstUdeCB5f0aEH12WYsnS4.exe
4632	6352	WerFault.exe	DC96.exe
1104	3364	WerFault.exe	explorer.exe
6752	1312	WerFault.exe	Spadille.exe
1428	5412	WerFault.exe	PuDPaDWx1Obqt8PXF9O4wMHS.exe
488	8172	WerFault.exe	PuDPaDWx1Obqt8PXF9O4wMHS.exe
5752	1948	WerFault.exe	Spadille.exe
7980	7136	WerFault.exe	ExfJL0iepDHErPA4LGeIYb8a.exe
512	8516	WerFault.exe	Spadille.exe
9856	9324	WerFault.exe	Spadille.exe
9768	10192	WerFault.exe	Spadille.exe
9752	10104	WerFault.exe	Spadille.exe
8484	6180	WerFault.exe	Spadille.exe
10432	4468	WerFault.exe	ExfJL0iepDHErPA4LGeIYb8a.exe
10552	10268	WerFault.exe	PuDPaDWx1Obqt8PXF9O4wMHS.exe
11112	10528	WerFault.exe	PuDPaDWx1Obqt8PXF9O4wMHS.exe
6056	3892	WerFault.exe	ExfJL0iepDHErPA4LGeIYb8a.exe
9912	5380	WerFault.exe	PuDPaDWx1Obqt8PXF9O4wMHS.exe
5972	10192	WerFault.exe	7ihstUdeCB5f0aEH12WYsnS4.exe
11224	9232	WerFault.exe	ExfJL0iepDHErPA4LGeIYb8a.exe
8552	8548	WerFault.exe	PuDPaDWx1Obqt8PXF9O4wMHS.exe
7184	2460	WerFault.exe	7ihstUdeCB5f0aEH12WYsnS4.exe
10120	1316	WerFault.exe	PuDPaDWx1Obqt8PXF9O4wMHS.exe
9872	3516	WerFault.exe	7ihstUdeCB5f0aEH12WYsnS4.exe
11648	7108	WerFault.exe	Spadille.exe
7500	3900	WerFault.exe	7ihstUdeCB5f0aEH12WYsnS4.exe
8808	10432	WerFault.exe	PuDPaDWx1Obqt8PXF9O4wMHS.exe
6076	8444	WerFault.exe	PuDPaDWx1Obqt8PXF9O4wMHS.exe
11560	11368	WerFault.exe	Spadille.exe
11356	6488	WerFault.exe	ExfJL0iepDHErPA4LGeIYb8a.exe
3164	11816	WerFault.exe	7ihstUdeCB5f0aEH12WYsnS4.exe
5612	10892	WerFault.exe	PuDPaDWx1Obqt8PXF9O4wMHS.exe
12812	13196	WerFault.exe	PuDPaDWx1Obqt8PXF9O4wMHS.exe
4072	13212	WerFault.exe	Spadille.exe
11664	13300	WerFault.exe	Spadille.exe
13424	11968	WerFault.exe	Spadille.exe
6492	3564	WerFault.exe	ExfJL0iepDHErPA4LGeIYb8a.exe
13444	10460	WerFault.exe	7ihstUdeCB5f0aEH12WYsnS4.exe
13652	12176	WerFault.exe	PuDPaDWx1Obqt8PXF9O4wMHS.exe
12600	7108	WerFault.exe	ExfJL0iepDHErPA4LGeIYb8a.exe
15808	16136	WerFault.exe	PuDPaDWx1Obqt8PXF9O4wMHS.exe
17696	17872
1064	18184
17248	8776
17000	11800
17636	11320
16100	14736
12172	13668
8860	1480
10716	13396
9428	16412
512	10568
13480	16392
9504	1056
14460	12376
11512	11700

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

AEMRncQyeA2ekoDxo_pyq3Xk.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AEMRncQyeA2ekoDxo_pyq3Xk.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AEMRncQyeA2ekoDxo_pyq3Xk.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AEMRncQyeA2ekoDxo_pyq3Xk.exe

Checks processor information in registry 2 TTPs 64 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeSpadille.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeExfJL0iepDHErPA4LGeIYb8a.exeSpadille.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exePuDPaDWx1Obqt8PXF9O4wMHS.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeSpadille.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	Spadille.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Spadille.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	ExfJL0iepDHErPA4LGeIYb8a.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	Spadille.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	PuDPaDWx1Obqt8PXF9O4wMHS.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	Spadille.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2852 schtasks.exe
732 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

5852 timeout.exe

pid	process
2852	schtasks.exe
732	schtasks.exe

pid	process
5852	timeout.exe

Enumerates system info in registry 2 TTPs 64 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WerFault.exeExfJL0iepDHErPA4LGeIYb8a.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeExfJL0iepDHErPA4LGeIYb8a.exeWerFault.exeWerFault.exeWerFault.exeExfJL0iepDHErPA4LGeIYb8a.exeSpadille.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeSpadille.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exePuDPaDWx1Obqt8PXF9O4wMHS.exeWerFault.exeWerFault.exeWerFault.exemsedge.exeWerFault.exeWerFault.exeSpadille.exeWerFault.exeWerFault.exePuDPaDWx1Obqt8PXF9O4wMHS.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	ExfJL0iepDHErPA4LGeIYb8a.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	ExfJL0iepDHErPA4LGeIYb8a.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	ExfJL0iepDHErPA4LGeIYb8a.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	Spadille.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	Spadille.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	ExfJL0iepDHErPA4LGeIYb8a.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	ExfJL0iepDHErPA4LGeIYb8a.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	Spadille.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	PuDPaDWx1Obqt8PXF9O4wMHS.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	ExfJL0iepDHErPA4LGeIYb8a.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	PuDPaDWx1Obqt8PXF9O4wMHS.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	Spadille.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	Spadille.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	PuDPaDWx1Obqt8PXF9O4wMHS.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

416 taskkill.exe

pid	process
416	taskkill.exe

Modifies data under HKEY_USERS 3 IoCs

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache\7\52C64B7E	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache	svchost.exe

Modifies registry class 5 IoCs

Processes:

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5b934b42-522b-4c34-bbfe-37a3ef7b9c90}\Instance\
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f8278c54-a712-415b-b593-b77a2be0dda9}\Instance\
Key created	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	97	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	110	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Setup (1).exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeAEMRncQyeA2ekoDxo_pyq3Xk.exeWerFault.exe

pid	process
4324	Setup (1).exe
4324	Setup (1).exe
2956	WerFault.exe
2956	WerFault.exe
940	WerFault.exe
940	WerFault.exe
2656	WerFault.exe
2656	WerFault.exe
672	WerFault.exe
672	WerFault.exe
4504	AEMRncQyeA2ekoDxo_pyq3Xk.exe
4504	AEMRncQyeA2ekoDxo_pyq3Xk.exe
1536	WerFault.exe
1536	WerFault.exe
3256
3256
3256
3256
3256
3256
3256
3256
3256
3256
3256
3256
3256
3256
3256
3256
3256
3256
3256
3256
3256
3256
3256
3256
3256
3256
3256
3256
3256
3256
3256
3256
3256
3256
3256
3256
3256
3256
3256
3256
3256
3256
3256
3256
3256
3256
3256
3256
3256
3256

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3256

pid	process
3256

Suspicious behavior: MapViewOfSection 43 IoCs

Processes:

AEMRncQyeA2ekoDxo_pyq3Xk.exeexplorer.exe

pid	process
4504	AEMRncQyeA2ekoDxo_pyq3Xk.exe
3256
3256
3256
3256
3256
3256
3256
3256
6728	explorer.exe
6728	explorer.exe
6728	explorer.exe
6728	explorer.exe
3256
3256
6728	explorer.exe
6728	explorer.exe
6728	explorer.exe
6728	explorer.exe
3256
3256
6728	explorer.exe
6728	explorer.exe
3256
3256
6728	explorer.exe
6728	explorer.exe
6728	explorer.exe
6728	explorer.exe
6728	explorer.exe
6728	explorer.exe
3256
3256
3256
3256
6728	explorer.exe
6728	explorer.exe
6728	explorer.exe
6728	explorer.exe
6728	explorer.exe
6728	explorer.exe
6728	explorer.exe
6728	explorer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

A_M463DjscNmdT9jVUu2ZFu7.exeqbleFXEHQDURxBIu_BagU88B.exeWerFault.exeWerFault.exetaskkill.exe2561948.exe6950613.exef3B2g28_3Stjm8TFs3o9q1ry.exexNq5nNtnxYQvV8QjxQwaEvG3.exebEKUaoPXRmsP0GUxjAhtU1go.exe

description	pid	process
Token: SeDebugPrivilege	4936	A_M463DjscNmdT9jVUu2ZFu7.exe
Token: SeDebugPrivilege	2036	qbleFXEHQDURxBIu_BagU88B.exe
Token: SeRestorePrivilege	940	WerFault.exe
Token: SeBackupPrivilege	940	WerFault.exe
Token: SeRestorePrivilege	2956	WerFault.exe
Token: SeBackupPrivilege	2956	WerFault.exe
Token: SeRestorePrivilege	940	WerFault.exe
Token: SeBackupPrivilege	940	WerFault.exe
Token: SeBackupPrivilege	940	WerFault.exe
Token: SeDebugPrivilege	416	taskkill.exe
Token: SeDebugPrivilege	2164	2561948.exe
Token: SeShutdownPrivilege	3256
Token: SeCreatePagefilePrivilege	3256
Token: SeShutdownPrivilege	3256
Token: SeCreatePagefilePrivilege	3256
Token: SeShutdownPrivilege	3256
Token: SeCreatePagefilePrivilege	3256
Token: SeShutdownPrivilege	3256
Token: SeCreatePagefilePrivilege	3256
Token: SeShutdownPrivilege	3256
Token: SeCreatePagefilePrivilege	3256
Token: SeShutdownPrivilege	3256
Token: SeCreatePagefilePrivilege	3256
Token: SeShutdownPrivilege	3256
Token: SeCreatePagefilePrivilege	3256
Token: SeDebugPrivilege	4400	6950613.exe
Token: SeShutdownPrivilege	3256
Token: SeCreatePagefilePrivilege	3256
Token: SeShutdownPrivilege	3256
Token: SeCreatePagefilePrivilege	3256
Token: SeShutdownPrivilege	3256
Token: SeCreatePagefilePrivilege	3256
Token: SeDebugPrivilege	588	f3B2g28_3Stjm8TFs3o9q1ry.exe
Token: SeShutdownPrivilege	3256
Token: SeCreatePagefilePrivilege	3256
Token: SeShutdownPrivilege	3256
Token: SeCreatePagefilePrivilege	3256
Token: SeShutdownPrivilege	3256
Token: SeCreatePagefilePrivilege	3256
Token: SeShutdownPrivilege	3256
Token: SeCreatePagefilePrivilege	3256
Token: SeShutdownPrivilege	3256
Token: SeCreatePagefilePrivilege	3256
Token: SeShutdownPrivilege	3256
Token: SeCreatePagefilePrivilege	3256
Token: SeShutdownPrivilege	3256
Token: SeCreatePagefilePrivilege	3256
Token: SeDebugPrivilege	344	xNq5nNtnxYQvV8QjxQwaEvG3.exe
Token: SeShutdownPrivilege	3256
Token: SeCreatePagefilePrivilege	3256
Token: SeShutdownPrivilege	3256
Token: SeCreatePagefilePrivilege	3256
Token: SeDebugPrivilege	1620
Token: SeShutdownPrivilege	3256
Token: SeCreatePagefilePrivilege	3256
Token: SeDebugPrivilege	4904	bEKUaoPXRmsP0GUxjAhtU1go.exe
Token: SeShutdownPrivilege	3256
Token: SeCreatePagefilePrivilege	3256
Token: SeShutdownPrivilege	3256
Token: SeCreatePagefilePrivilege	3256
Token: SeShutdownPrivilege	3256
Token: SeCreatePagefilePrivilege	3256
Token: SeShutdownPrivilege	3256
Token: SeCreatePagefilePrivilege	3256

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

SRFqOBJvWdXZF5hr1EG7hjub.tmpmsedge.exe

pid process

4752 SRFqOBJvWdXZF5hr1EG7hjub.tmp
1796 msedge.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

D3BC.exe3E4F.exe

pid process

7144 D3BC.exe
2988 3E4F.exe
Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid process

3256

pid	process
7144	D3BC.exe
2988	3E4F.exe

pid	process
3256

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Setup (1).exe

description	pid	process	target process
PID 4324 wrote to memory of 1192	4324	Setup (1).exe	3RqBW1ka8RCC720E906VxNCE.exe
PID 4324 wrote to memory of 1192	4324	Setup (1).exe	3RqBW1ka8RCC720E906VxNCE.exe
PID 4324 wrote to memory of 1192	4324	Setup (1).exe	3RqBW1ka8RCC720E906VxNCE.exe
PID 4324 wrote to memory of 1684	4324	Setup (1).exe	tF64MzVNDIE05lc6awRgEYS1.exe
PID 4324 wrote to memory of 1684	4324	Setup (1).exe	tF64MzVNDIE05lc6awRgEYS1.exe
PID 4324 wrote to memory of 1684	4324	Setup (1).exe	tF64MzVNDIE05lc6awRgEYS1.exe
PID 4324 wrote to memory of 1408	4324	Setup (1).exe	m0FtYtoSqXjXUtg_q4kj3hI1.exe
PID 4324 wrote to memory of 1408	4324	Setup (1).exe	m0FtYtoSqXjXUtg_q4kj3hI1.exe
PID 4324 wrote to memory of 4904	4324	Setup (1).exe	bEKUaoPXRmsP0GUxjAhtU1go.exe
PID 4324 wrote to memory of 4904	4324	Setup (1).exe	bEKUaoPXRmsP0GUxjAhtU1go.exe
PID 4324 wrote to memory of 4904	4324	Setup (1).exe	bEKUaoPXRmsP0GUxjAhtU1go.exe
PID 4324 wrote to memory of 4172	4324	Setup (1).exe	rDeAVHDGKY2eD1nsRAoQfdiJ.exe
PID 4324 wrote to memory of 4172	4324	Setup (1).exe	rDeAVHDGKY2eD1nsRAoQfdiJ.exe
PID 4324 wrote to memory of 4172	4324	Setup (1).exe	rDeAVHDGKY2eD1nsRAoQfdiJ.exe
PID 4324 wrote to memory of 4040	4324	Setup (1).exe	5TsadmFnX7OpL3zXzhKI7DFF.exe
PID 4324 wrote to memory of 4040	4324	Setup (1).exe	5TsadmFnX7OpL3zXzhKI7DFF.exe
PID 4324 wrote to memory of 4040	4324	Setup (1).exe	5TsadmFnX7OpL3zXzhKI7DFF.exe
PID 4324 wrote to memory of 2480	4324	Setup (1).exe	7ihstUdeCB5f0aEH12WYsnS4.exe
PID 4324 wrote to memory of 2480	4324	Setup (1).exe	7ihstUdeCB5f0aEH12WYsnS4.exe
PID 4324 wrote to memory of 2480	4324	Setup (1).exe	7ihstUdeCB5f0aEH12WYsnS4.exe
PID 4324 wrote to memory of 588	4324	Setup (1).exe	f3B2g28_3Stjm8TFs3o9q1ry.exe
PID 4324 wrote to memory of 588	4324	Setup (1).exe	f3B2g28_3Stjm8TFs3o9q1ry.exe
PID 4324 wrote to memory of 588	4324	Setup (1).exe	f3B2g28_3Stjm8TFs3o9q1ry.exe
PID 4324 wrote to memory of 676	4324	Setup (1).exe	AEMRncQyeA2ekoDxo_pyq3Xk.exe
PID 4324 wrote to memory of 676	4324	Setup (1).exe	AEMRncQyeA2ekoDxo_pyq3Xk.exe
PID 4324 wrote to memory of 676	4324	Setup (1).exe	AEMRncQyeA2ekoDxo_pyq3Xk.exe
PID 4324 wrote to memory of 4936	4324	Setup (1).exe	A_M463DjscNmdT9jVUu2ZFu7.exe
PID 4324 wrote to memory of 4936	4324	Setup (1).exe	A_M463DjscNmdT9jVUu2ZFu7.exe
PID 4324 wrote to memory of 852	4324	Setup (1).exe	a7eOQ8m89hLkZ5wCj3YCri3d.exe
PID 4324 wrote to memory of 852	4324	Setup (1).exe	a7eOQ8m89hLkZ5wCj3YCri3d.exe
PID 4324 wrote to memory of 852	4324	Setup (1).exe	a7eOQ8m89hLkZ5wCj3YCri3d.exe
PID 4324 wrote to memory of 72	4324	Setup (1).exe	Ax2HRrsbWkooC1V4G82ZKYMW.exe
PID 4324 wrote to memory of 72	4324	Setup (1).exe	Ax2HRrsbWkooC1V4G82ZKYMW.exe
PID 4324 wrote to memory of 72	4324	Setup (1).exe	Ax2HRrsbWkooC1V4G82ZKYMW.exe
PID 4324 wrote to memory of 344	4324	Setup (1).exe	xNq5nNtnxYQvV8QjxQwaEvG3.exe
PID 4324 wrote to memory of 344	4324	Setup (1).exe	xNq5nNtnxYQvV8QjxQwaEvG3.exe
PID 4324 wrote to memory of 344	4324	Setup (1).exe	xNq5nNtnxYQvV8QjxQwaEvG3.exe
PID 4324 wrote to memory of 1180	4324	Setup (1).exe	FKQN9l3E4mxMOwo5TLPHHTxl.exe
PID 4324 wrote to memory of 1180	4324	Setup (1).exe	FKQN9l3E4mxMOwo5TLPHHTxl.exe
PID 4324 wrote to memory of 1180	4324	Setup (1).exe	FKQN9l3E4mxMOwo5TLPHHTxl.exe
PID 4324 wrote to memory of 912	4324	Setup (1).exe	ExfJL0iepDHErPA4LGeIYb8a.exe
PID 4324 wrote to memory of 912	4324	Setup (1).exe	ExfJL0iepDHErPA4LGeIYb8a.exe
PID 4324 wrote to memory of 912	4324	Setup (1).exe	ExfJL0iepDHErPA4LGeIYb8a.exe
PID 4324 wrote to memory of 1216	4324	Setup (1).exe	m2vmfr9COhWqMWWi3vDoqOTM.exe
PID 4324 wrote to memory of 1216	4324	Setup (1).exe	m2vmfr9COhWqMWWi3vDoqOTM.exe
PID 4324 wrote to memory of 1216	4324	Setup (1).exe	m2vmfr9COhWqMWWi3vDoqOTM.exe
PID 4324 wrote to memory of 1424	4324	Setup (1).exe	LtsPlQqIfinOfr_kXSW7IlfZ.exe
PID 4324 wrote to memory of 1424	4324	Setup (1).exe	LtsPlQqIfinOfr_kXSW7IlfZ.exe
PID 4324 wrote to memory of 1424	4324	Setup (1).exe	LtsPlQqIfinOfr_kXSW7IlfZ.exe
PID 4324 wrote to memory of 1344	4324	Setup (1).exe	1JJC9YsEjrHhAOXnk1Vw1QTX.exe
PID 4324 wrote to memory of 1344	4324	Setup (1).exe	1JJC9YsEjrHhAOXnk1Vw1QTX.exe
PID 4324 wrote to memory of 1344	4324	Setup (1).exe	1JJC9YsEjrHhAOXnk1Vw1QTX.exe
PID 4324 wrote to memory of 1464	4324	Setup (1).exe	PuDPaDWx1Obqt8PXF9O4wMHS.exe
PID 4324 wrote to memory of 1464	4324	Setup (1).exe	PuDPaDWx1Obqt8PXF9O4wMHS.exe
PID 4324 wrote to memory of 1464	4324	Setup (1).exe	PuDPaDWx1Obqt8PXF9O4wMHS.exe
PID 4324 wrote to memory of 1620	4324	Setup (1).exe	mbbZP9KWocu9s5ib2Rj2zb7A.exe
PID 4324 wrote to memory of 1620	4324	Setup (1).exe	mbbZP9KWocu9s5ib2Rj2zb7A.exe
PID 4324 wrote to memory of 1620	4324	Setup (1).exe	mbbZP9KWocu9s5ib2Rj2zb7A.exe
PID 4324 wrote to memory of 2240	4324	Setup (1).exe	tWHQWs7dpX5KErvsHd65jzTm.exe
PID 4324 wrote to memory of 2240	4324	Setup (1).exe	tWHQWs7dpX5KErvsHd65jzTm.exe
PID 4324 wrote to memory of 2240	4324	Setup (1).exe	tWHQWs7dpX5KErvsHd65jzTm.exe
PID 4324 wrote to memory of 2996	4324	Setup (1).exe	SRFqOBJvWdXZF5hr1EG7hjub.exe
PID 4324 wrote to memory of 2996	4324	Setup (1).exe	SRFqOBJvWdXZF5hr1EG7hjub.exe
PID 4324 wrote to memory of 2996	4324	Setup (1).exe	SRFqOBJvWdXZF5hr1EG7hjub.exe

C:\Users\Admin\AppData\Local\Temp\Setup (1).exe
"C:\Users\Admin\AppData\Local\Temp\Setup (1).exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4324

C:\Users\Admin\Documents\3RqBW1ka8RCC720E906VxNCE.exe
"C:\Users\Admin\Documents\3RqBW1ka8RCC720E906VxNCE.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1192

C:\Users\Admin\Documents\3RqBW1ka8RCC720E906VxNCE.exe
"C:\Users\Admin\Documents\3RqBW1ka8RCC720E906VxNCE.exe"
3⤵
PID:6728

C:\Users\Admin\Documents\m0FtYtoSqXjXUtg_q4kj3hI1.exe
"C:\Users\Admin\Documents\m0FtYtoSqXjXUtg_q4kj3hI1.exe"
2⤵
- Executes dropped EXE
PID:1408

C:\Users\Admin\Documents\tF64MzVNDIE05lc6awRgEYS1.exe
"C:\Users\Admin\Documents\tF64MzVNDIE05lc6awRgEYS1.exe"
2⤵
- Executes dropped EXE
PID:1684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1684 -s 296
3⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2956

C:\Users\Admin\Documents\bEKUaoPXRmsP0GUxjAhtU1go.exe
"C:\Users\Admin\Documents\bEKUaoPXRmsP0GUxjAhtU1go.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4904

C:\Users\Admin\Documents\bEKUaoPXRmsP0GUxjAhtU1go.exe
"C:\Users\Admin\Documents\bEKUaoPXRmsP0GUxjAhtU1go.exe"
3⤵
- Executes dropped EXE
PID:5868

C:\Users\Admin\Documents\bEKUaoPXRmsP0GUxjAhtU1go.exe
"C:\Users\Admin\Documents\bEKUaoPXRmsP0GUxjAhtU1go.exe"
3⤵
- Executes dropped EXE
PID:4348

C:\Users\Admin\Documents\rDeAVHDGKY2eD1nsRAoQfdiJ.exe
"C:\Users\Admin\Documents\rDeAVHDGKY2eD1nsRAoQfdiJ.exe"
2⤵
- Executes dropped EXE
PID:4172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4172 -s 280
3⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
PID:672

C:\Users\Admin\Documents\5TsadmFnX7OpL3zXzhKI7DFF.exe
"C:\Users\Admin\Documents\5TsadmFnX7OpL3zXzhKI7DFF.exe"
2⤵
- Executes dropped EXE
PID:4040

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VbsCrIPt: cLOSe( CREAteobjecT ("wScRiPT.ShElL" ).RUN ( "C:\Windows\system32\cmd.exe /C tYpe ""C:\Users\Admin\Documents\5TsadmFnX7OpL3zXzhKI7DFF.exe"" > IQ0V_Fe_.eXE && StaRt IQ0v_FE_.ExE -poRsuYEMryiLi & if """"== """" for %m in ( ""C:\Users\Admin\Documents\5TsadmFnX7OpL3zXzhKI7DFF.exe"" ) do taskkill /iM ""%~NXm"" -F" ,0 , TRUE ))
3⤵
PID:3448

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C tYpe "C:\Users\Admin\Documents\5TsadmFnX7OpL3zXzhKI7DFF.exe" > IQ0V_Fe_.eXE && StaRt IQ0v_FE_.ExE -poRsuYEMryiLi& if ""== "" for %m in ("C:\Users\Admin\Documents\5TsadmFnX7OpL3zXzhKI7DFF.exe" ) do taskkill /iM "%~NXm" -F
4⤵
PID:1208

C:\Users\Admin\AppData\Local\Temp\IQ0V_Fe_.eXE
IQ0v_FE_.ExE -poRsuYEMryiLi
5⤵
PID:4272

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VbsCrIPt: cLOSe( CREAteobjecT ("wScRiPT.ShElL" ).RUN ( "C:\Windows\system32\cmd.exe /C tYpe ""C:\Users\Admin\AppData\Local\Temp\IQ0V_Fe_.eXE"" > IQ0V_Fe_.eXE && StaRt IQ0v_FE_.ExE -poRsuYEMryiLi & if ""-poRsuYEMryiLi""== """" for %m in ( ""C:\Users\Admin\AppData\Local\Temp\IQ0V_Fe_.eXE"" ) do taskkill /iM ""%~NXm"" -F" ,0 , TRUE ))
6⤵
PID:2232

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C tYpe "C:\Users\Admin\AppData\Local\Temp\IQ0V_Fe_.eXE" > IQ0V_Fe_.eXE && StaRt IQ0v_FE_.ExE -poRsuYEMryiLi& if "-poRsuYEMryiLi"== "" for %m in ("C:\Users\Admin\AppData\Local\Temp\IQ0V_Fe_.eXE" ) do taskkill /iM "%~NXm" -F
7⤵
PID:916

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" VHTDDahA.G,XBvVyh
6⤵
- Loads dropped DLL
PID:5608

C:\Windows\SysWOW64\taskkill.exe
taskkill /iM "5TsadmFnX7OpL3zXzhKI7DFF.exe" -F
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:416

C:\Users\Admin\Documents\mbbZP9KWocu9s5ib2Rj2zb7A.exe
"C:\Users\Admin\Documents\mbbZP9KWocu9s5ib2Rj2zb7A.exe"
2⤵
- Executes dropped EXE
PID:1620

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
"C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1464

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
- Executes dropped EXE
PID:4884

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
- Executes dropped EXE
PID:780

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
- Executes dropped EXE
PID:3388

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
- Executes dropped EXE
PID:2312

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
- Executes dropped EXE
PID:5200

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
- Executes dropped EXE
PID:5904

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
- Executes dropped EXE
PID:5720

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:5832

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:5144

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:3272

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:6668

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:6248

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:3076

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:4112

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:3076

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:2100

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:3856

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:5024

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:3140

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:5412

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:436

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:5544

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:6092

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:5464

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:496

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
- Enumerates system info in registry
PID:1104

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:6848

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:7472

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:7960

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:8088

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:3168

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:4212

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:7472

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:5412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5412 -s 28
4⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:1428

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:2072

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:6788

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:8172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 8172 -s 28
4⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:488

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:5688

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:7520

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:5412

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:5140

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:4000

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:2564

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:6324

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:6240

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:7072

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:1956

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:2924

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:6772

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:3236

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:8072

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:1532

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:7636

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:8364

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:8632

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:8936

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:9192

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:8544

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:8876

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:7428

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:6968

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:9212

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:8684

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:4496

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:4404

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:844

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:5548

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:2988

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:6172

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:3032

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:920

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:6520

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:7164

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:8224

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:9616

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:10044

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:9436

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:9476

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:724

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:1776

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:10184

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:9524

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:9940

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:4036

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:5272

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:9252

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:10268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 10268 -s 28
4⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:10552

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:10528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 10528 -s 28
4⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:11112

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:10984

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:7668

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:10512

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:10828

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:8492

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:8424

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:8036

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:7548

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:10960

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:10384

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:8380

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:3000

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:1412

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:5380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5380 -s 28
4⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:9912

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:1112

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:8112

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:6168

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:10040

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:9360

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:8532

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:8548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 8548 -s 28
4⤵
- Program crash
- Checks processor information in registry
PID:8552

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:7328

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:892

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:3632

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:11084

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:9468

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:1752

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:9752

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:6020

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:6036

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:8604

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:1316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1316 -s 28
4⤵
- Program crash
PID:10120

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:10536

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:9448

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:11384

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:11752

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:10796

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:10180

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:11236

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:10432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 10432 -s 28
4⤵
- Program crash
- Enumerates system info in registry
PID:8808

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:10024

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:11244

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:692

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:8956

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:8444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 8444 -s 28
4⤵
- Program crash
- Enumerates system info in registry
PID:6076

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:12184

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:676

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:10892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 10892 -s 28
4⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:5612

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:7616

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:1644

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:11016

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:1572

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:7004

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:9880

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:12732

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:12952

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:13196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 13196 -s 28
4⤵
- Program crash
PID:12812

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:12796

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:9316

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:13292

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:4500

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:9264

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:13292

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:8236

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:10300

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:13456

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:13872

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:14328

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:14228

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:14272

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:14708

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:15340

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:12656

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:15260

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:14788

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:14944

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:5756

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:14488

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:14136

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:13524

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:10984

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:12540

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:8760

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:14092

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:3824

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:11740

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:7792

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:6708

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:13976

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:9004

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:13388

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:8076

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:12792

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:14140

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:9764

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:9268

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:5340

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:2212

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:1812

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:13960

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:13644

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:13664

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:12176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 12176 -s 28
4⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:13652

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:14412

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:8608

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:9272

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:10004

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:13832

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:8712

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:784

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:15664

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:16136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 16136 -s 28
4⤵
- Program crash
PID:15808

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:15556

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:11956

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:12188

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:11624

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:11768

C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
3⤵
PID:16700

C:\Users\Admin\Documents\LtsPlQqIfinOfr_kXSW7IlfZ.exe
"C:\Users\Admin\Documents\LtsPlQqIfinOfr_kXSW7IlfZ.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1424

C:\Users\Admin\Documents\LtsPlQqIfinOfr_kXSW7IlfZ.exe
"C:\Users\Admin\Documents\LtsPlQqIfinOfr_kXSW7IlfZ.exe"
3⤵
PID:7096

C:\Users\Admin\Documents\1JJC9YsEjrHhAOXnk1Vw1QTX.exe
"C:\Users\Admin\Documents\1JJC9YsEjrHhAOXnk1Vw1QTX.exe"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1344

C:\Program Files (x86)\Company\NewProduct\cutm3.exe
"C:\Program Files (x86)\Company\NewProduct\cutm3.exe"
3⤵
- Executes dropped EXE
PID:3424

C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
"C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"
3⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Program Files directory
PID:5040

C:\Program Files (x86)\Company\NewProduct\inst1.exe
"C:\Program Files (x86)\Company\NewProduct\inst1.exe"
3⤵
- Executes dropped EXE
PID:4512

C:\Users\Admin\Documents\m2vmfr9COhWqMWWi3vDoqOTM.exe
"C:\Users\Admin\Documents\m2vmfr9COhWqMWWi3vDoqOTM.exe"
2⤵
- Executes dropped EXE
PID:1216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1216 -s 276
3⤵
- Drops file in Windows directory
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:940

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
"C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:912

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:4192

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
- Executes dropped EXE
PID:2316

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
- Executes dropped EXE
PID:4964

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
- Executes dropped EXE
PID:3688

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
- Executes dropped EXE
PID:3904

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
- Executes dropped EXE
PID:5932

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Executes dropped EXE
PID:5596

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:1504

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:4340

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2456

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:6448

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:6188

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:7160

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:6616

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:4084

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:6348

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:6472

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:2372

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:4008

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:3828

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:5504

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:6908

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:3172

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:4556

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:5236

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:6440

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:2548

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:6380

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:7504

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:8028

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:8140

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:7480

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:7580

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:7992

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:7232

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:7556

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:1884

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:7996

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:4204

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:7872

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:1040

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:5900

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:7112

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:5308

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:6956

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:5152

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:7488

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:5452

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:6928

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:1200

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:1948

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:6104

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:7136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7136 -s 28
4⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:7980

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:6684

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:8412

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:8652

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:8964

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:8224

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:8564

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:4808

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:1596

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:8792

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:8220

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:5772

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:7416

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:6940

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:8792

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:6092

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:9064

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:5648

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:7036

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:7616

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:6252

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:5756

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:7864

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:9472

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:9920

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:1124

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:9152

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:8456

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:9048

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:2268

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:2712

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:9308

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:8012

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:9696

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:9716

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:4468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4468 -s 28
4⤵
- Program crash
PID:10432

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:10328

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:10604

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:11076

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:9088

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:1288

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:10908

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:11104

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:10336

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:8496

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
- Enumerates system info in registry
PID:5752

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:10832

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:6904

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:8292

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:3892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3892 -s 28
4⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:6056

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:1932

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:8468

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:4356

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:8596

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:9232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 9232 -s 28
4⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:11224

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:11124

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:8584

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:9364

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:4372

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:9308

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:10208

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:1872

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:10168

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:808

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:6812

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:5584

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:3376

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:1116

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:1564

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:10188

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:7068

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:6720

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:11324

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:11712

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:12092

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:11680

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:12060

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:11552

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
- Enumerates system info in registry
PID:9768

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:10144

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:8988

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:11036

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:8272

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:6488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6488 -s 28
4⤵
- Program crash
PID:11356

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:9684

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:11328

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:6972

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:11272

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:11400

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:12248

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:11364

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:9340

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:8724

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:12804

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:13036

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:13264

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:12908

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:13084

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:12856

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:10588

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:12800

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:7704

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:12056

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:8744

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:13636

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:14008

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:13496

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:13544

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:4536

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:14844

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:14340

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:11976

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:15240

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:3564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3564 -s 28
4⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:6492

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:14484

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:15100

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:9968

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:11436

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:6440

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:14688

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:784

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:6352

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:11304

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:6604

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:8372

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:14840

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:13556

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:13580

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:13060

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:13188

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:9748

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:14740

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:7692

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:10276

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:12308

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:13108

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:13160

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:5584

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:14192

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:6916

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:9860

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:11472

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:5972

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:11160

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:12008

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:11376

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:7720

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:14216

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:11652

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:9480

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:7108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7108 -s 28
4⤵
- Program crash
- Enumerates system info in registry
PID:12600

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:9400

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:15496

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:16004

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:15400

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:15912

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:16356

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:13308

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:11976

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:16464

C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
3⤵
PID:16932

C:\Users\Admin\Documents\FKQN9l3E4mxMOwo5TLPHHTxl.exe
"C:\Users\Admin\Documents\FKQN9l3E4mxMOwo5TLPHHTxl.exe"
2⤵
- Executes dropped EXE
PID:1180

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
3⤵
- Creates scheduled task(s)
PID:732

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
3⤵
- Creates scheduled task(s)
PID:2852

C:\Users\Admin\Documents\Ax2HRrsbWkooC1V4G82ZKYMW.exe
"C:\Users\Admin\Documents\Ax2HRrsbWkooC1V4G82ZKYMW.exe"
2⤵
- Executes dropped EXE
PID:72

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 72 -s 240
3⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
PID:1536

C:\Users\Admin\Documents\xNq5nNtnxYQvV8QjxQwaEvG3.exe
"C:\Users\Admin\Documents\xNq5nNtnxYQvV8QjxQwaEvG3.exe"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:344

C:\Users\Admin\Documents\a7eOQ8m89hLkZ5wCj3YCri3d.exe
"C:\Users\Admin\Documents\a7eOQ8m89hLkZ5wCj3YCri3d.exe"
2⤵
- Executes dropped EXE
PID:852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 852 -s 272
3⤵
- Program crash
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
PID:2656

C:\Users\Admin\Documents\A_M463DjscNmdT9jVUu2ZFu7.exe
"C:\Users\Admin\Documents\A_M463DjscNmdT9jVUu2ZFu7.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4936

C:\Users\Admin\Documents\AEMRncQyeA2ekoDxo_pyq3Xk.exe
"C:\Users\Admin\Documents\AEMRncQyeA2ekoDxo_pyq3Xk.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:676

C:\Users\Admin\Documents\AEMRncQyeA2ekoDxo_pyq3Xk.exe
"C:\Users\Admin\Documents\AEMRncQyeA2ekoDxo_pyq3Xk.exe"
3⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4504

C:\Users\Admin\Documents\f3B2g28_3Stjm8TFs3o9q1ry.exe
"C:\Users\Admin\Documents\f3B2g28_3Stjm8TFs3o9q1ry.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:588

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
"C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2480

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
- Executes dropped EXE
PID:3564

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
- Executes dropped EXE
PID:2964

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
- Executes dropped EXE
PID:5008

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
- Executes dropped EXE
PID:4780

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
- Executes dropped EXE
PID:5304

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
- Executes dropped EXE
PID:6116

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
- Executes dropped EXE
PID:3444

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:2268

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:4936

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:6296

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:7028

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:6920

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:6500

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:6160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6160 -s 28
4⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:3864

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:7160

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:6892

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:4700

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:2232

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:1056

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:916

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:5300

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:5928

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:2496

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:4812

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:2120

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:3952

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:5080

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:7680

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:8184

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:7276

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:7640

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:7704

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:8076

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:7300

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:7652

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:8108

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:7224

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:1572

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:6104

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:4300

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:3428

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:5184

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:5468

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:8016

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:692

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:6824

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:2956

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:6220

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:7464

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:5132

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:5064

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:2484

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:8160

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:8500

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:8784

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:9028

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:8372

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:8604

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:9056

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:8436

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:8980

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:8056

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:8956

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:7344

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:5364

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:7456

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:572

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:6228

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:3208

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:3412

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:7624

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:1060

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:6712

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:9236

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:9672

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:10084

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:9576

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:9964

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:9540

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:9264

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:7192

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:9280

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:5628

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:9828

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:3516

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:5484

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:8292

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:10456

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:10728

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:11220

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:4820

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:9144

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:5624

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:6900

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:10488

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:10752

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:10996

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:3208

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:10468

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:9624

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:8196

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:10200

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:10192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 10192 -s 28
4⤵
- Program crash
PID:5972

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:8520

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:10852

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:7332

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:2704

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:2548

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:9820

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:9584

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:11140

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:6524

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:1912

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:8408

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:8652

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:7224

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:8676

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:2460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2460 -s 28
4⤵
- Program crash
- Enumerates system info in registry
PID:7184

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:10372

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:6236

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:7384

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:3516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3516 -s 28
4⤵
- Program crash
- Checks processor information in registry
PID:9872

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:10420

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:11412

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:11784

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:12272

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:3900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3900 -s 28
4⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:7500

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:12124

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:11640

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:3344

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:6488

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:10800

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:4728

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:11496

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:11584

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:12196

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:11816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 11816 -s 28
4⤵
- Program crash
PID:3164

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:11404

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:4936

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:12032

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:6712

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:10564

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:10704

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:9528

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:12760

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:13000

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:13256

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:12828

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:13024

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:13276

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:13124

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:8884

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:7876

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:10896

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:13152

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:13484

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:13792

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:13404

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:12256

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:6520

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:14612

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:15084

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:14344

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:14592

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:12928

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:7048

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:15084

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:2128

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:14808

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:11484

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:14432

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:9992

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:9188

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:12388

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:5188

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:10460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 10460 -s 28
4⤵
- Program crash
- Checks processor information in registry
PID:13444

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:4212

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:14496

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:9888

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:12148

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:14800

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:14604

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:11776

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:14728

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:10260

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:13552

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:3252

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:13332

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:3596

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:11880

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:11936

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:10248

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:8868

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:15276

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:13608

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:14216

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:10340

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:12148

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:13396

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:11596

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:4944

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:10344

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:10976

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:14740

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:15792

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:16268

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:15628

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:16308

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:12876

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:16144

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:15760

C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
3⤵
PID:16632

C:\Users\Admin\Documents\tWHQWs7dpX5KErvsHd65jzTm.exe
"C:\Users\Admin\Documents\tWHQWs7dpX5KErvsHd65jzTm.exe"
2⤵
- Executes dropped EXE
PID:2240

C:\Users\Admin\Documents\tWHQWs7dpX5KErvsHd65jzTm.exe
"C:\Users\Admin\Documents\tWHQWs7dpX5KErvsHd65jzTm.exe" -u
3⤵
- Executes dropped EXE
PID:4344

C:\Users\Admin\Documents\qbleFXEHQDURxBIu_BagU88B.exe
"C:\Users\Admin\Documents\qbleFXEHQDURxBIu_BagU88B.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2036

C:\Users\Admin\AppData\Roaming\2561948.exe
"C:\Users\Admin\AppData\Roaming\2561948.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2164

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2164 -s 2108
4⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:6312

C:\Users\Admin\AppData\Roaming\1645906.exe
"C:\Users\Admin\AppData\Roaming\1645906.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4192

C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
"C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
4⤵
- Executes dropped EXE
PID:5736

C:\Users\Admin\AppData\Roaming\4856436.exe
"C:\Users\Admin\AppData\Roaming\4856436.exe"
3⤵
- Executes dropped EXE
PID:2476

C:\Users\Admin\AppData\Roaming\8337570.exe
"C:\Users\Admin\AppData\Roaming\8337570.exe"
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1180

C:\Users\Admin\AppData\Roaming\6950613.exe
"C:\Users\Admin\AppData\Roaming\6950613.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4400 -s 1668
4⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:6356

C:\Users\Admin\Documents\SRFqOBJvWdXZF5hr1EG7hjub.exe
"C:\Users\Admin\Documents\SRFqOBJvWdXZF5hr1EG7hjub.exe"
2⤵
- Executes dropped EXE
PID:2996

C:\Users\Admin\AppData\Local\Temp\is-8HGVV.tmp\SRFqOBJvWdXZF5hr1EG7hjub.tmp
"C:\Users\Admin\AppData\Local\Temp\is-8HGVV.tmp\SRFqOBJvWdXZF5hr1EG7hjub.tmp" /SL5="$10294,138429,56832,C:\Users\Admin\Documents\SRFqOBJvWdXZF5hr1EG7hjub.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
PID:4752

C:\Users\Admin\AppData\Local\Temp\is-GHNIK.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-GHNIK.tmp\Setup.exe" /Verysilent
4⤵
PID:2456

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:792

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
- Executes dropped EXE
PID:4968

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
- Executes dropped EXE
PID:5988

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:5960

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:4156

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:4672

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:6584

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:6608

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:3992

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:6508

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:5996

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:2440

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
- Executes dropped EXE
PID:4272

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:4308

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:6536

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:6980

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:6740

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:6012

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:2408

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:4676

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:1312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1312 -s 164
7⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:6752

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:1048

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:7200

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:7756

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:7240

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:7296

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:7736

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:7836

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:3728

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:6616

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:7872

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:7220

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:7388

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:1212

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:7176

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:8124

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:3200

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:3136

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:2152

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:6128

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:1948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1948 -s 28
7⤵
- Program crash
PID:5752

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:8008

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:3224

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:408

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:6376

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:6648

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:3844

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:7584

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:8264

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:8524

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:8844

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:9116

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:7604

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:8740

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:9068

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:8516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 8516 -s 164
7⤵
- Program crash
PID:512

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:4500

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:2736

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:5372

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:4004

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:7368

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:3840

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:2064

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:5524

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:5160

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:7688

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:5104

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:7800

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:8360

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:9324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 9324 -s 28
7⤵
- Program crash
- Checks processor information in registry
PID:9856

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:9816

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:10192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 10192 -s 164
7⤵
- Program crash
PID:9768

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:9712

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:10104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 10104 -s 164
7⤵
- Program crash
PID:9752

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:6664

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:8208

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:9816

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:6120

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:3304

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:8488

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:6180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6180 -s 164
7⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:8484

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:10236

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:10356

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:10648

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:11176

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:5240

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:9112

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:9728

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:11156

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:10416

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:8628

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:1552

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:9292

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:8816

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:9196

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:11256

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:10312

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:9932

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:6516

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:1004

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:10760

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:5104

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:9492

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:11132

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:9984

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:8160

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:10164

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:9188

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:9736

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:7308

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:7708

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:6464

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:5564

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:5700

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:8788

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:6124

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:4172

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:7108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7108 -s 28
7⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:11648

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:11576

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:11896

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:10520

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:11744

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:11684

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:3516

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:8796

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:10120

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:4660

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:5288

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:11368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 11368 -s 28
7⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:11560

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:8580

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:6028

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:12112

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:11244

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:8280

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:11360

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:7932

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:5560

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:9228

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:12644

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:12840

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:13136

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:13296

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:7896

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:13212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 13212 -s 164
7⤵
- Program crash
- Checks processor information in registry
PID:4072

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:13300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 13300 -s 28
7⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:11664

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:13284

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:9040

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:12920

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:11968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 11968 -s 28
7⤵
- Program crash
PID:13424

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:11736

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:13672

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:14204

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:13764

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:3948

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:14580

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:15112

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:8868

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:14944

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:15356

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:14784

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:8196

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:8548

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:13068

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:1192

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:14896

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:8444

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:12512

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:10668

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:13708

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:11168

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:13752

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:13424

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:940

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:3996

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:13300

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:14700

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:8892

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:11732

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:2140

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:13076

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:9632

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:14108

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:11940

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:14760

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:8800

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:9628

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:10108

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:11356

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:9144

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:14948

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:13168

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:11272

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:13360

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:11968

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:14796

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:13280

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:12088

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:12168

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:6900

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:15732

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:16156

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:15544

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:15968

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:7224

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:16272

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:15388

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:16544

C:\Program Files (x86)\SmartPDF\SmartPDF\9840432e051a6fa1192594db02b80a4c1fd73456.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\9840432e051a6fa1192594db02b80a4c1fd73456.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5168

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Program Files (x86)\SmartPDF\SmartPDF\9840432e051a6fa1192594db02b80a4c1fd73456.exe"
6⤵
PID:4732

C:\Windows\SysWOW64\timeout.exe
timeout /T 10 /NOBREAK
7⤵
- Delays execution with timeout.exe
PID:5852

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.com/1ESxy7
5⤵
- Adds Run key to start application
- Enumerates system info in registry
- Suspicious use of FindShellTrayWindow
PID:1796

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9b02946f8,0x7ff9b0294708,0x7ff9b0294718
6⤵
PID:1068

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2244,14392511300752365672,8443770491883329647,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:2
6⤵
PID:5440

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2244,14392511300752365672,8443770491883329647,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2308 /prefetch:8
6⤵
PID:240

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2244,14392511300752365672,8443770491883329647,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2332 /prefetch:3
6⤵
PID:4972

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,14392511300752365672,8443770491883329647,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
6⤵
PID:1892

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,14392511300752365672,8443770491883329647,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
6⤵
PID:3352

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,14392511300752365672,8443770491883329647,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4900 /prefetch:1
6⤵
PID:6884

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,14392511300752365672,8443770491883329647,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4916 /prefetch:1
6⤵
PID:6972

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2244,14392511300752365672,8443770491883329647,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5256 /prefetch:8
6⤵
PID:7124

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2244,14392511300752365672,8443770491883329647,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5256 /prefetch:8
6⤵
PID:5924

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2244,14392511300752365672,8443770491883329647,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5832 /prefetch:2
6⤵
PID:3516

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,14392511300752365672,8443770491883329647,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5244 /prefetch:1
6⤵
PID:9164

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,14392511300752365672,8443770491883329647,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5272 /prefetch:1
6⤵
PID:10888

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2244,14392511300752365672,8443770491883329647,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5284 /prefetch:8
6⤵
PID:5584

C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv lVygVh9CQ0KsjH2557qDSw.0.2
1⤵
PID:4728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 852 -ip 852
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:2912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1684 -ip 1684
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:2992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 1216 -ip 1216
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:3316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 4172 -ip 4172
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:3212

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
1⤵
- Modifies data under HKEY_USERS
PID:1108

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:4056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 72 -ip 72
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:4120

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:5236

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
2⤵
- Loads dropped DLL
PID:5328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5328 -s 452
3⤵
- Program crash
PID:5752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 5328 -ip 5328
1⤵
PID:5596

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6700

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 352 -p 2164 -ip 2164
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:6468

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:6484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 4400 -ip 4400
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:4528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 6160 -ip 6160
1⤵
PID:6892

C:\Users\Admin\AppData\Local\Temp\D3BC.exe
C:\Users\Admin\AppData\Local\Temp\D3BC.exe
1⤵
- Suspicious use of SetWindowsHookEx
PID:7144

C:\Users\Admin\AppData\Local\Temp\DC96.exe
C:\Users\Admin\AppData\Local\Temp\DC96.exe
1⤵
PID:6352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6352 -s 236
2⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:4632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 6352 -ip 6352
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:6720

C:\Users\Admin\AppData\Local\Temp\3E4F.exe
C:\Users\Admin\AppData\Local\Temp\3E4F.exe
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:2988

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
2⤵
PID:916

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3364 -s 884
2⤵
- Program crash
PID:1104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3364 -ip 3364
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:5648

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:5292

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4336

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:6728

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2996

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:5252

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3640

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:6412

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:5636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 352 -p 1312 -ip 1312
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:3604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 5412 -ip 5412
1⤵
PID:7428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 8172 -ip 8172
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:7272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 1948 -ip 1948
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:4208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 7136 -ip 7136
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:7048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 8516 -ip 8516
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:6364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 9324 -ip 9324
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:9804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 10192 -ip 10192
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:2440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 10104 -ip 10104
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:9656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 6180 -ip 6180
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:5836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4468 -ip 4468
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:10368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 10268 -ip 10268
1⤵
PID:10536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 10528 -ip 10528
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:10992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 3892 -ip 3892
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:10320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 5380 -ip 5380
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:10056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 10192 -ip 10192
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:4068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 9232 -ip 9232
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:11248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 8548 -ip 8548
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:10516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 2460 -ip 2460
1⤵
PID:8896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 1316 -ip 1316
1⤵
PID:6352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 3516 -ip 3516
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:10724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 7108 -ip 7108
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:11588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 3900 -ip 3900
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:6928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 10432 -ip 10432
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:11948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 8444 -ip 8444
1⤵
PID:1920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 11368 -ip 11368
1⤵
PID:8512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 6488 -ip 6488
1⤵
PID:4212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 11816 -ip 11816
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:12268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 10892 -ip 10892
1⤵
PID:11364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 13196 -ip 13196
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:8724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 708 -p 13212 -ip 13212
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:10376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 736 -p 13300 -ip 13300
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:12684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 756 -p 11968 -ip 11968
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:6744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 704 -p 3564 -ip 3564
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:14500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 10460 -ip 10460
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:13268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 12176 -ip 12176
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:14468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 7108 -ip 7108
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:2760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 724 -p 16136 -ip 16136
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:15608

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Company\NewProduct\cutm3.exe
MD5
7714deedb24c3dcfa81dc660dd383492

SHA1
56fae3ab1186009430e175c73b914c77ed714cc0

SHA256
435badbad2fc138245a4771a74ebb9075658e294d1bcfcf191ccea466eea825c

SHA512
2cf05ac9470ab4e6d487ec9e4d7ab36fb2c8ce1405dba01b58934778829c7c4db703818087e0c5fbffe6cf821dfa190427e1205530409359ace2ad416e781c58

Download Submit
C:\Program Files (x86)\Company\NewProduct\cutm3.exe
MD5
7714deedb24c3dcfa81dc660dd383492

SHA1
56fae3ab1186009430e175c73b914c77ed714cc0

SHA256
435badbad2fc138245a4771a74ebb9075658e294d1bcfcf191ccea466eea825c

SHA512
2cf05ac9470ab4e6d487ec9e4d7ab36fb2c8ce1405dba01b58934778829c7c4db703818087e0c5fbffe6cf821dfa190427e1205530409359ace2ad416e781c58

Download Submit
C:\Program Files (x86)\Company\NewProduct\inst1.exe
MD5
c06d807e7287add5d460530e3d87648c

SHA1
d288550f1e35ba9406886906920f1afe7c965f71

SHA256
d5855e6292d04c6ab247c1b550168cde3d4a73831ed792cf15c1d0c650137e3d

SHA512
592b4cafe1d1060f8f05f54832e9c0f4baeb29c91dc9912f2f6f63819d96b766ae888c1483c5fc6b6c14093f8fd85ff03b4b76cc2910472740339a0305a5a20b

Download Submit
C:\Program Files (x86)\Company\NewProduct\inst1.exe
MD5
c06d807e7287add5d460530e3d87648c

SHA1
d288550f1e35ba9406886906920f1afe7c965f71

SHA256
d5855e6292d04c6ab247c1b550168cde3d4a73831ed792cf15c1d0c650137e3d

SHA512
592b4cafe1d1060f8f05f54832e9c0f4baeb29c91dc9912f2f6f63819d96b766ae888c1483c5fc6b6c14093f8fd85ff03b4b76cc2910472740339a0305a5a20b

Download Submit
C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
MD5
68737ab1a037878a37f0b3e114edaaf8

SHA1
0ba735d99c77cb69937f8fcf89c6a9e3bc495512

SHA256
7bf16a22ac10e1dc50dc302c7d1c196dff361ee5c8e830ddb0cec90b548b483a

SHA512
f30fa001c604fe4aee324fc4af5b784feae262a62983bd2364721f83ad2522b714c0286b97569b927da5741339d8a0633cbd6abcae3e45f943d5f4ae9168b271

Download Submit
C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
MD5
68737ab1a037878a37f0b3e114edaaf8

SHA1
0ba735d99c77cb69937f8fcf89c6a9e3bc495512

SHA256
7bf16a22ac10e1dc50dc302c7d1c196dff361ee5c8e830ddb0cec90b548b483a

SHA512
f30fa001c604fe4aee324fc4af5b784feae262a62983bd2364721f83ad2522b714c0286b97569b927da5741339d8a0633cbd6abcae3e45f943d5f4ae9168b271

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
MD5
232e517db7356fc6c1b3a1e81cfb14f0

SHA1
bc96caa40bec1a95c2ccb1ce412898d26c2b6510

SHA256
ea67e14a00646a43febfe5e838dc16e5f15e2b0d04e6ebfbe2f63c367d2c431d

SHA512
37b60c3038f297d738ca5d5b0ad7728d8dc487a7e82306be479619e7979553f9b6933aaaa808f6f7e241135984a36169b770b88c5f9b48e1086ed84466f7b698

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
MD5
307da069d24d32db7429d30c62f71daa

SHA1
117270a841c79f04a38443470dc2da188a20e9ef

SHA256
0e98329ea35e546f45f3725bb22374acf5da8f2401e6dd539bf411db94ad052e

SHA512
50eee80920ae5835efd463210f86650d46a1595592e59c42a596fa846d42adf3b90240d2bd84e2505d485632f985729cd36b506da89af8bb52c5709ea1ccc87c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-8HGVV.tmp\SRFqOBJvWdXZF5hr1EG7hjub.tmp
MD5
ffcf263a020aa7794015af0edee5df0b

SHA1
bce1eb5f0efb2c83f416b1782ea07c776666fdab

SHA256
1d07cfb7104b85fc0dffd761f6848ad176117e146bbb4079fe993efa06b94c64

SHA512
49f2b062adfb99c0c7f1012c56f0b52a8850d9f030cc32073b90025b372e4eb373f06a351e9b33264967427b8174c060c8a6110979f0eaf0872f7da6d5e4308a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-GHNIK.tmp\itdownload.dll
MD5
d82a429efd885ca0f324dd92afb6b7b8

SHA1
86bbdaa15e6fc5c7779ac69c84e53c43c9eb20ea

SHA256
b258c4d7d2113dee2168ed7e35568c8e03341e24e3eafc7a22a0d62e32122ef3

SHA512
5bf0c3b8fa5db63205a263c4fa5337188173248bef609ba4d03508c50db1fd1e336f3041ce96d78cc97659357a83e6e422f5b079d893a20a683270e05f5438df

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-GHNIK.tmp\itdownload.dll
MD5
d82a429efd885ca0f324dd92afb6b7b8

SHA1
86bbdaa15e6fc5c7779ac69c84e53c43c9eb20ea

SHA256
b258c4d7d2113dee2168ed7e35568c8e03341e24e3eafc7a22a0d62e32122ef3

SHA512
5bf0c3b8fa5db63205a263c4fa5337188173248bef609ba4d03508c50db1fd1e336f3041ce96d78cc97659357a83e6e422f5b079d893a20a683270e05f5438df

Download Submit
C:\Users\Admin\AppData\Roaming\2561948.exe
MD5
a3214c939ad2515b0cd3aad5c402ce13

SHA1
d4efa31dd92e062da68c7caa2b9824a4f20e7d14

SHA256
3e61b2ab69460d4af4c3ef0e7595fe495bdca69f977a73c6d62155ce40effeac

SHA512
2aeaab7173214335f827ff29115b2946ea73f246e9deb96122e613b64aa7ef4963ed788da41041c32595912a31904a6b9dd0902f41b83e0233217a8f4159bc9e

Download Submit
C:\Users\Admin\AppData\Roaming\2561948.exe
MD5
a3214c939ad2515b0cd3aad5c402ce13

SHA1
d4efa31dd92e062da68c7caa2b9824a4f20e7d14

SHA256
3e61b2ab69460d4af4c3ef0e7595fe495bdca69f977a73c6d62155ce40effeac

SHA512
2aeaab7173214335f827ff29115b2946ea73f246e9deb96122e613b64aa7ef4963ed788da41041c32595912a31904a6b9dd0902f41b83e0233217a8f4159bc9e

Download Submit
C:\Users\Admin\Documents\1JJC9YsEjrHhAOXnk1Vw1QTX.exe
MD5
308da60a9996a07824a1a1ce3a994d05

SHA1
24828b0bbbe4b975e2d73cfbcd6633113145b2f9

SHA256
1a1bf81f4a5d156c4c4ad16bd5f8ea3b2ea8c759b3e1fcbb47945f5c9039ff94

SHA512
84a3da30d8ae3891e1b9f0c24de612922512f39c94a743fea2a287a2299df6ceaaedb42b70ec18b1481e2b3c97a9021c83c7722d2521b47c19005ce4523b3afe

Download Submit
C:\Users\Admin\Documents\1JJC9YsEjrHhAOXnk1Vw1QTX.exe
MD5
308da60a9996a07824a1a1ce3a994d05

SHA1
24828b0bbbe4b975e2d73cfbcd6633113145b2f9

SHA256
1a1bf81f4a5d156c4c4ad16bd5f8ea3b2ea8c759b3e1fcbb47945f5c9039ff94

SHA512
84a3da30d8ae3891e1b9f0c24de612922512f39c94a743fea2a287a2299df6ceaaedb42b70ec18b1481e2b3c97a9021c83c7722d2521b47c19005ce4523b3afe

Download Submit
C:\Users\Admin\Documents\3RqBW1ka8RCC720E906VxNCE.exe
MD5
d150c070e3e6d3b966fcbaaa912dcd1b

SHA1
d642453ea9e6c59fbc53f874a36ff508238bbc7f

SHA256
3ca3ef048fd26e03a002f3fc9d80ecf27621dd27643857cfdac7c60c26d36a27

SHA512
67160efe9a0d79ac09dc7e36364edbda03401b0532c6e9b0db84866c63ca8ff30ea074554c60c167effec434aeb1596aebf2ff1b90181a54820f186731a42ee0

Download Submit
C:\Users\Admin\Documents\3RqBW1ka8RCC720E906VxNCE.exe
MD5
d150c070e3e6d3b966fcbaaa912dcd1b

SHA1
d642453ea9e6c59fbc53f874a36ff508238bbc7f

SHA256
3ca3ef048fd26e03a002f3fc9d80ecf27621dd27643857cfdac7c60c26d36a27

SHA512
67160efe9a0d79ac09dc7e36364edbda03401b0532c6e9b0db84866c63ca8ff30ea074554c60c167effec434aeb1596aebf2ff1b90181a54820f186731a42ee0

Download Submit
C:\Users\Admin\Documents\5TsadmFnX7OpL3zXzhKI7DFF.exe
MD5
6c77dec5a89f8c6bd57e53cfc2a8c828

SHA1
7149f293508405d298a49e044e577126cc2e7d2e

SHA256
cad8d602e9131638c2b0b344654e3787026da745fa751f58b5e6392d18d8d06a

SHA512
722f64ff0e1162fca68d209fcb40772769a20ec570d2d9b25e2170c4947d601495636929b5fd34ec97e8ea1a551661157072e8dea9d49767bde2d2a2600225bf

Download Submit
C:\Users\Admin\Documents\5TsadmFnX7OpL3zXzhKI7DFF.exe
MD5
6c77dec5a89f8c6bd57e53cfc2a8c828

SHA1
7149f293508405d298a49e044e577126cc2e7d2e

SHA256
cad8d602e9131638c2b0b344654e3787026da745fa751f58b5e6392d18d8d06a

SHA512
722f64ff0e1162fca68d209fcb40772769a20ec570d2d9b25e2170c4947d601495636929b5fd34ec97e8ea1a551661157072e8dea9d49767bde2d2a2600225bf

Download Submit
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
MD5
fabac8484745201ea428ea1d10fe2755

SHA1
b7365fcaa7416427ce5cc69f2bde3874d88cdc92

SHA256
f97b089440dd628e37d008e3074ee71ae700970bf7b98157849117d7a7c59b5c

SHA512
059e73bb48bb1ac45285b2af7b6bb0cd0eef018eeb3ae3562a2b5021b1d1d759e36550da7eb27be482e42c623176fe0821c88dcba9dd97cd2de83af65e2ec38a

Download Submit
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
MD5
fabac8484745201ea428ea1d10fe2755

SHA1
b7365fcaa7416427ce5cc69f2bde3874d88cdc92

SHA256
f97b089440dd628e37d008e3074ee71ae700970bf7b98157849117d7a7c59b5c

SHA512
059e73bb48bb1ac45285b2af7b6bb0cd0eef018eeb3ae3562a2b5021b1d1d759e36550da7eb27be482e42c623176fe0821c88dcba9dd97cd2de83af65e2ec38a

Download Submit
C:\Users\Admin\Documents\7ihstUdeCB5f0aEH12WYsnS4.exe
MD5
fabac8484745201ea428ea1d10fe2755

SHA1
b7365fcaa7416427ce5cc69f2bde3874d88cdc92

SHA256
f97b089440dd628e37d008e3074ee71ae700970bf7b98157849117d7a7c59b5c

SHA512
059e73bb48bb1ac45285b2af7b6bb0cd0eef018eeb3ae3562a2b5021b1d1d759e36550da7eb27be482e42c623176fe0821c88dcba9dd97cd2de83af65e2ec38a

Download Submit
C:\Users\Admin\Documents\AEMRncQyeA2ekoDxo_pyq3Xk.exe
MD5
ecddf4aef24206efaa378f52af0d5e57

SHA1
f721e98cb385e33bee0f365a749b780201457b42

SHA256
0e2caeea5636af7a787fd9f0c86ddcc761844485c3aa3dcaf18c2a5941c2e1ce

SHA512
7df914e6f77b2e774bf2b1e507fbaeb507f887ca87da945355375a75455da4ba75c9719261af2da51746c94b40411eb3c0a857b2a898eeab42aebf0a40aa362c

Download Submit
C:\Users\Admin\Documents\AEMRncQyeA2ekoDxo_pyq3Xk.exe
MD5
ecddf4aef24206efaa378f52af0d5e57

SHA1
f721e98cb385e33bee0f365a749b780201457b42

SHA256
0e2caeea5636af7a787fd9f0c86ddcc761844485c3aa3dcaf18c2a5941c2e1ce

SHA512
7df914e6f77b2e774bf2b1e507fbaeb507f887ca87da945355375a75455da4ba75c9719261af2da51746c94b40411eb3c0a857b2a898eeab42aebf0a40aa362c

Download Submit
C:\Users\Admin\Documents\AEMRncQyeA2ekoDxo_pyq3Xk.exe
MD5
ecddf4aef24206efaa378f52af0d5e57

SHA1
f721e98cb385e33bee0f365a749b780201457b42

SHA256
0e2caeea5636af7a787fd9f0c86ddcc761844485c3aa3dcaf18c2a5941c2e1ce

SHA512
7df914e6f77b2e774bf2b1e507fbaeb507f887ca87da945355375a75455da4ba75c9719261af2da51746c94b40411eb3c0a857b2a898eeab42aebf0a40aa362c

Download Submit
C:\Users\Admin\Documents\A_M463DjscNmdT9jVUu2ZFu7.exe
MD5
33abc47044053a5b97f95d81712ffd57

SHA1
dcc962b16bacd4984cf0d2337d30da34d52b1f05

SHA256
6f27e9f486516c22c2f04dbbea0ac3bdb8f7f14a2cffa9dd2f3b7f92323b4339

SHA512
964e02b24218f1f72027a723f81dd93c725f650cdb7ada737ac27486a8f50e4c1e937127add2479ad6861ba4e75341b3686bfb8959d4be2bfcc28bd59f854947

Download Submit
C:\Users\Admin\Documents\A_M463DjscNmdT9jVUu2ZFu7.exe
MD5
33abc47044053a5b97f95d81712ffd57

SHA1
dcc962b16bacd4984cf0d2337d30da34d52b1f05

SHA256
6f27e9f486516c22c2f04dbbea0ac3bdb8f7f14a2cffa9dd2f3b7f92323b4339

SHA512
964e02b24218f1f72027a723f81dd93c725f650cdb7ada737ac27486a8f50e4c1e937127add2479ad6861ba4e75341b3686bfb8959d4be2bfcc28bd59f854947

Download Submit
C:\Users\Admin\Documents\Ax2HRrsbWkooC1V4G82ZKYMW.exe
MD5
056d022cbb76f3a9d285af09e79aa05a

SHA1
3e1eb865decd5603728ed3b14e42fbcf3368ea9f

SHA256
94ccec1b08e2f017207af7f617a143ff8adc1fc8cda2dfb5de78d2fc3e986ce0

SHA512
ab82e24574423d2325893521cf9372c1b6364beffd890a09d476ebb583958f709b420aa783a9da37dfd70bdeb019a0e2e9c7c37f93bf11798acc8895867c3227

Download Submit
C:\Users\Admin\Documents\Ax2HRrsbWkooC1V4G82ZKYMW.exe
MD5
056d022cbb76f3a9d285af09e79aa05a

SHA1
3e1eb865decd5603728ed3b14e42fbcf3368ea9f

SHA256
94ccec1b08e2f017207af7f617a143ff8adc1fc8cda2dfb5de78d2fc3e986ce0

SHA512
ab82e24574423d2325893521cf9372c1b6364beffd890a09d476ebb583958f709b420aa783a9da37dfd70bdeb019a0e2e9c7c37f93bf11798acc8895867c3227

Download Submit
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
MD5
ddfa7f5c4e009e6a1052568b292b7d1c

SHA1
22d85895a300a3ac777049c28c521fc38956e89a

SHA256
4d463ef06d78819067503412ef6f554eb2a5e968e332530ede9d093e5a21866b

SHA512
8dd3e113aeac58f03b4f1819dde9b7e318ba04986202387f65b8dc0c212c0207c68c0bf38adc1724618bf99a14bf43a1d26862f26416caafdfafc0128078d256

Download Submit
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
MD5
ddfa7f5c4e009e6a1052568b292b7d1c

SHA1
22d85895a300a3ac777049c28c521fc38956e89a

SHA256
4d463ef06d78819067503412ef6f554eb2a5e968e332530ede9d093e5a21866b

SHA512
8dd3e113aeac58f03b4f1819dde9b7e318ba04986202387f65b8dc0c212c0207c68c0bf38adc1724618bf99a14bf43a1d26862f26416caafdfafc0128078d256

Download Submit
C:\Users\Admin\Documents\ExfJL0iepDHErPA4LGeIYb8a.exe
MD5
ddfa7f5c4e009e6a1052568b292b7d1c

SHA1
22d85895a300a3ac777049c28c521fc38956e89a

SHA256
4d463ef06d78819067503412ef6f554eb2a5e968e332530ede9d093e5a21866b

SHA512
8dd3e113aeac58f03b4f1819dde9b7e318ba04986202387f65b8dc0c212c0207c68c0bf38adc1724618bf99a14bf43a1d26862f26416caafdfafc0128078d256

Download Submit
C:\Users\Admin\Documents\FKQN9l3E4mxMOwo5TLPHHTxl.exe
MD5
abeea23c95c98bc3cbc6d9d4508a0a2f

SHA1
b9b202c2e2da2073b4e332a7401159118581d10c

SHA256
df7734cbb1baf26783f02249ac1b725286ae3709233cb3e78955cb6873597e6d

SHA512
6fb725f1e067382a2ff6e153f9a3f02fb9d277248cf1b06c0541feef3919d8813f18f54b25899d9d7f6e0651fcfeec7d98fee9300c404c8e04c0606712261d9f

Download Submit
C:\Users\Admin\Documents\FKQN9l3E4mxMOwo5TLPHHTxl.exe
MD5
abeea23c95c98bc3cbc6d9d4508a0a2f

SHA1
b9b202c2e2da2073b4e332a7401159118581d10c

SHA256
df7734cbb1baf26783f02249ac1b725286ae3709233cb3e78955cb6873597e6d

SHA512
6fb725f1e067382a2ff6e153f9a3f02fb9d277248cf1b06c0541feef3919d8813f18f54b25899d9d7f6e0651fcfeec7d98fee9300c404c8e04c0606712261d9f

Download Submit
C:\Users\Admin\Documents\LtsPlQqIfinOfr_kXSW7IlfZ.exe
MD5
3d02508473fd13b069fce5dd54a2ff75

SHA1
a6ccb270b3356d58c6358905ab3a01dd1b9c9566

SHA256
0ea9a18d16f9be86d0f0b8b1da9250584cd4cf0aa83ba0ef57771010d3f80f27

SHA512
63f9a8ed6ba4af5e3833e3b0c9ffacbaf69ba291fd5f5df953921284e322a0a80f27cb524835fb2643d2b20b11873e540657772e696ce7b7c9d19928f8ac76bf

Download Submit
C:\Users\Admin\Documents\LtsPlQqIfinOfr_kXSW7IlfZ.exe
MD5
3d02508473fd13b069fce5dd54a2ff75

SHA1
a6ccb270b3356d58c6358905ab3a01dd1b9c9566

SHA256
0ea9a18d16f9be86d0f0b8b1da9250584cd4cf0aa83ba0ef57771010d3f80f27

SHA512
63f9a8ed6ba4af5e3833e3b0c9ffacbaf69ba291fd5f5df953921284e322a0a80f27cb524835fb2643d2b20b11873e540657772e696ce7b7c9d19928f8ac76bf

Download Submit
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
MD5
e20eadf0f3063e0a73ca8569cd7c3c1b

SHA1
995b8fecebb1ff10f9f6571c73d1ea49d5722477

SHA256
81f327dfcb337af8d576630d797059c5501a84cecb3612b69a2085cb2a74b494

SHA512
d226b5f133ecff0eb41a21c6a8feeeae5da1931f4326f5fb893f11eb3faff1fc460d188149f968fcf4437abf3b0fe8c49b01d463f8e8d0e54e9ae149027786ef

Download Submit
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
MD5
e20eadf0f3063e0a73ca8569cd7c3c1b

SHA1
995b8fecebb1ff10f9f6571c73d1ea49d5722477

SHA256
81f327dfcb337af8d576630d797059c5501a84cecb3612b69a2085cb2a74b494

SHA512
d226b5f133ecff0eb41a21c6a8feeeae5da1931f4326f5fb893f11eb3faff1fc460d188149f968fcf4437abf3b0fe8c49b01d463f8e8d0e54e9ae149027786ef

Download Submit
C:\Users\Admin\Documents\PuDPaDWx1Obqt8PXF9O4wMHS.exe
MD5
e20eadf0f3063e0a73ca8569cd7c3c1b

SHA1
995b8fecebb1ff10f9f6571c73d1ea49d5722477

SHA256
81f327dfcb337af8d576630d797059c5501a84cecb3612b69a2085cb2a74b494

SHA512
d226b5f133ecff0eb41a21c6a8feeeae5da1931f4326f5fb893f11eb3faff1fc460d188149f968fcf4437abf3b0fe8c49b01d463f8e8d0e54e9ae149027786ef

Download Submit
C:\Users\Admin\Documents\SRFqOBJvWdXZF5hr1EG7hjub.exe
MD5
4c91ebf5b18e08cf75fe9d7b567d4093

SHA1
f76f07af066f31f39e7723ee0a841a752767c23c

SHA256
26658599bfea61f5a5db01ce91144702653e9ecf92eda1f54479ce1f48876721

SHA512
cd95b1fed25558e1eaae71aeec797130a2f840403959dd2ca07378bbe3b2773a9e5c22f5be58c0959b29e8c9df9ff78e87abc587bd93d07dfb5f435217ec87f3

Download Submit
C:\Users\Admin\Documents\SRFqOBJvWdXZF5hr1EG7hjub.exe
MD5
4c91ebf5b18e08cf75fe9d7b567d4093

SHA1
f76f07af066f31f39e7723ee0a841a752767c23c

SHA256
26658599bfea61f5a5db01ce91144702653e9ecf92eda1f54479ce1f48876721

SHA512
cd95b1fed25558e1eaae71aeec797130a2f840403959dd2ca07378bbe3b2773a9e5c22f5be58c0959b29e8c9df9ff78e87abc587bd93d07dfb5f435217ec87f3

Download Submit
C:\Users\Admin\Documents\a7eOQ8m89hLkZ5wCj3YCri3d.exe
MD5
1198c7cec819a24342e0e7f3cc8451e3

SHA1
8b6f61780b083a520435f88cf59af1871180d21a

SHA256
ec0d5179e327663fe182b4df4df4a620a7d09fd5585ec8ee2ce36a8d33fc8ec3

SHA512
d27918a6c7a296e085b3a06677b30c9d7175401e7b9f7e4ec1b05c3fc34b72543e678452ca286c2a710db980020e3f7a0b8c34ea58129eb1004140c36b8cfd81

Download Submit
C:\Users\Admin\Documents\a7eOQ8m89hLkZ5wCj3YCri3d.exe
MD5
1198c7cec819a24342e0e7f3cc8451e3

SHA1
8b6f61780b083a520435f88cf59af1871180d21a

SHA256
ec0d5179e327663fe182b4df4df4a620a7d09fd5585ec8ee2ce36a8d33fc8ec3

SHA512
d27918a6c7a296e085b3a06677b30c9d7175401e7b9f7e4ec1b05c3fc34b72543e678452ca286c2a710db980020e3f7a0b8c34ea58129eb1004140c36b8cfd81

Download Submit
C:\Users\Admin\Documents\bEKUaoPXRmsP0GUxjAhtU1go.exe
MD5
af060eec817d7b05b24b5c40e0096d7f

SHA1
1dcab28b66c07eadd170f68d549899de8cbaadc7

SHA256
110db064661be0a65fadf0c1ffcfba644b218894f8df85c57e36ff65d86632f2

SHA512
76048b80c31b7e31d20eaff38717672e3d98fc1b7c98116948558c870a1198941a0dbea2c09811fa2867173a760d7a2ba36f74a6076293550cf8a3d6116e6975

Download Submit
C:\Users\Admin\Documents\bEKUaoPXRmsP0GUxjAhtU1go.exe
MD5
af060eec817d7b05b24b5c40e0096d7f

SHA1
1dcab28b66c07eadd170f68d549899de8cbaadc7

SHA256
110db064661be0a65fadf0c1ffcfba644b218894f8df85c57e36ff65d86632f2

SHA512
76048b80c31b7e31d20eaff38717672e3d98fc1b7c98116948558c870a1198941a0dbea2c09811fa2867173a760d7a2ba36f74a6076293550cf8a3d6116e6975

Download Submit
C:\Users\Admin\Documents\f3B2g28_3Stjm8TFs3o9q1ry.exe
MD5
ace480a7645ee4f05d2408a4680e8322

SHA1
4f08d5900e5ed0684cefa323ed2db7a64991122e

SHA256
ebd58b53668c25b60e1c450efdd6f636aa2076aff33bd409fca80fd9daea6233

SHA512
ca53e6c0b94f468aa7cfcf75b687564660c1a407aa6a5156d7fe8768a643a65faab5588266b52b300d930ecea4a8cb4a940a1b3f5a320ba9e6b203c9a2a3690a

Download Submit
C:\Users\Admin\Documents\f3B2g28_3Stjm8TFs3o9q1ry.exe
MD5
ace480a7645ee4f05d2408a4680e8322

SHA1
4f08d5900e5ed0684cefa323ed2db7a64991122e

SHA256
ebd58b53668c25b60e1c450efdd6f636aa2076aff33bd409fca80fd9daea6233

SHA512
ca53e6c0b94f468aa7cfcf75b687564660c1a407aa6a5156d7fe8768a643a65faab5588266b52b300d930ecea4a8cb4a940a1b3f5a320ba9e6b203c9a2a3690a

Download Submit
C:\Users\Admin\Documents\m0FtYtoSqXjXUtg_q4kj3hI1.exe
MD5
07e143efd03815a3b8c8b90e7e5776f0

SHA1
077314efef70cef8f43eeba7f1b8ba0e5e5dedc9

SHA256
32967e652530e7ac72841886cb07badcced11e1e725e2e85e1ee8046c4fe2149

SHA512
79ed77bbcac3f84d846b4b02e1a50a197d857d4b1d6abd84a45393bb3c262768ab6f3952733a1ae6010978ab598842d9b7ac4be5a5b23c374a3d4796c87a38d6

Download Submit
C:\Users\Admin\Documents\m0FtYtoSqXjXUtg_q4kj3hI1.exe
MD5
07e143efd03815a3b8c8b90e7e5776f0

SHA1
077314efef70cef8f43eeba7f1b8ba0e5e5dedc9

SHA256
32967e652530e7ac72841886cb07badcced11e1e725e2e85e1ee8046c4fe2149

SHA512
79ed77bbcac3f84d846b4b02e1a50a197d857d4b1d6abd84a45393bb3c262768ab6f3952733a1ae6010978ab598842d9b7ac4be5a5b23c374a3d4796c87a38d6

Download Submit
C:\Users\Admin\Documents\m2vmfr9COhWqMWWi3vDoqOTM.exe
MD5
8ba1af598fde5a9bcbddf4b1f74aa12e

SHA1
6d35b46fe3be66ced67a1d4f11669d539b66c960

SHA256
a2644e711f5724d4f088b6b62d257c3ebaee9ab44c3d66088edcf3441f1eed8c

SHA512
457a28e5b9e1b67cadb5df6e8d57abaa9460dca025dbfffbc6e9176c6d8ffb9d00f9bc0f2bb5557dc4bcd5c7b7d18449d0d8463434422b13276dbbd69d824513

Download Submit
C:\Users\Admin\Documents\m2vmfr9COhWqMWWi3vDoqOTM.exe
MD5
8ba1af598fde5a9bcbddf4b1f74aa12e

SHA1
6d35b46fe3be66ced67a1d4f11669d539b66c960

SHA256
a2644e711f5724d4f088b6b62d257c3ebaee9ab44c3d66088edcf3441f1eed8c

SHA512
457a28e5b9e1b67cadb5df6e8d57abaa9460dca025dbfffbc6e9176c6d8ffb9d00f9bc0f2bb5557dc4bcd5c7b7d18449d0d8463434422b13276dbbd69d824513

Download Submit
C:\Users\Admin\Documents\mbbZP9KWocu9s5ib2Rj2zb7A.exe
MD5
b5ea06201dbc55b34d086ebbec5043ae

SHA1
34009829c57800e2b11d3170830c86ad669b48dd

SHA256
c885c5405043ca5b807ab417680513333b5e5dedc9d59b70b19f6b6c60eef2dd

SHA512
200024c1e81b58cb3a03a87f4a61476346f054ad55be24bed8970a7c3d213372c7e74cf7d08030afb763d493d5d478f5550e0c9f5eb498223f00217aa1109367

Download Submit
C:\Users\Admin\Documents\mbbZP9KWocu9s5ib2Rj2zb7A.exe
MD5
b5ea06201dbc55b34d086ebbec5043ae

SHA1
34009829c57800e2b11d3170830c86ad669b48dd

SHA256
c885c5405043ca5b807ab417680513333b5e5dedc9d59b70b19f6b6c60eef2dd

SHA512
200024c1e81b58cb3a03a87f4a61476346f054ad55be24bed8970a7c3d213372c7e74cf7d08030afb763d493d5d478f5550e0c9f5eb498223f00217aa1109367

Download Submit
C:\Users\Admin\Documents\qbleFXEHQDURxBIu_BagU88B.exe
MD5
8e2c6bd0f789c514be09799fa453f9bb

SHA1
5a20567e554a56bcc1c8820502764a7a97daaf28

SHA256
67459286369a30ff17fb2df1f92a552979dc8ca3b8720e6c15c380a0d004dbbc

SHA512
aac8b38a3a4e8eb478c7af1bd2ac4eb9865443399bd9a4260ef9a85602a5d1ef5d40d0c18118ca45a47302185fa226435db2721acfe4bc0de773e9dd550dc1d0

Download Submit
C:\Users\Admin\Documents\qbleFXEHQDURxBIu_BagU88B.exe
MD5
8e2c6bd0f789c514be09799fa453f9bb

SHA1
5a20567e554a56bcc1c8820502764a7a97daaf28

SHA256
67459286369a30ff17fb2df1f92a552979dc8ca3b8720e6c15c380a0d004dbbc

SHA512
aac8b38a3a4e8eb478c7af1bd2ac4eb9865443399bd9a4260ef9a85602a5d1ef5d40d0c18118ca45a47302185fa226435db2721acfe4bc0de773e9dd550dc1d0

Download Submit
C:\Users\Admin\Documents\rDeAVHDGKY2eD1nsRAoQfdiJ.exe
MD5
5a4c34199b7d24536a4c6f50750ba670

SHA1
d59cf458dae076d651af23d722266124ea8e87fb

SHA256
7c9ba201865da7d4fd662f471422f1ce7d86c91805b882c395e77100d9c4bc8e

SHA512
0a1e424436849b84b6f3c22c3c16e95c81049eb5381814f28cf3e4c9cbf4fd414a1b5962b1106888686ba2b19b88ddf589ee3bd69bc15f10250f3b54bb209b1c

Download Submit
C:\Users\Admin\Documents\rDeAVHDGKY2eD1nsRAoQfdiJ.exe
MD5
5a4c34199b7d24536a4c6f50750ba670

SHA1
d59cf458dae076d651af23d722266124ea8e87fb

SHA256
7c9ba201865da7d4fd662f471422f1ce7d86c91805b882c395e77100d9c4bc8e

SHA512
0a1e424436849b84b6f3c22c3c16e95c81049eb5381814f28cf3e4c9cbf4fd414a1b5962b1106888686ba2b19b88ddf589ee3bd69bc15f10250f3b54bb209b1c

Download Submit
C:\Users\Admin\Documents\tF64MzVNDIE05lc6awRgEYS1.exe
MD5
669eb75220e71145a3260044f3075301

SHA1
82560cc408ab27c324216b092f19c134470aae98

SHA256
ab5d4827ce3c3cb1da79670b8bbd6afc9896dd77d9c933cefcb885079359bebb

SHA512
46164e8d9479e76b0773e158b918e0e5556ea992b2baf55137da73d1f272553aef0afd02bfb8c604469244c02416a62911d645480f211a324d1ab73748492c1e

Download Submit
C:\Users\Admin\Documents\tF64MzVNDIE05lc6awRgEYS1.exe
MD5
669eb75220e71145a3260044f3075301

SHA1
82560cc408ab27c324216b092f19c134470aae98

SHA256
ab5d4827ce3c3cb1da79670b8bbd6afc9896dd77d9c933cefcb885079359bebb

SHA512
46164e8d9479e76b0773e158b918e0e5556ea992b2baf55137da73d1f272553aef0afd02bfb8c604469244c02416a62911d645480f211a324d1ab73748492c1e

Download Submit
C:\Users\Admin\Documents\tWHQWs7dpX5KErvsHd65jzTm.exe
MD5
7411bd9a32735dfdeee38ee1f6629a7f

SHA1
5ebcd716a0a2c34bb57f3323fcc8ff081a9a78d0

SHA256
18af72f75d6dbdffa8f8319d5d76f9b1a8cb51e99e1b937948bdcc7af6665511

SHA512
806a75265ffb302311eab389ea563382f51ef525b8095a9fd10fdfb2da4f295f414b59e2bb14c25130bead481364f75fe966f38bc4f05818a9c82806725749eb

Download Submit
C:\Users\Admin\Documents\tWHQWs7dpX5KErvsHd65jzTm.exe
MD5
7411bd9a32735dfdeee38ee1f6629a7f

SHA1
5ebcd716a0a2c34bb57f3323fcc8ff081a9a78d0

SHA256
18af72f75d6dbdffa8f8319d5d76f9b1a8cb51e99e1b937948bdcc7af6665511

SHA512
806a75265ffb302311eab389ea563382f51ef525b8095a9fd10fdfb2da4f295f414b59e2bb14c25130bead481364f75fe966f38bc4f05818a9c82806725749eb

Download Submit
C:\Users\Admin\Documents\tWHQWs7dpX5KErvsHd65jzTm.exe
MD5
7411bd9a32735dfdeee38ee1f6629a7f

SHA1
5ebcd716a0a2c34bb57f3323fcc8ff081a9a78d0

SHA256
18af72f75d6dbdffa8f8319d5d76f9b1a8cb51e99e1b937948bdcc7af6665511

SHA512
806a75265ffb302311eab389ea563382f51ef525b8095a9fd10fdfb2da4f295f414b59e2bb14c25130bead481364f75fe966f38bc4f05818a9c82806725749eb

Download Submit
C:\Users\Admin\Documents\xNq5nNtnxYQvV8QjxQwaEvG3.exe
MD5
067a8002b76c49e820a9421fa3029c86

SHA1
fbf589bf5e44768d9ed07f6b361472e3b54bcb58

SHA256
9fdf1b38392cacb2490a8093fc910e2af3817e92ab459304d721919a63cbfe64

SHA512
4986054c30b069cc145dde03244589eb06513211723ca11cd97204c748b43c07b6f16bab7b9203c3d53a20176879eb467debf90bde43a5a66d23587243fed03a

Download Submit
C:\Users\Admin\Documents\xNq5nNtnxYQvV8QjxQwaEvG3.exe
MD5
067a8002b76c49e820a9421fa3029c86

SHA1
fbf589bf5e44768d9ed07f6b361472e3b54bcb58

SHA256
9fdf1b38392cacb2490a8093fc910e2af3817e92ab459304d721919a63cbfe64

SHA512
4986054c30b069cc145dde03244589eb06513211723ca11cd97204c748b43c07b6f16bab7b9203c3d53a20176879eb467debf90bde43a5a66d23587243fed03a

Download Submit
memory/72-353-0x00000000007D0000-0x00000000007FF000-memory.dmp

Filesize
188KB

Download
memory/72-163-0x0000000000000000-mapping.dmp

Download
memory/344-348-0x00000000058F0000-0x00000000058F1000-memory.dmp

Filesize
4KB

Download
memory/344-164-0x0000000000000000-mapping.dmp

Download
memory/344-314-0x0000000000980000-0x0000000000981000-memory.dmp

Filesize
4KB

Download
memory/416-384-0x0000000000000000-mapping.dmp

Download
memory/588-304-0x0000000005AC0000-0x0000000005AC1000-memory.dmp

Filesize
4KB

Download
memory/588-159-0x0000000000000000-mapping.dmp

Download
memory/588-281-0x0000000005950000-0x0000000005951000-memory.dmp

Filesize
4KB

Download
memory/588-285-0x00000000056A0000-0x0000000005CB8000-memory.dmp

Filesize
6.1MB

Download
memory/588-288-0x0000000005770000-0x0000000005771000-memory.dmp

Filesize
4KB

Download
memory/588-220-0x0000000000DB0000-0x0000000000DB1000-memory.dmp

Filesize
4KB

Download
memory/588-266-0x0000000005CC0000-0x0000000005CC1000-memory.dmp

Filesize
4KB

Download
memory/588-278-0x0000000005840000-0x0000000005841000-memory.dmp

Filesize
4KB

Download
memory/588-273-0x0000000005710000-0x0000000005711000-memory.dmp

Filesize
4KB

Download
memory/676-160-0x0000000000000000-mapping.dmp

Download
memory/676-335-0x00000000006C0000-0x00000000006CA000-memory.dmp

Filesize
40KB

Download
memory/732-317-0x0000000000000000-mapping.dmp

Download
memory/792-469-0x0000000000000000-mapping.dmp

Download
memory/792-519-0x0000000005AE0000-0x0000000005AE1000-memory.dmp

Filesize
4KB

Download
memory/852-238-0x0000000003AF0000-0x0000000003BC3000-memory.dmp

Filesize
844KB

Download
memory/852-162-0x0000000000000000-mapping.dmp

Download
memory/912-166-0x0000000000000000-mapping.dmp

Download
memory/912-253-0x0000000005400000-0x0000000005401000-memory.dmp

Filesize
4KB

Download
memory/912-223-0x0000000000A30000-0x0000000000A31000-memory.dmp

Filesize
4KB

Download
memory/912-300-0x0000000005580000-0x0000000005581000-memory.dmp

Filesize
4KB

Download
memory/916-420-0x0000000000000000-mapping.dmp

Download
memory/1068-557-0x0000000000000000-mapping.dmp

Download
memory/1180-480-0x0000000005330000-0x0000000005331000-memory.dmp

Filesize
4KB

Download
memory/1180-388-0x0000000000000000-mapping.dmp

Download
memory/1180-165-0x0000000000000000-mapping.dmp

Download
memory/1192-293-0x00000000059D0000-0x0000000005F76000-memory.dmp

Filesize
5.6MB

Download
memory/1192-237-0x00000000059D0000-0x00000000059D1000-memory.dmp

Filesize
4KB

Download
memory/1192-147-0x0000000000000000-mapping.dmp

Download
memory/1192-228-0x0000000005910000-0x0000000005911000-memory.dmp

Filesize
4KB

Download
memory/1192-212-0x0000000005F80000-0x0000000005F81000-memory.dmp

Filesize
4KB

Download
memory/1192-203-0x0000000000F10000-0x0000000000F11000-memory.dmp

Filesize
4KB

Download
memory/1208-286-0x0000000000000000-mapping.dmp

Download
memory/1216-167-0x0000000000000000-mapping.dmp

Download
memory/1216-251-0x0000000003A60000-0x0000000003A8F000-memory.dmp

Filesize
188KB

Download
memory/1344-169-0x0000000000000000-mapping.dmp

Download
memory/1408-149-0x0000000000000000-mapping.dmp

Download
memory/1424-291-0x0000000005300000-0x00000000058A6000-memory.dmp

Filesize
5.6MB

Download
memory/1424-311-0x0000000008F80000-0x0000000008F81000-memory.dmp

Filesize
4KB

Download
memory/1424-307-0x0000000006280000-0x0000000006296000-memory.dmp

Filesize
88KB

Download
memory/1424-168-0x0000000000000000-mapping.dmp

Download
memory/1424-248-0x0000000005E60000-0x0000000005E61000-memory.dmp

Filesize
4KB

Download
memory/1424-200-0x00000000008F0000-0x00000000008F1000-memory.dmp

Filesize
4KB

Download
memory/1464-170-0x0000000000000000-mapping.dmp

Download
memory/1464-279-0x0000000005620000-0x0000000005621000-memory.dmp

Filesize
4KB

Download
memory/1464-225-0x0000000000A90000-0x0000000000A91000-memory.dmp

Filesize
4KB

Download
memory/1620-372-0x0000000005B70000-0x0000000005B71000-memory.dmp

Filesize
4KB

Download
memory/1620-171-0x0000000000000000-mapping.dmp

Download
memory/1684-148-0x0000000000000000-mapping.dmp

Download
memory/1684-244-0x0000000003A90000-0x0000000003AE5000-memory.dmp

Filesize
340KB

Download
memory/1796-536-0x0000000000000000-mapping.dmp

Download
memory/2036-275-0x0000000002D00000-0x0000000002D16000-memory.dmp

Filesize
88KB

Download
memory/2036-249-0x0000000000D80000-0x0000000000D81000-memory.dmp

Filesize
4KB

Download
memory/2036-213-0x0000000000000000-mapping.dmp

Download
memory/2036-282-0x0000000002D70000-0x0000000002D72000-memory.dmp

Filesize
8KB

Download
memory/2164-359-0x0000000000000000-mapping.dmp

Download
memory/2164-406-0x000000001B8B0000-0x000000001B8B2000-memory.dmp

Filesize
8KB

Download
memory/2232-402-0x0000000000000000-mapping.dmp

Download
memory/2240-199-0x0000000000000000-mapping.dmp

Download
memory/2316-374-0x0000000000000000-mapping.dmp

Download
memory/2316-409-0x0000000004F70000-0x0000000005588000-memory.dmp

Filesize
6.1MB

Download
memory/2456-449-0x0000000000000000-mapping.dmp

Download
memory/2476-515-0x0000000005020000-0x0000000005021000-memory.dmp

Filesize
4KB

Download
memory/2476-412-0x0000000000000000-mapping.dmp

Download
memory/2480-276-0x0000000005260000-0x0000000005261000-memory.dmp

Filesize
4KB

Download
memory/2480-218-0x0000000000940000-0x0000000000941000-memory.dmp

Filesize
4KB

Download
memory/2480-158-0x0000000000000000-mapping.dmp

Download
memory/2480-299-0x0000000005400000-0x0000000005401000-memory.dmp

Filesize
4KB

Download
memory/2852-342-0x0000000000000000-mapping.dmp

Download
memory/2964-413-0x00000000052D0000-0x00000000058E8000-memory.dmp

Filesize
6.1MB

Download
memory/2964-386-0x0000000000000000-mapping.dmp

Download
memory/2996-211-0x0000000000000000-mapping.dmp

Download
memory/2996-216-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3256-425-0x0000000005070000-0x0000000005086000-memory.dmp

Filesize
88KB

Download
memory/3388-463-0x00000000054D0000-0x0000000005AE8000-memory.dmp

Filesize
6.1MB

Download
memory/3388-421-0x0000000000000000-mapping.dmp

Download
memory/3424-320-0x000002D5493C0000-0x000002D549521000-memory.dmp

Filesize
1.4MB

Download
memory/3424-245-0x0000000000000000-mapping.dmp

Download
memory/3424-319-0x000002D549170000-0x000002D549254000-memory.dmp

Filesize
912KB

Download
memory/3448-243-0x0000000000000000-mapping.dmp

Download
memory/3564-321-0x0000000000000000-mapping.dmp

Download
memory/3564-324-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3564-356-0x0000000004D80000-0x0000000005398000-memory.dmp

Filesize
6.1MB

Download
memory/3688-498-0x0000000005260000-0x0000000005878000-memory.dmp

Filesize
6.1MB

Download
memory/3688-464-0x0000000000000000-mapping.dmp

Download
memory/3904-514-0x0000000000000000-mapping.dmp

Download
memory/3904-556-0x0000000005600000-0x0000000005C18000-memory.dmp

Filesize
6.1MB

Download
memory/4040-155-0x0000000000000000-mapping.dmp

Download
memory/4172-290-0x0000000004320000-0x0000000004C46000-memory.dmp

Filesize
9.1MB

Download
memory/4172-154-0x0000000000000000-mapping.dmp

Download
memory/4192-375-0x0000000000000000-mapping.dmp

Download
memory/4272-376-0x0000000000000000-mapping.dmp

Download
memory/4324-146-0x00000000044B0000-0x00000000045EF000-memory.dmp

Filesize
1.2MB

Download
memory/4344-308-0x0000000000000000-mapping.dmp

Download
memory/4400-422-0x0000000000000000-mapping.dmp

Download
memory/4400-461-0x0000000005410000-0x0000000005411000-memory.dmp

Filesize
4KB

Download
memory/4504-341-0x0000000000000000-mapping.dmp

Download
memory/4504-351-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4512-274-0x0000000001290000-0x00000000012A0000-memory.dmp

Filesize
64KB

Download
memory/4512-263-0x0000000000000000-mapping.dmp

Download
memory/4512-296-0x00000000028D0000-0x00000000028E2000-memory.dmp

Filesize
72KB

Download
memory/4752-366-0x0000000005B40000-0x0000000005B41000-memory.dmp

Filesize
4KB

Download
memory/4752-322-0x0000000005AC0000-0x0000000005AC1000-memory.dmp

Filesize
4KB

Download
memory/4752-381-0x0000000005B60000-0x0000000005B61000-memory.dmp

Filesize
4KB

Download
memory/4752-294-0x00000000021A0000-0x00000000021A1000-memory.dmp

Filesize
4KB

Download
memory/4752-364-0x0000000005B30000-0x0000000005B31000-memory.dmp

Filesize
4KB

Download
memory/4752-361-0x0000000005B20000-0x0000000005B21000-memory.dmp

Filesize
4KB

Download
memory/4752-326-0x0000000005AD0000-0x0000000005AD1000-memory.dmp

Filesize
4KB

Download
memory/4752-301-0x0000000005A50000-0x0000000005A51000-memory.dmp

Filesize
4KB

Download
memory/4752-357-0x0000000005B10000-0x0000000005B11000-memory.dmp

Filesize
4KB

Download
memory/4752-303-0x0000000005A70000-0x0000000005A71000-memory.dmp

Filesize
4KB

Download
memory/4752-252-0x0000000000000000-mapping.dmp

Download
memory/4752-343-0x0000000005B00000-0x0000000005B01000-memory.dmp

Filesize
4KB

Download
memory/4752-338-0x0000000005AF0000-0x0000000005AF1000-memory.dmp

Filesize
4KB

Download
memory/4752-331-0x0000000005AE0000-0x0000000005AE1000-memory.dmp

Filesize
4KB

Download
memory/4752-302-0x0000000005A60000-0x0000000005A61000-memory.dmp

Filesize
4KB

Download
memory/4752-312-0x0000000005AA0000-0x0000000005AA1000-memory.dmp

Filesize
4KB

Download
memory/4752-370-0x0000000005B50000-0x0000000005B51000-memory.dmp

Filesize
4KB

Download
memory/4752-316-0x0000000005AB0000-0x0000000005AB1000-memory.dmp

Filesize
4KB

Download
memory/4752-309-0x0000000005A90000-0x0000000005A91000-memory.dmp

Filesize
4KB

Download
memory/4752-269-0x00000000031C0000-0x00000000031FC000-memory.dmp

Filesize
240KB

Download
memory/4752-306-0x0000000005A80000-0x0000000005A81000-memory.dmp

Filesize
4KB

Download
memory/4780-470-0x0000000000000000-mapping.dmp

Download
memory/4780-521-0x0000000005900000-0x0000000005F18000-memory.dmp

Filesize
6.1MB

Download
memory/4904-284-0x0000000005410000-0x0000000005411000-memory.dmp

Filesize
4KB

Download
memory/4904-283-0x0000000005380000-0x0000000005926000-memory.dmp

Filesize
5.6MB

Download
memory/4904-202-0x0000000000940000-0x0000000000941000-memory.dmp

Filesize
4KB

Download
memory/4904-153-0x0000000000000000-mapping.dmp

Download
memory/4936-246-0x0000000001730000-0x0000000001749000-memory.dmp

Filesize
100KB

Download
memory/4936-205-0x0000000000F70000-0x0000000000F71000-memory.dmp

Filesize
4KB

Download
memory/4936-161-0x0000000000000000-mapping.dmp

Download
memory/4936-232-0x0000000002FA0000-0x0000000002FA2000-memory.dmp

Filesize
8KB

Download
memory/4968-589-0x0000000000000000-mapping.dmp

Download
memory/5008-458-0x00000000053F0000-0x0000000005A08000-memory.dmp

Filesize
6.1MB

Download
memory/5008-423-0x0000000000000000-mapping.dmp

Download
memory/5040-270-0x00000000008C0000-0x00000000008C3000-memory.dmp

Filesize
12KB

Download
memory/5040-254-0x0000000000000000-mapping.dmp

Download
memory/5168-474-0x0000000000000000-mapping.dmp

Download
memory/5304-586-0x0000000005510000-0x0000000005B28000-memory.dmp

Filesize
6.1MB

Download
memory/5304-525-0x0000000000000000-mapping.dmp

Download
memory/5328-487-0x0000000000000000-mapping.dmp

Download
memory/5596-627-0x0000000000000000-mapping.dmp

Download
memory/5608-574-0x0000000000000000-mapping.dmp

Download
memory/5608-591-0x0000000002E90000-0x0000000002E91000-memory.dmp

Filesize
4KB

Download
memory/5608-625-0x0000000004F80000-0x0000000005170000-memory.dmp

Filesize
1.9MB

Download
memory/5736-561-0x00000000050E0000-0x00000000050E1000-memory.dmp

Filesize
4KB

Download
memory/5736-508-0x0000000000000000-mapping.dmp

Download
memory/5904-562-0x0000000000000000-mapping.dmp

Download
memory/5904-617-0x0000000004EB0000-0x00000000054C8000-memory.dmp

Filesize
6.1MB

Download
memory/5932-565-0x0000000000000000-mapping.dmp

Download
memory/5932-633-0x0000000005610000-0x0000000005C28000-memory.dmp

Filesize
6.1MB

Download
memory/6116-603-0x0000000000000000-mapping.dmp

Download