glupteba | 1cd649ea4273fd977b6a350bfe8f3b62f1d0aee1408b9966aa3d6ad39ba5af6a

Target

Setup (15).exe
Size

631KB
MD5

cb927513ff8ebff4dd52a47f7e42f934
SHA1

0de47c02a8adc4940a6c18621b4e4a619641d029
SHA256

fd5c970806fba1500cbb6af5328329aeb43b8de3f02d90ec5d8cd1d57711622f
SHA512

988c8fd886a9155b7d190faf2ce6b34d910efcffcf1c6251f18a9d0c804a0ea26a89679273033ac98b200363c536426efd1ae9de445c34e660369abb06f0071c

Score

10^/10

glupteba metasploit redline smokeloader vidar mybirja spspectr backdoor discovery dropper evasion infostealer loader persistence spyware stealer themida trojan

Malware Config

Extracted

Family

redline

Botnet

mybirja

45.14.49.232:63850

Extracted

Family

metasploit

Version

windows/single_exec

Extracted

Family

redline

Botnet

spspectr

135.148.139.222:1494

Extracted

Family

smokeloader

Version

2020

http://readinglistforaugust1.xyz/

http://readinglistforaugust2.xyz/

http://readinglistforaugust3.xyz/

http://readinglistforaugust4.xyz/

http://readinglistforaugust5.xyz/

http://readinglistforaugust6.xyz/

http://readinglistforaugust7.xyz/

http://readinglistforaugust8.xyz/

http://readinglistforaugust9.xyz/

http://readinglistforaugust10.xyz/

http://readinglistforaugust1.site/

http://readinglistforaugust2.site/

http://readinglistforaugust3.site/

http://readinglistforaugust4.site/

http://readinglistforaugust5.site/

http://readinglistforaugust6.site/

http://readinglistforaugust7.site/

http://readinglistforaugust8.site/

http://readinglistforaugust9.site/

http://readinglistforaugust10.site/

rc4.i32

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba Payload 1 IoCs

Processes:

resource	yara_rule
behavioral7/memory/5108-292-0x0000000004360000-0x0000000004C86000-memory.dmp	family_glupteba

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rundll32.exe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5824 4972 rundll32.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5824	4972	rundll32.exe

RedLine Payload 18 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\Documents\VxcrRjNIAk97NI6_Vck1Prp5.exe	family_redline
C:\Users\Admin\Documents\VxcrRjNIAk97NI6_Vck1Prp5.exe	family_redline
behavioral7/memory/1588-324-0x0000000000400000-0x0000000000422000-memory.dmp	family_redline
behavioral7/memory/1588-321-0x0000000000000000-mapping.dmp	family_redline
behavioral7/memory/2176-334-0x0000000000000000-mapping.dmp	family_redline
behavioral7/memory/4108-362-0x0000000000000000-mapping.dmp	family_redline
behavioral7/memory/2988-397-0x0000000000000000-mapping.dmp	family_redline
behavioral7/memory/4536-416-0x0000000000000000-mapping.dmp	family_redline
behavioral7/memory/1980-430-0x0000000000000000-mapping.dmp	family_redline
behavioral7/memory/4108-421-0x00000000054D0000-0x0000000005AE8000-memory.dmp	family_redline
behavioral7/memory/2464-459-0x0000000000000000-mapping.dmp	family_redline
behavioral7/memory/1896-450-0x0000000000000000-mapping.dmp	family_redline
behavioral7/memory/4256-487-0x0000000000000000-mapping.dmp	family_redline
behavioral7/memory/5252-533-0x0000000000000000-mapping.dmp	family_redline
behavioral7/memory/5492-552-0x0000000000000000-mapping.dmp	family_redline
behavioral7/memory/2072-510-0x0000000000000000-mapping.dmp	family_redline
behavioral7/memory/6092-611-0x0000000000000000-mapping.dmp	family_redline
behavioral7/memory/5196-616-0x0000000000000000-mapping.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Suspicious use of NtCreateProcessExOtherParentProcess 18 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exetunJqr2kv3i7JYxkXqi1mgOP.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exetunJqr2kv3i7JYxkXqi1mgOP.exe

description	pid	process	target process
PID 4680 created 4004	4680	WerFault.exe	afTmfJHHm1an_D7frDg_SHE5.exe
PID 3292 created 2344	3292	WerFault.exe	yEJwoui80rttZBX7MS_TSSij.exe
PID 3268 created 4844	3268		qnRYwqmXI74VT8xw9sDQzviT.exe
PID 1524 created 5108	1524	WerFault.exe	gzmoY803sa6AbaNcFGlQwfPi.exe
PID 1480 created 4840	1480	WerFault.exe	7NxLi8tgEzKv0b84vQsXm7H3.exe
PID 3376 created 5876	3376	WerFault.exe	rundll32.exe
PID 5960 created 1208	5960	WerFault.exe	Spadille.exe
PID 4896 created 1444	4896	WerFault.exe	Spadille.exe
PID 6720 created 2276	6720	WerFault.exe	B008.exe
PID 2364 created 2880	2364	WerFault.exe	Spadille.exe
PID 6620 created 5264	6620	tunJqr2kv3i7JYxkXqi1mgOP.exe	WGfzVN85f0IsKR_XWeRTWh1n.exe
PID 6804 created 2880	6804	WerFault.exe	Spadille.exe
PID 4620 created 2948	4620	WerFault.exe	tunJqr2kv3i7JYxkXqi1mgOP.exe
PID 5372 created 6304	5372	WerFault.exe	WGfzVN85f0IsKR_XWeRTWh1n.exe
PID 4904 created 7744	4904	WerFault.exe	WGfzVN85f0IsKR_XWeRTWh1n.exe
PID 6812 created 6384	6812	WerFault.exe	WGfzVN85f0IsKR_XWeRTWh1n.exe
PID 10016 created 9636	10016	WerFault.exe	tunJqr2kv3i7JYxkXqi1mgOP.exe
PID 10112 created 7804	10112	tunJqr2kv3i7JYxkXqi1mgOP.exe	Spadille.exe

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Vidar Stealer 1 IoCs

stealer

Processes:

resource	yara_rule
behavioral7/memory/4844-247-0x0000000003BD0000-0x0000000003CA3000-memory.dmp	family_vidar

Downloads MZ/PE file

Executes dropped EXE 64 IoCs

Processes:

gzmoY803sa6AbaNcFGlQwfPi.exeyEJwoui80rttZBX7MS_TSSij.execqdK9mPCWVHPtjoHS91deMYV.exeWGfzVN85f0IsKR_XWeRTWh1n.exeGky928l7EtoX3oEqejBa7mxO.exek3H1zcypdzdTk2_HIheW4Z_6.exe7NxLi8tgEzKv0b84vQsXm7H3.exeqnRYwqmXI74VT8xw9sDQzviT.exeVxcrRjNIAk97NI6_Vck1Prp5.exetunJqr2kv3i7JYxkXqi1mgOP.exedkHdEuySOe03h7AqjzaT0Vy9.exeafTmfJHHm1an_D7frDg_SHE5.exeWtfVs8FzWdTpKzexQbdzL4Pr.exeMU9BB84AEpJadrg6XVwAfGSD.exeFQ_l6Tp2UYASTgLE2eX2iH7S.exeUT1N41DU5oKDEHbmOiU_xsB0.exeBayqOTB6ywe6b73BM4RPBL5Y.exelOtBRW8MYEPvU0x8FwVebuUJ.exeluaS8H_XAvsVqPzQJEMuKMqZ.exe6QRqKELhpPYzrDZ846GoNiKK.exen3izj8NedK8WGX_Eah9ESj3X.exeJilih0KhxJuA19M9pWYJCMYV.executm3.exewAxV2xGR2jmHwwcdHzSTc4s0.exemd8_8eus.exeinst1.exewAxV2xGR2jmHwwcdHzSTc4s0.tmpluaS8H_XAvsVqPzQJEMuKMqZ.exeWGfzVN85f0IsKR_XWeRTWh1n.exetunJqr2kv3i7JYxkXqi1mgOP.exe6QRqKELhpPYzrDZ846GoNiKK.execqdK9mPCWVHPtjoHS91deMYV.exeWGfzVN85f0IsKR_XWeRTWh1n.exeSpadille.exe4420888.exetunJqr2kv3i7JYxkXqi1mgOP.exe2554063.exe1551075.exe6QRqKELhpPYzrDZ846GoNiKK.exeIQ0V_Fe_.eXESpadille.exeWGfzVN85f0IsKR_XWeRTWh1n.exetunJqr2kv3i7JYxkXqi1mgOP.exeMU9BB84AEpJadrg6XVwAfGSD.exe6QRqKELhpPYzrDZ846GoNiKK.exeWGfzVN85f0IsKR_XWeRTWh1n.exeSpadille.exetunJqr2kv3i7JYxkXqi1mgOP.exe9840432e051a6fa1192594db02b80a4c1fd73456.exe6QRqKELhpPYzrDZ846GoNiKK.exeSpadille.exeWGfzVN85f0IsKR_XWeRTWh1n.exeSpadille.exetunJqr2kv3i7JYxkXqi1mgOP.exe6QRqKELhpPYzrDZ846GoNiKK.exeWinHoster.exeWGfzVN85f0IsKR_XWeRTWh1n.exeWGfzVN85f0IsKR_XWeRTWh1n.exetunJqr2kv3i7JYxkXqi1mgOP.exe6QRqKELhpPYzrDZ846GoNiKK.exeWGfzVN85f0IsKR_XWeRTWh1n.exetunJqr2kv3i7JYxkXqi1mgOP.exeSpadille.exe

pid	process
5108	gzmoY803sa6AbaNcFGlQwfPi.exe
2344	yEJwoui80rttZBX7MS_TSSij.exe
4580	cqdK9mPCWVHPtjoHS91deMYV.exe
3340	WGfzVN85f0IsKR_XWeRTWh1n.exe
3188	Gky928l7EtoX3oEqejBa7mxO.exe
3092	k3H1zcypdzdTk2_HIheW4Z_6.exe
4840	7NxLi8tgEzKv0b84vQsXm7H3.exe
4844	qnRYwqmXI74VT8xw9sDQzviT.exe
4188	VxcrRjNIAk97NI6_Vck1Prp5.exe
3656	tunJqr2kv3i7JYxkXqi1mgOP.exe
4036	dkHdEuySOe03h7AqjzaT0Vy9.exe
4004	afTmfJHHm1an_D7frDg_SHE5.exe
4224	WtfVs8FzWdTpKzexQbdzL4Pr.exe
4012	MU9BB84AEpJadrg6XVwAfGSD.exe
3148	FQ_l6Tp2UYASTgLE2eX2iH7S.exe
592	UT1N41DU5oKDEHbmOiU_xsB0.exe
3272	BayqOTB6ywe6b73BM4RPBL5Y.exe
1640	lOtBRW8MYEPvU0x8FwVebuUJ.exe
1748	luaS8H_XAvsVqPzQJEMuKMqZ.exe
1556	6QRqKELhpPYzrDZ846GoNiKK.exe
1676	n3izj8NedK8WGX_Eah9ESj3X.exe
2004	Jilih0KhxJuA19M9pWYJCMYV.exe
2896	cutm3.exe
3132	wAxV2xGR2jmHwwcdHzSTc4s0.exe
2244	md8_8eus.exe
4684	inst1.exe
3856	wAxV2xGR2jmHwwcdHzSTc4s0.tmp
2116	luaS8H_XAvsVqPzQJEMuKMqZ.exe
2488	WGfzVN85f0IsKR_XWeRTWh1n.exe
1588	tunJqr2kv3i7JYxkXqi1mgOP.exe
2176	6QRqKELhpPYzrDZ846GoNiKK.exe
3232	cqdK9mPCWVHPtjoHS91deMYV.exe
4108	WGfzVN85f0IsKR_XWeRTWh1n.exe
1208	Spadille.exe
1232	4420888.exe
2988	tunJqr2kv3i7JYxkXqi1mgOP.exe
3092	2554063.exe
3616	1551075.exe
4536	6QRqKELhpPYzrDZ846GoNiKK.exe
1560	IQ0V_Fe_.eXE
1444	Spadille.exe
1980	WGfzVN85f0IsKR_XWeRTWh1n.exe
1896	tunJqr2kv3i7JYxkXqi1mgOP.exe
3216	MU9BB84AEpJadrg6XVwAfGSD.exe
2464	6QRqKELhpPYzrDZ846GoNiKK.exe
4256	WGfzVN85f0IsKR_XWeRTWh1n.exe
5340	Spadille.exe
1684	tunJqr2kv3i7JYxkXqi1mgOP.exe
5424	9840432e051a6fa1192594db02b80a4c1fd73456.exe
2072	6QRqKELhpPYzrDZ846GoNiKK.exe
5584	Spadille.exe
5252	WGfzVN85f0IsKR_XWeRTWh1n.exe
5956	Spadille.exe
5492	tunJqr2kv3i7JYxkXqi1mgOP.exe
5684	6QRqKELhpPYzrDZ846GoNiKK.exe
5696	WinHoster.exe
812	WGfzVN85f0IsKR_XWeRTWh1n.exe
6092	WGfzVN85f0IsKR_XWeRTWh1n.exe
5196	tunJqr2kv3i7JYxkXqi1mgOP.exe
5912	6QRqKELhpPYzrDZ846GoNiKK.exe
3216	MU9BB84AEpJadrg6XVwAfGSD.exe
6116	WGfzVN85f0IsKR_XWeRTWh1n.exe
3128	tunJqr2kv3i7JYxkXqi1mgOP.exe
5348	Spadille.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WerFault.exeWtfVs8FzWdTpKzexQbdzL4Pr.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	WtfVs8FzWdTpKzexQbdzL4Pr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	WtfVs8FzWdTpKzexQbdzL4Pr.exe

Loads dropped DLL 7 IoCs

Processes:

wAxV2xGR2jmHwwcdHzSTc4s0.tmprundll32.exeSpadille.exerundll32.exe9840432e051a6fa1192594db02b80a4c1fd73456.exe

pid	process
3856	wAxV2xGR2jmHwwcdHzSTc4s0.tmp
3856	wAxV2xGR2jmHwwcdHzSTc4s0.tmp
5876	rundll32.exe
5956	Spadille.exe
5956	Spadille.exe
5140	rundll32.exe
5424	9840432e051a6fa1192594db02b80a4c1fd73456.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Themida packer 5 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\Documents\WtfVs8FzWdTpKzexQbdzL4Pr.exe	themida
C:\Users\Admin\Documents\dkHdEuySOe03h7AqjzaT0Vy9.exe	themida
C:\Users\Admin\Documents\dkHdEuySOe03h7AqjzaT0Vy9.exe	themida
C:\Users\Admin\Documents\WtfVs8FzWdTpKzexQbdzL4Pr.exe	themida
behavioral7/memory/4036-312-0x0000000001000000-0x0000000001001000-memory.dmp	themida

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

4420888.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinHost = "C:\\Users\\Admin\\AppData\\Roaming\\WinHost\\WinHoster.exe"	4420888.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

dkHdEuySOe03h7AqjzaT0Vy9.exeWtfVs8FzWdTpKzexQbdzL4Pr.exemd8_8eus.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dkHdEuySOe03h7AqjzaT0Vy9.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WtfVs8FzWdTpKzexQbdzL4Pr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	md8_8eus.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 5 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

93 ipinfo.io
96 ipinfo.io
2 ipinfo.io
3 ip-api.com
28 ipinfo.io
Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

Processes:

dkHdEuySOe03h7AqjzaT0Vy9.exeWtfVs8FzWdTpKzexQbdzL4Pr.exe1962.exe

pid process

4036 dkHdEuySOe03h7AqjzaT0Vy9.exe
4224 WtfVs8FzWdTpKzexQbdzL4Pr.exe
1276 1962.exe
1276 1962.exe
1276 1962.exe
1276 1962.exe

flow	ioc
93	ipinfo.io
96	ipinfo.io
2	ipinfo.io
3	ip-api.com
28	ipinfo.io

pid	process
4036	dkHdEuySOe03h7AqjzaT0Vy9.exe
4224	WtfVs8FzWdTpKzexQbdzL4Pr.exe
1276	1962.exe
1276	1962.exe
1276	1962.exe
1276	1962.exe

Suspicious use of SetThreadContext 64 IoCs

Processes:

tunJqr2kv3i7JYxkXqi1mgOP.exe6QRqKELhpPYzrDZ846GoNiKK.execqdK9mPCWVHPtjoHS91deMYV.exeWGfzVN85f0IsKR_XWeRTWh1n.exeMU9BB84AEpJadrg6XVwAfGSD.exeSpadille.exeBayqOTB6ywe6b73BM4RPBL5Y.exeGky928l7EtoX3oEqejBa7mxO.exe

description	pid	process	target process
PID 3656 set thread context of 1588	3656	tunJqr2kv3i7JYxkXqi1mgOP.exe	tunJqr2kv3i7JYxkXqi1mgOP.exe
PID 1556 set thread context of 2176	1556	6QRqKELhpPYzrDZ846GoNiKK.exe	6QRqKELhpPYzrDZ846GoNiKK.exe
PID 4580 set thread context of 3232	4580	cqdK9mPCWVHPtjoHS91deMYV.exe	cqdK9mPCWVHPtjoHS91deMYV.exe
PID 3340 set thread context of 4108	3340	WGfzVN85f0IsKR_XWeRTWh1n.exe	WGfzVN85f0IsKR_XWeRTWh1n.exe
PID 3656 set thread context of 2988	3656	tunJqr2kv3i7JYxkXqi1mgOP.exe	tunJqr2kv3i7JYxkXqi1mgOP.exe
PID 1556 set thread context of 4536	1556	6QRqKELhpPYzrDZ846GoNiKK.exe	6QRqKELhpPYzrDZ846GoNiKK.exe
PID 3340 set thread context of 1980	3340	WGfzVN85f0IsKR_XWeRTWh1n.exe	WGfzVN85f0IsKR_XWeRTWh1n.exe
PID 3656 set thread context of 1896	3656	tunJqr2kv3i7JYxkXqi1mgOP.exe	tunJqr2kv3i7JYxkXqi1mgOP.exe
PID 1556 set thread context of 2464	1556	6QRqKELhpPYzrDZ846GoNiKK.exe	6QRqKELhpPYzrDZ846GoNiKK.exe
PID 3340 set thread context of 4256	3340	WGfzVN85f0IsKR_XWeRTWh1n.exe	WGfzVN85f0IsKR_XWeRTWh1n.exe
PID 1556 set thread context of 2072	1556	6QRqKELhpPYzrDZ846GoNiKK.exe	6QRqKELhpPYzrDZ846GoNiKK.exe
PID 3340 set thread context of 5252	3340	WGfzVN85f0IsKR_XWeRTWh1n.exe	WGfzVN85f0IsKR_XWeRTWh1n.exe
PID 3656 set thread context of 5492	3656	tunJqr2kv3i7JYxkXqi1mgOP.exe	tunJqr2kv3i7JYxkXqi1mgOP.exe
PID 3340 set thread context of 6092	3340	WGfzVN85f0IsKR_XWeRTWh1n.exe	WGfzVN85f0IsKR_XWeRTWh1n.exe
PID 3656 set thread context of 5196	3656	tunJqr2kv3i7JYxkXqi1mgOP.exe	tunJqr2kv3i7JYxkXqi1mgOP.exe
PID 1556 set thread context of 5912	1556	6QRqKELhpPYzrDZ846GoNiKK.exe	6QRqKELhpPYzrDZ846GoNiKK.exe
PID 4012 set thread context of 3216	4012	MU9BB84AEpJadrg6XVwAfGSD.exe	MU9BB84AEpJadrg6XVwAfGSD.exe
PID 3340 set thread context of 6116	3340	WGfzVN85f0IsKR_XWeRTWh1n.exe	WGfzVN85f0IsKR_XWeRTWh1n.exe
PID 3656 set thread context of 3128	3656	tunJqr2kv3i7JYxkXqi1mgOP.exe	tunJqr2kv3i7JYxkXqi1mgOP.exe
PID 1556 set thread context of 5568	1556	6QRqKELhpPYzrDZ846GoNiKK.exe	6QRqKELhpPYzrDZ846GoNiKK.exe
PID 5340 set thread context of 4572	5340	Spadille.exe	Spadille.exe
PID 3340 set thread context of 1956	3340	WGfzVN85f0IsKR_XWeRTWh1n.exe	WGfzVN85f0IsKR_XWeRTWh1n.exe
PID 3656 set thread context of 3104	3656	tunJqr2kv3i7JYxkXqi1mgOP.exe	tunJqr2kv3i7JYxkXqi1mgOP.exe
PID 1556 set thread context of 256	1556	6QRqKELhpPYzrDZ846GoNiKK.exe	6QRqKELhpPYzrDZ846GoNiKK.exe
PID 5340 set thread context of 5636	5340	Spadille.exe	Spadille.exe
PID 3340 set thread context of 2528	3340	WGfzVN85f0IsKR_XWeRTWh1n.exe	WGfzVN85f0IsKR_XWeRTWh1n.exe
PID 1556 set thread context of 6040	1556	6QRqKELhpPYzrDZ846GoNiKK.exe	6QRqKELhpPYzrDZ846GoNiKK.exe
PID 3656 set thread context of 6080	3656	tunJqr2kv3i7JYxkXqi1mgOP.exe	tunJqr2kv3i7JYxkXqi1mgOP.exe
PID 5340 set thread context of 2280	5340	Spadille.exe	Spadille.exe
PID 3340 set thread context of 2168	3340	WGfzVN85f0IsKR_XWeRTWh1n.exe	WGfzVN85f0IsKR_XWeRTWh1n.exe
PID 3656 set thread context of 5872	3656	tunJqr2kv3i7JYxkXqi1mgOP.exe	tunJqr2kv3i7JYxkXqi1mgOP.exe
PID 5340 set thread context of 5748	5340	Spadille.exe	Spadille.exe
PID 1556 set thread context of 1852	1556	6QRqKELhpPYzrDZ846GoNiKK.exe	6QRqKELhpPYzrDZ846GoNiKK.exe
PID 3272 set thread context of 5784	3272	BayqOTB6ywe6b73BM4RPBL5Y.exe	BayqOTB6ywe6b73BM4RPBL5Y.exe
PID 3656 set thread context of 1432	3656	tunJqr2kv3i7JYxkXqi1mgOP.exe	tunJqr2kv3i7JYxkXqi1mgOP.exe
PID 5340 set thread context of 2008	5340	Spadille.exe	Spadille.exe
PID 1556 set thread context of 868	1556	6QRqKELhpPYzrDZ846GoNiKK.exe	6QRqKELhpPYzrDZ846GoNiKK.exe
PID 3340 set thread context of 6004	3340	WGfzVN85f0IsKR_XWeRTWh1n.exe	WGfzVN85f0IsKR_XWeRTWh1n.exe
PID 3656 set thread context of 5176	3656	tunJqr2kv3i7JYxkXqi1mgOP.exe	tunJqr2kv3i7JYxkXqi1mgOP.exe
PID 3188 set thread context of 1096	3188	Gky928l7EtoX3oEqejBa7mxO.exe	WGfzVN85f0IsKR_XWeRTWh1n.exe
PID 3340 set thread context of 1824	3340	WGfzVN85f0IsKR_XWeRTWh1n.exe	WGfzVN85f0IsKR_XWeRTWh1n.exe
PID 3656 set thread context of 4684	3656	tunJqr2kv3i7JYxkXqi1mgOP.exe	tunJqr2kv3i7JYxkXqi1mgOP.exe
PID 1556 set thread context of 3020	1556	6QRqKELhpPYzrDZ846GoNiKK.exe	6QRqKELhpPYzrDZ846GoNiKK.exe
PID 5340 set thread context of 5820	5340	Spadille.exe	Spadille.exe
PID 3340 set thread context of 5096	3340	WGfzVN85f0IsKR_XWeRTWh1n.exe	WGfzVN85f0IsKR_XWeRTWh1n.exe
PID 3656 set thread context of 5740	3656	tunJqr2kv3i7JYxkXqi1mgOP.exe	tunJqr2kv3i7JYxkXqi1mgOP.exe
PID 1556 set thread context of 6324	1556	6QRqKELhpPYzrDZ846GoNiKK.exe	6QRqKELhpPYzrDZ846GoNiKK.exe
PID 5340 set thread context of 6392	5340	Spadille.exe	Spadille.exe
PID 3340 set thread context of 6572	3340	WGfzVN85f0IsKR_XWeRTWh1n.exe	WGfzVN85f0IsKR_XWeRTWh1n.exe
PID 3656 set thread context of 6640	3656	tunJqr2kv3i7JYxkXqi1mgOP.exe	tunJqr2kv3i7JYxkXqi1mgOP.exe
PID 1556 set thread context of 6732	1556	6QRqKELhpPYzrDZ846GoNiKK.exe	6QRqKELhpPYzrDZ846GoNiKK.exe
PID 5340 set thread context of 7004	5340	Spadille.exe	Spadille.exe
PID 3340 set thread context of 4436	3340	WGfzVN85f0IsKR_XWeRTWh1n.exe	WGfzVN85f0IsKR_XWeRTWh1n.exe
PID 3656 set thread context of 1172	3656	tunJqr2kv3i7JYxkXqi1mgOP.exe	tunJqr2kv3i7JYxkXqi1mgOP.exe
PID 1556 set thread context of 3364	1556	6QRqKELhpPYzrDZ846GoNiKK.exe	6QRqKELhpPYzrDZ846GoNiKK.exe
PID 5340 set thread context of 1820	5340	Spadille.exe	Spadille.exe
PID 3340 set thread context of 6796	3340	WGfzVN85f0IsKR_XWeRTWh1n.exe	WGfzVN85f0IsKR_XWeRTWh1n.exe
PID 3656 set thread context of 1344	3656	tunJqr2kv3i7JYxkXqi1mgOP.exe	tunJqr2kv3i7JYxkXqi1mgOP.exe
PID 5340 set thread context of 7044	5340	Spadille.exe	Spadille.exe
PID 3656 set thread context of 6192	3656	tunJqr2kv3i7JYxkXqi1mgOP.exe	tunJqr2kv3i7JYxkXqi1mgOP.exe
PID 1556 set thread context of 1612	1556	6QRqKELhpPYzrDZ846GoNiKK.exe	6QRqKELhpPYzrDZ846GoNiKK.exe
PID 3656 set thread context of 4864	3656	tunJqr2kv3i7JYxkXqi1mgOP.exe	tunJqr2kv3i7JYxkXqi1mgOP.exe
PID 1556 set thread context of 6940	1556	6QRqKELhpPYzrDZ846GoNiKK.exe	6QRqKELhpPYzrDZ846GoNiKK.exe
PID 3340 set thread context of 5412	3340	WGfzVN85f0IsKR_XWeRTWh1n.exe	WGfzVN85f0IsKR_XWeRTWh1n.exe

Drops file in Program Files directory 18 IoCs

Processes:

UT1N41DU5oKDEHbmOiU_xsB0.exen3izj8NedK8WGX_Eah9ESj3X.exeMU9BB84AEpJadrg6XVwAfGSD.exemd8_8eus.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Company\NewProduct\inst1.exe	UT1N41DU5oKDEHbmOiU_xsB0.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\Uninstall.exe	UT1N41DU5oKDEHbmOiU_xsB0.exe
File created	C:\Program Files (x86)\Company\NewProduct\Uninstall.ini	UT1N41DU5oKDEHbmOiU_xsB0.exe
File opened for modification	C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe	n3izj8NedK8WGX_Eah9ESj3X.exe
File opened for modification	C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe	MU9BB84AEpJadrg6XVwAfGSD.exe
File opened for modification	C:\Program Files (x86)\SmartPDF\SmartPDF\stat.exe	MU9BB84AEpJadrg6XVwAfGSD.exe
File opened for modification	C:\Program Files (x86)\SmartPDF\SmartPDF\Uninstall.exe	MU9BB84AEpJadrg6XVwAfGSD.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe	UT1N41DU5oKDEHbmOiU_xsB0.exe
File created	C:\Program Files (x86)\Company\NewProduct\tmp.edb	md8_8eus.exe
File created	C:\Program Files (x86)\Company\NewProduct\d.jfm	md8_8eus.exe
File created	C:\Program Files (x86)\Company\NewProduct\d	md8_8eus.exe
File opened for modification	C:\Program Files (x86)\SmartPDF\SmartPDF\9840432e051a6fa1192594db02b80a4c1fd73456.exe	MU9BB84AEpJadrg6XVwAfGSD.exe
File created	C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe	n3izj8NedK8WGX_Eah9ESj3X.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\d.jfm	md8_8eus.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\cutm3.exe	UT1N41DU5oKDEHbmOiU_xsB0.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\d.INTEG.RAW	md8_8eus.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\d	md8_8eus.exe
File created	C:\Program Files (x86)\SmartPDF\SmartPDF\Uninstall.ini	MU9BB84AEpJadrg6XVwAfGSD.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 41 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
404	4844	WerFault.exe	qnRYwqmXI74VT8xw9sDQzviT.exe
504	2344	WerFault.exe	yEJwoui80rttZBX7MS_TSSij.exe
2464	4004	WerFault.exe	afTmfJHHm1an_D7frDg_SHE5.exe
652	5108	WerFault.exe	gzmoY803sa6AbaNcFGlQwfPi.exe
2972	4840	WerFault.exe	7NxLi8tgEzKv0b84vQsXm7H3.exe
3888	5876	WerFault.exe
5248	1208	WerFault.exe	4499510.exe
6272	1444	WerFault.exe	8102960.exe
6980	2276	WerFault.exe	B008.exe
4036	2880	WerFault.exe	explorer.exe
6668	5264	WerFault.exe	WGfzVN85f0IsKR_XWeRTWh1n.exe
5524	2880	WerFault.exe	Spadille.exe
4800	2948	WerFault.exe	tunJqr2kv3i7JYxkXqi1mgOP.exe
7836	6304	WerFault.exe	6QRqKELhpPYzrDZ846GoNiKK.exe
7864	7744	WerFault.exe	WGfzVN85f0IsKR_XWeRTWh1n.exe
5764	6384	WerFault.exe	WGfzVN85f0IsKR_XWeRTWh1n.exe
10044	9636	WerFault.exe	tunJqr2kv3i7JYxkXqi1mgOP.exe
7888	7804	WerFault.exe	Spadille.exe
10992	11128	WerFault.exe	WGfzVN85f0IsKR_XWeRTWh1n.exe
11856	10472	WerFault.exe	6QRqKELhpPYzrDZ846GoNiKK.exe
9128	9572	WerFault.exe	WGfzVN85f0IsKR_XWeRTWh1n.exe
12292	4676	WerFault.exe	WGfzVN85f0IsKR_XWeRTWh1n.exe
19184	18708	WerFault.exe	6QRqKELhpPYzrDZ846GoNiKK.exe
18604	18864	WerFault.exe	WGfzVN85f0IsKR_XWeRTWh1n.exe
15660	7744	WerFault.exe	Spadille.exe
19460	19752	WerFault.exe	WGfzVN85f0IsKR_XWeRTWh1n.exe
11036	23792	WerFault.exe	WGfzVN85f0IsKR_XWeRTWh1n.exe
12076	25268	WerFault.exe	WGfzVN85f0IsKR_XWeRTWh1n.exe
26028	25584	WerFault.exe	WGfzVN85f0IsKR_XWeRTWh1n.exe
21224	16432	WerFault.exe	tunJqr2kv3i7JYxkXqi1mgOP.exe
25324	9728	WerFault.exe	tunJqr2kv3i7JYxkXqi1mgOP.exe
14368	21332
28976	17284
29384	25344
26076	8044
29968	11732
30320	18652
16064	22752
17920	22064
16408	31188
31300	31956

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

cqdK9mPCWVHPtjoHS91deMYV.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	cqdK9mPCWVHPtjoHS91deMYV.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	cqdK9mPCWVHPtjoHS91deMYV.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	cqdK9mPCWVHPtjoHS91deMYV.exe

Checks processor information in registry 2 TTPs 64 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeSpadille.exeWerFault.exeWerFault.exe6QRqKELhpPYzrDZ846GoNiKK.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Spadille.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	6QRqKELhpPYzrDZ846GoNiKK.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Spadille.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	6QRqKELhpPYzrDZ846GoNiKK.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	Spadille.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	6QRqKELhpPYzrDZ846GoNiKK.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	6QRqKELhpPYzrDZ846GoNiKK.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1520 schtasks.exe
5020 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1552 timeout.exe

pid	process
1520	schtasks.exe
5020	schtasks.exe

pid	process
1552	timeout.exe

Enumerates system info in registry 2 TTPs 36 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe6QRqKELhpPYzrDZ846GoNiKK.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeSpadille.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	6QRqKELhpPYzrDZ846GoNiKK.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	Spadille.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	6QRqKELhpPYzrDZ846GoNiKK.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	Spadille.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

4856 taskkill.exe

pid	process
4856	taskkill.exe

Modifies data under HKEY_USERS 3 IoCs

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache\7\52C64B7E	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe

Modifies registry class 4 IoCs

Processes:

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f8278c54-a712-415b-b593-b77a2be0dda9}\Instance\
Key created	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5b934b42-522b-4c34-bbfe-37a3ef7b9c90}\Instance\

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	94	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	106	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Setup (15).exe6QRqKELhpPYzrDZ846GoNiKK.exeWerFault.exeWerFault.execqdK9mPCWVHPtjoHS91deMYV.exeWerFault.exe

pid	process
4852	Setup (15).exe
4852	Setup (15).exe
2464	6QRqKELhpPYzrDZ846GoNiKK.exe
2464	6QRqKELhpPYzrDZ846GoNiKK.exe
504
504
404	WerFault.exe
404	WerFault.exe
652	WerFault.exe
652	WerFault.exe
3232	cqdK9mPCWVHPtjoHS91deMYV.exe
3232	cqdK9mPCWVHPtjoHS91deMYV.exe
2972	WerFault.exe
2972	WerFault.exe
3208
3208
3208
3208
3208
3208
3208
3208
3208
3208
3208
3208
3208
3208
3208
3208
3208
3208
3208
3208
3208
3208
3208
3208
3208
3208
3208
3208
3208
3208
3208
3208
3208
3208
3208
3208
3208
3208
3208
3208
3208
3208
3208
3208
3208
3208
3208
3208
3208
3208

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3208
Suspicious behavior: MapViewOfSection 19 IoCs

Processes:

cqdK9mPCWVHPtjoHS91deMYV.exe

pid process

3232 cqdK9mPCWVHPtjoHS91deMYV.exe
3208
3208
3208
3208
3208
3208
3208
3208
3208
3208
3208
3208
3208
3208
3208
3208
3208
3208

pid	process
3208

pid	process
3232	cqdK9mPCWVHPtjoHS91deMYV.exe
3208
3208
3208
3208
3208
3208
3208
3208
3208
3208
3208
3208
3208
3208
3208
3208
3208
3208

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

2554063.exeJilih0KhxJuA19M9pWYJCMYV.exe6QRqKELhpPYzrDZ846GoNiKK.exeWerFault.exeSpadille.exeVxcrRjNIAk97NI6_Vck1Prp5.exetaskkill.exeSpadille.exeWerFault.exeWtfVs8FzWdTpKzexQbdzL4Pr.exe

description	pid	process
Token: SeDebugPrivilege	3092	2554063.exe
Token: SeDebugPrivilege	2004	Jilih0KhxJuA19M9pWYJCMYV.exe
Token: SeRestorePrivilege	2464	6QRqKELhpPYzrDZ846GoNiKK.exe
Token: SeBackupPrivilege	2464	6QRqKELhpPYzrDZ846GoNiKK.exe
Token: SeRestorePrivilege	504
Token: SeBackupPrivilege	504
Token: SeRestorePrivilege	404	WerFault.exe
Token: SeBackupPrivilege	404	WerFault.exe
Token: SeDebugPrivilege	1208	Spadille.exe
Token: SeShutdownPrivilege	3208
Token: SeCreatePagefilePrivilege	3208
Token: SeShutdownPrivilege	3208
Token: SeCreatePagefilePrivilege	3208
Token: SeShutdownPrivilege	3208
Token: SeCreatePagefilePrivilege	3208
Token: SeShutdownPrivilege	3208
Token: SeCreatePagefilePrivilege	3208
Token: SeShutdownPrivilege	3208
Token: SeCreatePagefilePrivilege	3208
Token: SeDebugPrivilege	4188	VxcrRjNIAk97NI6_Vck1Prp5.exe
Token: SeDebugPrivilege	4856	taskkill.exe
Token: SeDebugPrivilege	1444	Spadille.exe
Token: SeShutdownPrivilege	3208
Token: SeCreatePagefilePrivilege	3208
Token: SeShutdownPrivilege	3208
Token: SeCreatePagefilePrivilege	3208
Token: SeShutdownPrivilege	3208
Token: SeCreatePagefilePrivilege	3208
Token: SeShutdownPrivilege	3208
Token: SeCreatePagefilePrivilege	3208
Token: SeShutdownPrivilege	3208
Token: SeCreatePagefilePrivilege	3208
Token: SeShutdownPrivilege	3208
Token: SeCreatePagefilePrivilege	3208
Token: SeShutdownPrivilege	3208
Token: SeCreatePagefilePrivilege	3208
Token: SeShutdownPrivilege	3208
Token: SeCreatePagefilePrivilege	3208
Token: SeShutdownPrivilege	3208
Token: SeCreatePagefilePrivilege	3208
Token: SeShutdownPrivilege	3208
Token: SeCreatePagefilePrivilege	3208
Token: SeShutdownPrivilege	3208
Token: SeCreatePagefilePrivilege	3208
Token: SeShutdownPrivilege	3208
Token: SeCreatePagefilePrivilege	3208
Token: SeDebugPrivilege	4036	WerFault.exe
Token: SeShutdownPrivilege	3208
Token: SeCreatePagefilePrivilege	3208
Token: SeShutdownPrivilege	3208
Token: SeCreatePagefilePrivilege	3208
Token: SeShutdownPrivilege	3208
Token: SeCreatePagefilePrivilege	3208
Token: SeShutdownPrivilege	3208
Token: SeCreatePagefilePrivilege	3208
Token: SeShutdownPrivilege	3208
Token: SeCreatePagefilePrivilege	3208
Token: SeShutdownPrivilege	3208
Token: SeCreatePagefilePrivilege	3208
Token: SeShutdownPrivilege	3208
Token: SeCreatePagefilePrivilege	3208
Token: SeDebugPrivilege	4224	WtfVs8FzWdTpKzexQbdzL4Pr.exe
Token: SeShutdownPrivilege	3208
Token: SeCreatePagefilePrivilege	3208

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

wAxV2xGR2jmHwwcdHzSTc4s0.tmp

pid process

3856 wAxV2xGR2jmHwwcdHzSTc4s0.tmp
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

Spadille.exe1962.exe

pid process

5584 Spadille.exe
1276 1962.exe
Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid process

3208

pid	process
5584	Spadille.exe
1276	1962.exe

pid	process
3208

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Setup (15).exelOtBRW8MYEPvU0x8FwVebuUJ.exe

description	pid	process	target process
PID 4852 wrote to memory of 5108	4852	Setup (15).exe	gzmoY803sa6AbaNcFGlQwfPi.exe
PID 4852 wrote to memory of 5108	4852	Setup (15).exe	gzmoY803sa6AbaNcFGlQwfPi.exe
PID 4852 wrote to memory of 5108	4852	Setup (15).exe	gzmoY803sa6AbaNcFGlQwfPi.exe
PID 4852 wrote to memory of 2344	4852	Setup (15).exe	yEJwoui80rttZBX7MS_TSSij.exe
PID 4852 wrote to memory of 2344	4852	Setup (15).exe	yEJwoui80rttZBX7MS_TSSij.exe
PID 4852 wrote to memory of 2344	4852	Setup (15).exe	yEJwoui80rttZBX7MS_TSSij.exe
PID 4852 wrote to memory of 4580	4852	Setup (15).exe	cqdK9mPCWVHPtjoHS91deMYV.exe
PID 4852 wrote to memory of 4580	4852	Setup (15).exe	cqdK9mPCWVHPtjoHS91deMYV.exe
PID 4852 wrote to memory of 4580	4852	Setup (15).exe	cqdK9mPCWVHPtjoHS91deMYV.exe
PID 4852 wrote to memory of 3340	4852	Setup (15).exe	WGfzVN85f0IsKR_XWeRTWh1n.exe
PID 4852 wrote to memory of 3340	4852	Setup (15).exe	WGfzVN85f0IsKR_XWeRTWh1n.exe
PID 4852 wrote to memory of 3340	4852	Setup (15).exe	WGfzVN85f0IsKR_XWeRTWh1n.exe
PID 4852 wrote to memory of 3188	4852	Setup (15).exe	Gky928l7EtoX3oEqejBa7mxO.exe
PID 4852 wrote to memory of 3188	4852	Setup (15).exe	Gky928l7EtoX3oEqejBa7mxO.exe
PID 4852 wrote to memory of 3188	4852	Setup (15).exe	Gky928l7EtoX3oEqejBa7mxO.exe
PID 4852 wrote to memory of 3092	4852	Setup (15).exe	k3H1zcypdzdTk2_HIheW4Z_6.exe
PID 4852 wrote to memory of 3092	4852	Setup (15).exe	k3H1zcypdzdTk2_HIheW4Z_6.exe
PID 4852 wrote to memory of 4840	4852	Setup (15).exe	7NxLi8tgEzKv0b84vQsXm7H3.exe
PID 4852 wrote to memory of 4840	4852	Setup (15).exe	7NxLi8tgEzKv0b84vQsXm7H3.exe
PID 4852 wrote to memory of 4840	4852	Setup (15).exe	7NxLi8tgEzKv0b84vQsXm7H3.exe
PID 4852 wrote to memory of 4188	4852	Setup (15).exe	VxcrRjNIAk97NI6_Vck1Prp5.exe
PID 4852 wrote to memory of 4188	4852	Setup (15).exe	VxcrRjNIAk97NI6_Vck1Prp5.exe
PID 4852 wrote to memory of 4188	4852	Setup (15).exe	VxcrRjNIAk97NI6_Vck1Prp5.exe
PID 4852 wrote to memory of 4844	4852	Setup (15).exe	qnRYwqmXI74VT8xw9sDQzviT.exe
PID 4852 wrote to memory of 4844	4852	Setup (15).exe	qnRYwqmXI74VT8xw9sDQzviT.exe
PID 4852 wrote to memory of 4844	4852	Setup (15).exe	qnRYwqmXI74VT8xw9sDQzviT.exe
PID 4852 wrote to memory of 3656	4852	Setup (15).exe	tunJqr2kv3i7JYxkXqi1mgOP.exe
PID 4852 wrote to memory of 3656	4852	Setup (15).exe	tunJqr2kv3i7JYxkXqi1mgOP.exe
PID 4852 wrote to memory of 3656	4852	Setup (15).exe	tunJqr2kv3i7JYxkXqi1mgOP.exe
PID 4852 wrote to memory of 4036	4852	Setup (15).exe	dkHdEuySOe03h7AqjzaT0Vy9.exe
PID 4852 wrote to memory of 4036	4852	Setup (15).exe	dkHdEuySOe03h7AqjzaT0Vy9.exe
PID 4852 wrote to memory of 4036	4852	Setup (15).exe	dkHdEuySOe03h7AqjzaT0Vy9.exe
PID 4852 wrote to memory of 4224	4852	Setup (15).exe	WtfVs8FzWdTpKzexQbdzL4Pr.exe
PID 4852 wrote to memory of 4224	4852	Setup (15).exe	WtfVs8FzWdTpKzexQbdzL4Pr.exe
PID 4852 wrote to memory of 4224	4852	Setup (15).exe	WtfVs8FzWdTpKzexQbdzL4Pr.exe
PID 4852 wrote to memory of 4004	4852	Setup (15).exe	afTmfJHHm1an_D7frDg_SHE5.exe
PID 4852 wrote to memory of 4004	4852	Setup (15).exe	afTmfJHHm1an_D7frDg_SHE5.exe
PID 4852 wrote to memory of 4004	4852	Setup (15).exe	afTmfJHHm1an_D7frDg_SHE5.exe
PID 4852 wrote to memory of 4012	4852	Setup (15).exe	MU9BB84AEpJadrg6XVwAfGSD.exe
PID 4852 wrote to memory of 4012	4852	Setup (15).exe	MU9BB84AEpJadrg6XVwAfGSD.exe
PID 4852 wrote to memory of 4012	4852	Setup (15).exe	MU9BB84AEpJadrg6XVwAfGSD.exe
PID 4852 wrote to memory of 3272	4852	Setup (15).exe	BayqOTB6ywe6b73BM4RPBL5Y.exe
PID 4852 wrote to memory of 3272	4852	Setup (15).exe	BayqOTB6ywe6b73BM4RPBL5Y.exe
PID 4852 wrote to memory of 3272	4852	Setup (15).exe	BayqOTB6ywe6b73BM4RPBL5Y.exe
PID 4852 wrote to memory of 3148	4852	Setup (15).exe	FQ_l6Tp2UYASTgLE2eX2iH7S.exe
PID 4852 wrote to memory of 3148	4852	Setup (15).exe	FQ_l6Tp2UYASTgLE2eX2iH7S.exe
PID 4852 wrote to memory of 592	4852	Setup (15).exe	UT1N41DU5oKDEHbmOiU_xsB0.exe
PID 4852 wrote to memory of 592	4852	Setup (15).exe	UT1N41DU5oKDEHbmOiU_xsB0.exe
PID 4852 wrote to memory of 592	4852	Setup (15).exe	UT1N41DU5oKDEHbmOiU_xsB0.exe
PID 4852 wrote to memory of 1556	4852	Setup (15).exe	6QRqKELhpPYzrDZ846GoNiKK.exe
PID 4852 wrote to memory of 1556	4852	Setup (15).exe	6QRqKELhpPYzrDZ846GoNiKK.exe
PID 4852 wrote to memory of 1556	4852	Setup (15).exe	6QRqKELhpPYzrDZ846GoNiKK.exe
PID 4852 wrote to memory of 1676	4852	Setup (15).exe	n3izj8NedK8WGX_Eah9ESj3X.exe
PID 4852 wrote to memory of 1676	4852	Setup (15).exe	n3izj8NedK8WGX_Eah9ESj3X.exe
PID 4852 wrote to memory of 1676	4852	Setup (15).exe	n3izj8NedK8WGX_Eah9ESj3X.exe
PID 4852 wrote to memory of 1640	4852	Setup (15).exe	lOtBRW8MYEPvU0x8FwVebuUJ.exe
PID 4852 wrote to memory of 1640	4852	Setup (15).exe	lOtBRW8MYEPvU0x8FwVebuUJ.exe
PID 4852 wrote to memory of 1640	4852	Setup (15).exe	lOtBRW8MYEPvU0x8FwVebuUJ.exe
PID 4852 wrote to memory of 1748	4852	Setup (15).exe	luaS8H_XAvsVqPzQJEMuKMqZ.exe
PID 4852 wrote to memory of 1748	4852	Setup (15).exe	luaS8H_XAvsVqPzQJEMuKMqZ.exe
PID 4852 wrote to memory of 1748	4852	Setup (15).exe	luaS8H_XAvsVqPzQJEMuKMqZ.exe
PID 4852 wrote to memory of 2004	4852	Setup (15).exe	Jilih0KhxJuA19M9pWYJCMYV.exe
PID 4852 wrote to memory of 2004	4852	Setup (15).exe	Jilih0KhxJuA19M9pWYJCMYV.exe
PID 1640 wrote to memory of 2696	1640	lOtBRW8MYEPvU0x8FwVebuUJ.exe	mshta.exe

C:\Users\Admin\AppData\Local\Temp\Setup (15).exe
"C:\Users\Admin\AppData\Local\Temp\Setup (15).exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4852

C:\Users\Admin\Documents\cqdK9mPCWVHPtjoHS91deMYV.exe
"C:\Users\Admin\Documents\cqdK9mPCWVHPtjoHS91deMYV.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4580

C:\Users\Admin\Documents\cqdK9mPCWVHPtjoHS91deMYV.exe
"C:\Users\Admin\Documents\cqdK9mPCWVHPtjoHS91deMYV.exe"
3⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3232

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
"C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3340

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
- Executes dropped EXE
PID:2488

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
- Executes dropped EXE
PID:4108

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
- Executes dropped EXE
PID:1980

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
- Executes dropped EXE
PID:4256

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
- Executes dropped EXE
PID:5252

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
- Executes dropped EXE
PID:6092

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
- Executes dropped EXE
PID:6116

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:1956

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:2528

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:2168

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:5148

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:6004

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:1824

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:5096

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:6572

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:4436

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:6796

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
- Executes dropped EXE
PID:812

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:5412

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:6740

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:5264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5264 -s 28
4⤵
- Program crash
PID:6668

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:1644

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:2092

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:4284

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:2736

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:4512

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:1212

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:1096

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:3356

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:3000

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:4304

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:2124

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:3544

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:6540

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:4696

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:5692

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:6936

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:1428

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:1640

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:4176

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:4316

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:7432

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:7732

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:7992

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:6880

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:5332

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:2732

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:7872

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:7908

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:6600

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:2192

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:6244

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:4900

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:988

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:6888

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:5452

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:7920

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:7092

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:5664

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:5304

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:680

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:5448

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:3936

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:6028

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:4084

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:6288

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:3220

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:6304

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:7676

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:6360

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:8424

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:8704

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:8912

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:8224

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:8620

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:8948

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:8228

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:2476

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:1500

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:8348

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:5616

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:4820

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:7220

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:5916

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:7744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7744 -s 28
4⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:7864

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:4848

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:8028

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:6384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6384 -s 28
4⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:5764

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:7736

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:3572

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:6584

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:4224

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:8400

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:4612

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:9240

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:9460

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:9888

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:4612

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:9928

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:7728

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:5724

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:9832

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:5100

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:1736

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:9352

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:8716

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:9200

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:5452

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:4160

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:10276

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:10760

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:11224

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:10740

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:11204

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:11128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 11128 -s 28
4⤵
- Program crash
PID:10992

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:6384

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:2236

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:10144

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:10568

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:10440

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:8632

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:6924

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:3680

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:11892

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:10512

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:12200

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:4336

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:11616

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:9772

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:9440

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:12708

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:13272

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:13004

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:7500

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:13560

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:14196

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:12528

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:14100

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:14700

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:9572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 9572 -s 28
4⤵
- Program crash
PID:9128

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:14124

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:15404

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:15912

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:14320

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:4676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4676 -s 28
4⤵
- Program crash
PID:12292

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:10752

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:16080

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:16136

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:17144

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:7280

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:5892

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:16972

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:11736

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:11448

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:1104

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:13284

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:10496

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:17764

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:18220

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:9472

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:15284

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:14592

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:18188

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:16348

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:18864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 18864 -s 28
4⤵
- Program crash
PID:18604

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:10852

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:6108

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:19124

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:11864

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:13984

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:19752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 19752 -s 28
4⤵
- Program crash
PID:19460

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:20312

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:20576

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:20768

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:21248

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:21328

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:16788

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:22200

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:13860

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:21532

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:9936

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:23040

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:21948

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:22532

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:22128

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:16904

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:12292

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:12484

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:18684

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:15660

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:24336

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:23792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 23792 -s 28
4⤵
- Program crash
PID:11036

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:8244

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:17644

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:19224

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:24728

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:14432

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:25268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 25268 -s 28
4⤵
- Program crash
PID:12076

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:24124

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:21388

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:26456

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:21324

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:21604

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:25584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 25584 -s 28
4⤵
- Program crash
PID:26028

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:26060

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:26556

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:14024

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:12404

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:26776

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:27472

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:23608

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:27664

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:27156

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:28600

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:9080

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:16824

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:28312

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:12160

C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe
3⤵
PID:15384

C:\Users\Admin\Documents\yEJwoui80rttZBX7MS_TSSij.exe
"C:\Users\Admin\Documents\yEJwoui80rttZBX7MS_TSSij.exe"
2⤵
- Executes dropped EXE
PID:2344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2344 -s 276
3⤵
- Program crash
PID:504

C:\Users\Admin\Documents\gzmoY803sa6AbaNcFGlQwfPi.exe
"C:\Users\Admin\Documents\gzmoY803sa6AbaNcFGlQwfPi.exe"
2⤵
- Executes dropped EXE
PID:5108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5108 -s 276
3⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
PID:652

C:\Users\Admin\Documents\7NxLi8tgEzKv0b84vQsXm7H3.exe
"C:\Users\Admin\Documents\7NxLi8tgEzKv0b84vQsXm7H3.exe"
2⤵
- Executes dropped EXE
PID:4840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4840 -s 236
3⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
PID:2972

C:\Users\Admin\Documents\qnRYwqmXI74VT8xw9sDQzviT.exe
"C:\Users\Admin\Documents\qnRYwqmXI74VT8xw9sDQzviT.exe"
2⤵
- Executes dropped EXE
PID:4844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4844 -s 280
3⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:404

C:\Users\Admin\Documents\VxcrRjNIAk97NI6_Vck1Prp5.exe
"C:\Users\Admin\Documents\VxcrRjNIAk97NI6_Vck1Prp5.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4188

C:\Users\Admin\Documents\k3H1zcypdzdTk2_HIheW4Z_6.exe
"C:\Users\Admin\Documents\k3H1zcypdzdTk2_HIheW4Z_6.exe"
2⤵
- Executes dropped EXE
PID:3092

C:\Users\Admin\Documents\Gky928l7EtoX3oEqejBa7mxO.exe
"C:\Users\Admin\Documents\Gky928l7EtoX3oEqejBa7mxO.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3188

C:\Users\Admin\Documents\Gky928l7EtoX3oEqejBa7mxO.exe
"C:\Users\Admin\Documents\Gky928l7EtoX3oEqejBa7mxO.exe"
3⤵
PID:5584

C:\Users\Admin\Documents\Gky928l7EtoX3oEqejBa7mxO.exe
"C:\Users\Admin\Documents\Gky928l7EtoX3oEqejBa7mxO.exe"
3⤵
PID:1096

C:\Users\Admin\Documents\WtfVs8FzWdTpKzexQbdzL4Pr.exe
"C:\Users\Admin\Documents\WtfVs8FzWdTpKzexQbdzL4Pr.exe"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:4224

C:\Users\Admin\Documents\dkHdEuySOe03h7AqjzaT0Vy9.exe
"C:\Users\Admin\Documents\dkHdEuySOe03h7AqjzaT0Vy9.exe"
2⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4036

C:\Users\Admin\Documents\afTmfJHHm1an_D7frDg_SHE5.exe
"C:\Users\Admin\Documents\afTmfJHHm1an_D7frDg_SHE5.exe"
2⤵
- Executes dropped EXE
PID:4004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4004 -s 296
3⤵
- Program crash
PID:2464

C:\Users\Admin\Documents\MU9BB84AEpJadrg6XVwAfGSD.exe
"C:\Users\Admin\Documents\MU9BB84AEpJadrg6XVwAfGSD.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4012

C:\Users\Admin\Documents\MU9BB84AEpJadrg6XVwAfGSD.exe
"C:\Users\Admin\Documents\MU9BB84AEpJadrg6XVwAfGSD.exe"
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:3216

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
"C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3656

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
- Executes dropped EXE
PID:1588

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
- Executes dropped EXE
PID:2988

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
- Executes dropped EXE
PID:1896

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
- Executes dropped EXE
PID:1684

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
- Executes dropped EXE
PID:5196

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
- Executes dropped EXE
PID:5492

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
- Executes dropped EXE
PID:3128

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:3104

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:6080

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:5872

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:1432

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:5176

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:4684

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:5740

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:6640

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:1172

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:1344

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:6192

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:4864

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:1064

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:824

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:4052

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:1180

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:6620

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:6240

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:4708

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:6268

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:940

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:5200

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:3160

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:4320

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:500

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:2660

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:6436

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:6184

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:5792

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:2316

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:5976

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:3240

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:5548

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:5604

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:7328

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:7592

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:7840

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:8096

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:7352

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:7552

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:3936

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:8036

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:7204

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:5372

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:4856

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:3496

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:2704

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:2612

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:7196

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:1936

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:3204

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:6320

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:4284

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:6536

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:4916

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:2948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2948 -s 28
4⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:4800

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:5392

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:1448

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:5760

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:1512

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:3296

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:3992

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:5192

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:8252

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:8568

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:8820

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:9060

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:4696

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:8156

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:9116

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:7224

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:5356

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:9088

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:3788

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:8224

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:9208

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:4992

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:6728

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:7968

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:9168

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:1100

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:5708

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:1756

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:7772

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:6528

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:8816

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:9056

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:7940

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:9272

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:9636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 9636 -s 28
4⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:10044

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:10008

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:9016

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:4048

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:9588

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:9596

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:10124

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:740

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:8216

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:2892

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:5184

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:8724

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:9356

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:7868

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:10368

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:10816

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:9096

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:10976

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:10488

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:11172

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:2244

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:9864

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:10572

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:8544

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:10848

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:9824

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:8248

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:11796

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:9348

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:12012

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:12072

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:8652

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:9960

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:11672

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:12616

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:13036

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:12736

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:6044

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:13320

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:13924

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:13440

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:13796

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:14232

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:15228

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:14884

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:8108

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:15592

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:16156

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:15968

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:16376

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:10112

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:11628

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:16124

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:16916

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:12164

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:8200

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:17376

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:2752

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:14496

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:7120

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:11024

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:17276

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:11772

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:17900

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:13104

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:10196

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:8892

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:17908

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:9280

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:19052

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:12244

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:17536

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:14376

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:15648

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:2312

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:20232

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:19884

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:20000

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:20836

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:21408

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:20892

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:21132

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:18308

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:21928

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:21912

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:10924

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:10944

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:22896

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:5552

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:23528

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:18044

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:19504

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:18884

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:22532

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:20584

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:15728

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:24016

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:21860

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:24008

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:20260

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:11728

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:16144

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:20092

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:24684

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:13648

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:25060

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:10532

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:22480

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:26384

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:24140

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:11916

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:10332

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:25364

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:16432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 16432 -s 28
4⤵
- Program crash
PID:21224

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:24252

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:24204

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:25220

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:27452

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:20572

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:9728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 9728 -s 28
4⤵
- Program crash
PID:25324

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:28016

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:26696

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:27748

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:22164

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:27852

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:14616

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:25208

C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe
3⤵
PID:12756

C:\Users\Admin\Documents\BayqOTB6ywe6b73BM4RPBL5Y.exe
"C:\Users\Admin\Documents\BayqOTB6ywe6b73BM4RPBL5Y.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3272

C:\Users\Admin\Documents\BayqOTB6ywe6b73BM4RPBL5Y.exe
"C:\Users\Admin\Documents\BayqOTB6ywe6b73BM4RPBL5Y.exe"
3⤵
PID:5784

C:\Users\Admin\Documents\FQ_l6Tp2UYASTgLE2eX2iH7S.exe
"C:\Users\Admin\Documents\FQ_l6Tp2UYASTgLE2eX2iH7S.exe"
2⤵
- Executes dropped EXE
PID:3148

C:\Users\Admin\Documents\UT1N41DU5oKDEHbmOiU_xsB0.exe
"C:\Users\Admin\Documents\UT1N41DU5oKDEHbmOiU_xsB0.exe"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:592

C:\Program Files (x86)\Company\NewProduct\inst1.exe
"C:\Program Files (x86)\Company\NewProduct\inst1.exe"
3⤵
- Executes dropped EXE
PID:4684

C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
"C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"
3⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Program Files directory
PID:2244

C:\Program Files (x86)\Company\NewProduct\cutm3.exe
"C:\Program Files (x86)\Company\NewProduct\cutm3.exe"
3⤵
- Executes dropped EXE
PID:2896

C:\Users\Admin\Documents\Jilih0KhxJuA19M9pWYJCMYV.exe
"C:\Users\Admin\Documents\Jilih0KhxJuA19M9pWYJCMYV.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2004

C:\Users\Admin\AppData\Roaming\4420888.exe
"C:\Users\Admin\AppData\Roaming\4420888.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1232

C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
"C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
4⤵
- Executes dropped EXE
PID:5696

C:\Users\Admin\AppData\Roaming\4499510.exe
"C:\Users\Admin\AppData\Roaming\4499510.exe"
3⤵
PID:1208

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1208 -s 2124
4⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:5248

C:\Users\Admin\AppData\Roaming\1551075.exe
"C:\Users\Admin\AppData\Roaming\1551075.exe"
3⤵
- Executes dropped EXE
PID:3616

C:\Users\Admin\AppData\Roaming\2554063.exe
"C:\Users\Admin\AppData\Roaming\2554063.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3092

C:\Users\Admin\AppData\Roaming\8102960.exe
"C:\Users\Admin\AppData\Roaming\8102960.exe"
3⤵
PID:1444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1444 -s 2452
4⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:6272

C:\Users\Admin\Documents\luaS8H_XAvsVqPzQJEMuKMqZ.exe
"C:\Users\Admin\Documents\luaS8H_XAvsVqPzQJEMuKMqZ.exe"
2⤵
- Executes dropped EXE
PID:1748

C:\Users\Admin\Documents\luaS8H_XAvsVqPzQJEMuKMqZ.exe
"C:\Users\Admin\Documents\luaS8H_XAvsVqPzQJEMuKMqZ.exe" -u
3⤵
- Executes dropped EXE
PID:2116

C:\Users\Admin\Documents\lOtBRW8MYEPvU0x8FwVebuUJ.exe
"C:\Users\Admin\Documents\lOtBRW8MYEPvU0x8FwVebuUJ.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1640

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VbsCrIPt: cLOSe( CREAteobjecT ("wScRiPT.ShElL" ).RUN ( "C:\Windows\system32\cmd.exe /C tYpe ""C:\Users\Admin\Documents\lOtBRW8MYEPvU0x8FwVebuUJ.exe"" > IQ0V_Fe_.eXE && StaRt IQ0v_FE_.ExE -poRsuYEMryiLi & if """"== """" for %m in ( ""C:\Users\Admin\Documents\lOtBRW8MYEPvU0x8FwVebuUJ.exe"" ) do taskkill /iM ""%~NXm"" -F" ,0 , TRUE ))
3⤵
PID:2696

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C tYpe "C:\Users\Admin\Documents\lOtBRW8MYEPvU0x8FwVebuUJ.exe" > IQ0V_Fe_.eXE && StaRt IQ0v_FE_.ExE -poRsuYEMryiLi& if ""== "" for %m in ("C:\Users\Admin\Documents\lOtBRW8MYEPvU0x8FwVebuUJ.exe" ) do taskkill /iM "%~NXm" -F
4⤵
PID:4288

C:\Users\Admin\AppData\Local\Temp\IQ0V_Fe_.eXE
IQ0v_FE_.ExE -poRsuYEMryiLi
5⤵
- Executes dropped EXE
PID:1560

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VbsCrIPt: cLOSe( CREAteobjecT ("wScRiPT.ShElL" ).RUN ( "C:\Windows\system32\cmd.exe /C tYpe ""C:\Users\Admin\AppData\Local\Temp\IQ0V_Fe_.eXE"" > IQ0V_Fe_.eXE && StaRt IQ0v_FE_.ExE -poRsuYEMryiLi & if ""-poRsuYEMryiLi""== """" for %m in ( ""C:\Users\Admin\AppData\Local\Temp\IQ0V_Fe_.eXE"" ) do taskkill /iM ""%~NXm"" -F" ,0 , TRUE ))
6⤵
PID:3608

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C tYpe "C:\Users\Admin\AppData\Local\Temp\IQ0V_Fe_.eXE" > IQ0V_Fe_.eXE && StaRt IQ0v_FE_.ExE -poRsuYEMryiLi& if "-poRsuYEMryiLi"== "" for %m in ("C:\Users\Admin\AppData\Local\Temp\IQ0V_Fe_.eXE" ) do taskkill /iM "%~NXm" -F
7⤵
PID:5152

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" VHTDDahA.G,XBvVyh
6⤵
- Loads dropped DLL
PID:5140

C:\Windows\SysWOW64\taskkill.exe
taskkill /iM "lOtBRW8MYEPvU0x8FwVebuUJ.exe" -F
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4856

C:\Users\Admin\Documents\n3izj8NedK8WGX_Eah9ESj3X.exe
"C:\Users\Admin\Documents\n3izj8NedK8WGX_Eah9ESj3X.exe"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1676

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
3⤵
- Creates scheduled task(s)
PID:5020

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
3⤵
- Creates scheduled task(s)
PID:1520

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
"C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1556

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
- Executes dropped EXE
PID:2176

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
- Executes dropped EXE
PID:4536

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
- Executes dropped EXE
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2464

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
- Executes dropped EXE
PID:2072

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
- Executes dropped EXE
PID:5684

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:812

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
- Executes dropped EXE
PID:5912

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:5568

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:256

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:6040

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:1512

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:1852

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:868

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:1224

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:3020

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:6324

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:6732

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:3364

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:6816

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:1612

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:6940

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:6608

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:6088

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:5652

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:7164

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:5296

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:2240

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:592

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:2552

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:7088

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:6308

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:7120

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:3860

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:4160

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:5284

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:6624

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:5688

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:1944

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:1296

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:3120

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:5260

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:5460

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:6444

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:7388

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:7636

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:7904

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:8144

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:4164

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:7568

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:7792

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:8072

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:5224

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:5528

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:7924

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:6568

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:7040

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:1152

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:7412

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:7808

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:5404

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:6904

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:484

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:1176

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:5500

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:2096

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:6304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6304 -s 28
4⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:7836

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:2808

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:4768

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:6012

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:3096

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:5896

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:3096

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:8312

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:8628

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:8876

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:9120

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:8476

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:6672

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:9200

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:7280

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:5164

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:9188

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:8556

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:3108

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:5336

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:7752

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:9032

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:8040

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:8296

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:7180

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:6264

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:6452

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:7820

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:3616

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:1120

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:8588

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:8504

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:9360

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:9696

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:10084

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:6356

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:5684

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:4856

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:9536

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:2216

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:9656

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:3636

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:9620

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:2228

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:5160

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:7756

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:7956

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:10560

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:11008

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:10408

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:11060

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:3644

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:2236

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:9616

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:9828

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:10168

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:10352

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:10972

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:8872

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:11420

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:12016

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:10472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 10472 -s 28
4⤵
- Program crash
PID:11856

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:12272

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:12268

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:10552

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:460

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:8080

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:12600

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:12952

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:9324

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:9096

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:11060

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:13704

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:14288

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:13540

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:11104

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:14952

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:14968

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:9144

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:15548

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:16176

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:15092

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:9540

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:13044

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:10640

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:9596

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:16884

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:2552

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:8976

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:12060

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:664

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:12508

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:4076

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:8212

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:11256

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:14632

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:17680

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:18316

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:17928

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:13088

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:18276

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:14400

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:14548

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:18708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 18708 -s 28
4⤵
- Program crash
PID:19184

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:19408

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:19212

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:15208

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:3220

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:19732

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:18744

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:19032

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:20636

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:20568

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:20300

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:19816

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:19276

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:22324

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:3712

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:10444

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:19012

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:23288

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:22460

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:19856

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:23448

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:23376

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:12928

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:20100

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:17864

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:13240

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:23656

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:24448

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:11576

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:17932

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:19760

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:23672

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:25328

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:24700

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:11520

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:21860

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:25768

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:22204

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:26568

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:22552

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:21920

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:21136

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:13636

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:24796

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:25620

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:26816

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:27596

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:27264

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:27172

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:28336

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:12568

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:28632

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:26160

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:25872

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:25604

C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe
3⤵
PID:22084

C:\Users\Admin\Documents\wAxV2xGR2jmHwwcdHzSTc4s0.exe
"C:\Users\Admin\Documents\wAxV2xGR2jmHwwcdHzSTc4s0.exe"
2⤵
- Executes dropped EXE
PID:3132

C:\Users\Admin\AppData\Local\Temp\is-BJD87.tmp\wAxV2xGR2jmHwwcdHzSTc4s0.tmp
"C:\Users\Admin\AppData\Local\Temp\is-BJD87.tmp\wAxV2xGR2jmHwwcdHzSTc4s0.tmp" /SL5="$20230,138429,56832,C:\Users\Admin\Documents\wAxV2xGR2jmHwwcdHzSTc4s0.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
PID:3856

C:\Users\Admin\AppData\Local\Temp\is-T3GLA.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-T3GLA.tmp\Setup.exe" /Verysilent
4⤵
PID:3216

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5340

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
- Executes dropped EXE
PID:5348

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:4572

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:5636

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:2280

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:5748

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:2008

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:4024

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:5820

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:6392

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:7004

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:1820

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:7044

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1208

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:6228

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:6860

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1444

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:2880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2880 -s 28
7⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:5524

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:4092

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:3968

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5956

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:6668

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:6024

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:3904

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:5468

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:1808

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:7144

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5584

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:4932

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:3416

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:924

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:6784

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:6372

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:4640

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:2532

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:5752

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:7260

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:7520

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:7764

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:8008

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:1204

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:7464

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:1804

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:7960

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:5592

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:5816

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:3424

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:6780

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:5864

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:2320

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:4880

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:2432

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:4680

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:4636

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:7784

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:7400

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:2056

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:1712

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:7656

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:1176

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:8108

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:2112

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:5316

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:4632

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:6424

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:7548

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:8508

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:8740

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:8980

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:5564

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:8656

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:9008

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:8376

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:8792

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:8932

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:8520

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:8844

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:7928

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:7416

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:7668

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:1560

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:7928

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:956

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:5148

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:6448

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:4104

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:6716

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:6256

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:4244

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:7188

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:9248

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:9480

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:9896

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:8080

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:9796

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:8964

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:10180

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:9944

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:8692

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:7804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7804 -s 28
7⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:7888

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:10132

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:9344

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:5744

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:9352

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:8472

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:9748

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:10700

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:11108

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:6384

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:7036

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:8676

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:5476

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:7460

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:3228

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:6400

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:10500

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:7712

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:10440

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:11544

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:12080

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:8736

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:5316

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:12236

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:7288

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:11312

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:12308

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:12796

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:1932

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:10192

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:6824

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:13588

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:13152

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:13868

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:14824

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:14052

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:4244

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:15416

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:15988

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:3628

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:16124

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:12364

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:14128

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:10716

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:16820

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:17228

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:16584

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:17060

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:9268

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:5016

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:12216

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:10400

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:12968

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:17860

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:18416

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:14996

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:18376

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:14868

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:9368

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:18384

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:18524

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:19344

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:7744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7744 -s 28
7⤵
- Program crash
PID:15660

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:16368

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:11876

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:19164

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:20408

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:9160

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:19692

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:21436

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:14512

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:17180

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:17216

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:12648

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:22496

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:22152

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:20192

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:22644

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:23368

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:22604

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:12464

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:18456

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:1292

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:23236

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:15692

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:17468

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:13396

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:23924

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:17616

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:24084

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:11592

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:14900

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:20260

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:25288

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:17648

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:16468

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:25348

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:25968

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:25888

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:22216

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:26588

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:24168

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:21036

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:11924

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:26352

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:25276

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:12496

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:27292

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:26612

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:21256

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:26108

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:28476

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:27932

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:28092

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:28324

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:20228

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:27212

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:20764

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:9676

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:23484

C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
6⤵
PID:20876

C:\Program Files (x86)\SmartPDF\SmartPDF\9840432e051a6fa1192594db02b80a4c1fd73456.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\9840432e051a6fa1192594db02b80a4c1fd73456.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5424

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Program Files (x86)\SmartPDF\SmartPDF\9840432e051a6fa1192594db02b80a4c1fd73456.exe"
6⤵
PID:1176

C:\Windows\SysWOW64\timeout.exe
timeout /T 10 /NOBREAK
7⤵
- Delays execution with timeout.exe
PID:1552

C:\Program Files (x86)\SmartPDF\SmartPDF\stat.exe
"C:\Program Files (x86)\SmartPDF\SmartPDF\stat.exe" /Verysilent
5⤵
PID:5584

C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv DX0yuIITjkWVYWQJLns2uA.0.2
1⤵
PID:3984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4844 -ip 4844
1⤵
PID:3268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4004 -ip 4004
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:4680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2344 -ip 2344
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:3292

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
1⤵
- Modifies data under HKEY_USERS
PID:3204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 5108 -ip 5108
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:1524

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:3508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 4840 -ip 4840
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:1480

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:5824

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
2⤵
- Loads dropped DLL
PID:5876

C:\Users\Admin\AppData\Local\Temp\is-7AJB9.tmp\stat.tmp
"C:\Users\Admin\AppData\Local\Temp\is-7AJB9.tmp\stat.tmp" /SL5="$2027C,138429,56832,C:\Program Files (x86)\SmartPDF\SmartPDF\stat.exe" /Verysilent
1⤵
PID:5956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 5876 -ip 5876
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:3376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5876 -s 452
1⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:3888

C:\Users\Admin\AppData\Local\Temp\AB83.exe
C:\Users\Admin\AppData\Local\Temp\AB83.exe
1⤵
PID:5584

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 632 -p 1208 -ip 1208
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:5960

C:\Users\Admin\AppData\Local\Temp\B008.exe
C:\Users\Admin\AppData\Local\Temp\B008.exe
1⤵
PID:2276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2276 -s 240
2⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:6980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 380 -p 1444 -ip 1444
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:4896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 2276 -ip 2276
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:6720

C:\Users\Admin\AppData\Local\Temp\1962.exe
C:\Users\Admin\AppData\Local\Temp\1962.exe
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:1276

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2880 -s 872
2⤵
- Checks BIOS information in registry
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:4036

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:1188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 2880 -ip 2880
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:2364

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:7068

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:4352

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:6376

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:5228

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4720

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:6816

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:5716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 5264 -ip 5264
1⤵
PID:6620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 2880 -ip 2880
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:6804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 2948 -ip 2948
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:4620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 6304 -ip 6304
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:5372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 7744 -ip 7744
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:4904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 6384 -ip 6384
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:6812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 9636 -ip 9636
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:10016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 7804 -ip 7804
1⤵
PID:10112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 11128 -ip 11128
1⤵
PID:7292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 10472 -ip 10472
1⤵
PID:12232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 9572 -ip 9572
1⤵
PID:3012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 732 -p 4676 -ip 4676
1⤵
PID:12440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 712 -p 18708 -ip 18708
1⤵
PID:18392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 18864 -ip 18864
1⤵
PID:18672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 7744 -ip 7744
1⤵
PID:13676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 19124 -ip 19124
1⤵
PID:17400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 19752 -ip 19752
1⤵
PID:19516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 704 -p 23368 -ip 23368
1⤵
PID:22688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 740 -p 15660 -ip 15660
1⤵
PID:24328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 23792 -ip 23792
1⤵
PID:7796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 25268 -ip 25268
1⤵
PID:23720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 704 -p 25584 -ip 25584
1⤵
PID:19588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 708 -p 16432 -ip 16432
1⤵
PID:15280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 740 -p 9728 -ip 9728
1⤵
PID:28216

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Company\NewProduct\cutm3.exe

MD5
7714deedb24c3dcfa81dc660dd383492

SHA1
56fae3ab1186009430e175c73b914c77ed714cc0

SHA256
435badbad2fc138245a4771a74ebb9075658e294d1bcfcf191ccea466eea825c

SHA512
2cf05ac9470ab4e6d487ec9e4d7ab36fb2c8ce1405dba01b58934778829c7c4db703818087e0c5fbffe6cf821dfa190427e1205530409359ace2ad416e781c58

Download Submit
C:\Program Files (x86)\Company\NewProduct\cutm3.exe

MD5
7714deedb24c3dcfa81dc660dd383492

SHA1
56fae3ab1186009430e175c73b914c77ed714cc0

SHA256
435badbad2fc138245a4771a74ebb9075658e294d1bcfcf191ccea466eea825c

SHA512
2cf05ac9470ab4e6d487ec9e4d7ab36fb2c8ce1405dba01b58934778829c7c4db703818087e0c5fbffe6cf821dfa190427e1205530409359ace2ad416e781c58

Download Submit
C:\Program Files (x86)\Company\NewProduct\inst1.exe

MD5
c06d807e7287add5d460530e3d87648c

SHA1
d288550f1e35ba9406886906920f1afe7c965f71

SHA256
d5855e6292d04c6ab247c1b550168cde3d4a73831ed792cf15c1d0c650137e3d

SHA512
592b4cafe1d1060f8f05f54832e9c0f4baeb29c91dc9912f2f6f63819d96b766ae888c1483c5fc6b6c14093f8fd85ff03b4b76cc2910472740339a0305a5a20b

Download Submit
C:\Program Files (x86)\Company\NewProduct\inst1.exe

MD5
c06d807e7287add5d460530e3d87648c

SHA1
d288550f1e35ba9406886906920f1afe7c965f71

SHA256
d5855e6292d04c6ab247c1b550168cde3d4a73831ed792cf15c1d0c650137e3d

SHA512
592b4cafe1d1060f8f05f54832e9c0f4baeb29c91dc9912f2f6f63819d96b766ae888c1483c5fc6b6c14093f8fd85ff03b4b76cc2910472740339a0305a5a20b

Download Submit
C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe

MD5
68737ab1a037878a37f0b3e114edaaf8

SHA1
0ba735d99c77cb69937f8fcf89c6a9e3bc495512

SHA256
7bf16a22ac10e1dc50dc302c7d1c196dff361ee5c8e830ddb0cec90b548b483a

SHA512
f30fa001c604fe4aee324fc4af5b784feae262a62983bd2364721f83ad2522b714c0286b97569b927da5741339d8a0633cbd6abcae3e45f943d5f4ae9168b271

Download Submit
C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe

MD5
68737ab1a037878a37f0b3e114edaaf8

SHA1
0ba735d99c77cb69937f8fcf89c6a9e3bc495512

SHA256
7bf16a22ac10e1dc50dc302c7d1c196dff361ee5c8e830ddb0cec90b548b483a

SHA512
f30fa001c604fe4aee324fc4af5b784feae262a62983bd2364721f83ad2522b714c0286b97569b927da5741339d8a0633cbd6abcae3e45f943d5f4ae9168b271

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27

MD5
232e517db7356fc6c1b3a1e81cfb14f0

SHA1
bc96caa40bec1a95c2ccb1ce412898d26c2b6510

SHA256
ea67e14a00646a43febfe5e838dc16e5f15e2b0d04e6ebfbe2f63c367d2c431d

SHA512
37b60c3038f297d738ca5d5b0ad7728d8dc487a7e82306be479619e7979553f9b6933aaaa808f6f7e241135984a36169b770b88c5f9b48e1086ed84466f7b698

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27

MD5
666a98251df27c39ead9009a736cfeca

SHA1
abbb1d6b9a0682f05b1b2c07a30635f92a63dc0f

SHA256
3d1085903090ef73213a68e54669601a1d1e7dbf8d5b7c635cac5640128f6f6d

SHA512
34d3c66491eab99232172da2791d234406eb4fd8a63c2e02324de32693d2bfc9541e9864a45fa2803d3cf21106f227c3e29e142b752e2f112add53d22359952c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-BJD87.tmp\wAxV2xGR2jmHwwcdHzSTc4s0.tmp

MD5
ffcf263a020aa7794015af0edee5df0b

SHA1
bce1eb5f0efb2c83f416b1782ea07c776666fdab

SHA256
1d07cfb7104b85fc0dffd761f6848ad176117e146bbb4079fe993efa06b94c64

SHA512
49f2b062adfb99c0c7f1012c56f0b52a8850d9f030cc32073b90025b372e4eb373f06a351e9b33264967427b8174c060c8a6110979f0eaf0872f7da6d5e4308a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-T3GLA.tmp\itdownload.dll

MD5
d82a429efd885ca0f324dd92afb6b7b8

SHA1
86bbdaa15e6fc5c7779ac69c84e53c43c9eb20ea

SHA256
b258c4d7d2113dee2168ed7e35568c8e03341e24e3eafc7a22a0d62e32122ef3

SHA512
5bf0c3b8fa5db63205a263c4fa5337188173248bef609ba4d03508c50db1fd1e336f3041ce96d78cc97659357a83e6e422f5b079d893a20a683270e05f5438df

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-T3GLA.tmp\itdownload.dll

MD5
d82a429efd885ca0f324dd92afb6b7b8

SHA1
86bbdaa15e6fc5c7779ac69c84e53c43c9eb20ea

SHA256
b258c4d7d2113dee2168ed7e35568c8e03341e24e3eafc7a22a0d62e32122ef3

SHA512
5bf0c3b8fa5db63205a263c4fa5337188173248bef609ba4d03508c50db1fd1e336f3041ce96d78cc97659357a83e6e422f5b079d893a20a683270e05f5438df

Download Submit
C:\Users\Admin\AppData\Roaming\4499510.exe

MD5
a3214c939ad2515b0cd3aad5c402ce13

SHA1
d4efa31dd92e062da68c7caa2b9824a4f20e7d14

SHA256
3e61b2ab69460d4af4c3ef0e7595fe495bdca69f977a73c6d62155ce40effeac

SHA512
2aeaab7173214335f827ff29115b2946ea73f246e9deb96122e613b64aa7ef4963ed788da41041c32595912a31904a6b9dd0902f41b83e0233217a8f4159bc9e

Download Submit
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe

MD5
ddfa7f5c4e009e6a1052568b292b7d1c

SHA1
22d85895a300a3ac777049c28c521fc38956e89a

SHA256
4d463ef06d78819067503412ef6f554eb2a5e968e332530ede9d093e5a21866b

SHA512
8dd3e113aeac58f03b4f1819dde9b7e318ba04986202387f65b8dc0c212c0207c68c0bf38adc1724618bf99a14bf43a1d26862f26416caafdfafc0128078d256

Download Submit
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe

MD5
ddfa7f5c4e009e6a1052568b292b7d1c

SHA1
22d85895a300a3ac777049c28c521fc38956e89a

SHA256
4d463ef06d78819067503412ef6f554eb2a5e968e332530ede9d093e5a21866b

SHA512
8dd3e113aeac58f03b4f1819dde9b7e318ba04986202387f65b8dc0c212c0207c68c0bf38adc1724618bf99a14bf43a1d26862f26416caafdfafc0128078d256

Download Submit
C:\Users\Admin\Documents\6QRqKELhpPYzrDZ846GoNiKK.exe

MD5
ddfa7f5c4e009e6a1052568b292b7d1c

SHA1
22d85895a300a3ac777049c28c521fc38956e89a

SHA256
4d463ef06d78819067503412ef6f554eb2a5e968e332530ede9d093e5a21866b

SHA512
8dd3e113aeac58f03b4f1819dde9b7e318ba04986202387f65b8dc0c212c0207c68c0bf38adc1724618bf99a14bf43a1d26862f26416caafdfafc0128078d256

Download Submit
C:\Users\Admin\Documents\7NxLi8tgEzKv0b84vQsXm7H3.exe

MD5
55a89d7ce29b56b444bfcfc37bde858b

SHA1
af5214f851e6bfff5a6668effa6c3e701a2fe5cc

SHA256
8bfaac9fc15695c837ad2c68e4767ec465134a11b5e79a4d3e63ad66c5ede690

SHA512
0234f0f1226f1b31a6d0651d7f0972db4c4831191c1df5fca7c5a6f37474de08df53bcaddfc7dea718719fee03b7d6ba7c8abe3178d5ec5c2c4046b657d9d5e3

Download Submit
C:\Users\Admin\Documents\7NxLi8tgEzKv0b84vQsXm7H3.exe

MD5
55a89d7ce29b56b444bfcfc37bde858b

SHA1
af5214f851e6bfff5a6668effa6c3e701a2fe5cc

SHA256
8bfaac9fc15695c837ad2c68e4767ec465134a11b5e79a4d3e63ad66c5ede690

SHA512
0234f0f1226f1b31a6d0651d7f0972db4c4831191c1df5fca7c5a6f37474de08df53bcaddfc7dea718719fee03b7d6ba7c8abe3178d5ec5c2c4046b657d9d5e3

Download Submit
C:\Users\Admin\Documents\BayqOTB6ywe6b73BM4RPBL5Y.exe

MD5
d150c070e3e6d3b966fcbaaa912dcd1b

SHA1
d642453ea9e6c59fbc53f874a36ff508238bbc7f

SHA256
3ca3ef048fd26e03a002f3fc9d80ecf27621dd27643857cfdac7c60c26d36a27

SHA512
67160efe9a0d79ac09dc7e36364edbda03401b0532c6e9b0db84866c63ca8ff30ea074554c60c167effec434aeb1596aebf2ff1b90181a54820f186731a42ee0

Download Submit
C:\Users\Admin\Documents\BayqOTB6ywe6b73BM4RPBL5Y.exe

MD5
d150c070e3e6d3b966fcbaaa912dcd1b

SHA1
d642453ea9e6c59fbc53f874a36ff508238bbc7f

SHA256
3ca3ef048fd26e03a002f3fc9d80ecf27621dd27643857cfdac7c60c26d36a27

SHA512
67160efe9a0d79ac09dc7e36364edbda03401b0532c6e9b0db84866c63ca8ff30ea074554c60c167effec434aeb1596aebf2ff1b90181a54820f186731a42ee0

Download Submit
C:\Users\Admin\Documents\FQ_l6Tp2UYASTgLE2eX2iH7S.exe

MD5
07e143efd03815a3b8c8b90e7e5776f0

SHA1
077314efef70cef8f43eeba7f1b8ba0e5e5dedc9

SHA256
32967e652530e7ac72841886cb07badcced11e1e725e2e85e1ee8046c4fe2149

SHA512
79ed77bbcac3f84d846b4b02e1a50a197d857d4b1d6abd84a45393bb3c262768ab6f3952733a1ae6010978ab598842d9b7ac4be5a5b23c374a3d4796c87a38d6

Download Submit
C:\Users\Admin\Documents\FQ_l6Tp2UYASTgLE2eX2iH7S.exe

MD5
07e143efd03815a3b8c8b90e7e5776f0

SHA1
077314efef70cef8f43eeba7f1b8ba0e5e5dedc9

SHA256
32967e652530e7ac72841886cb07badcced11e1e725e2e85e1ee8046c4fe2149

SHA512
79ed77bbcac3f84d846b4b02e1a50a197d857d4b1d6abd84a45393bb3c262768ab6f3952733a1ae6010978ab598842d9b7ac4be5a5b23c374a3d4796c87a38d6

Download Submit
C:\Users\Admin\Documents\Gky928l7EtoX3oEqejBa7mxO.exe

MD5
3d02508473fd13b069fce5dd54a2ff75

SHA1
a6ccb270b3356d58c6358905ab3a01dd1b9c9566

SHA256
0ea9a18d16f9be86d0f0b8b1da9250584cd4cf0aa83ba0ef57771010d3f80f27

SHA512
63f9a8ed6ba4af5e3833e3b0c9ffacbaf69ba291fd5f5df953921284e322a0a80f27cb524835fb2643d2b20b11873e540657772e696ce7b7c9d19928f8ac76bf

Download Submit
C:\Users\Admin\Documents\Gky928l7EtoX3oEqejBa7mxO.exe

MD5
3d02508473fd13b069fce5dd54a2ff75

SHA1
a6ccb270b3356d58c6358905ab3a01dd1b9c9566

SHA256
0ea9a18d16f9be86d0f0b8b1da9250584cd4cf0aa83ba0ef57771010d3f80f27

SHA512
63f9a8ed6ba4af5e3833e3b0c9ffacbaf69ba291fd5f5df953921284e322a0a80f27cb524835fb2643d2b20b11873e540657772e696ce7b7c9d19928f8ac76bf

Download Submit
C:\Users\Admin\Documents\Jilih0KhxJuA19M9pWYJCMYV.exe

MD5
8e2c6bd0f789c514be09799fa453f9bb

SHA1
5a20567e554a56bcc1c8820502764a7a97daaf28

SHA256
67459286369a30ff17fb2df1f92a552979dc8ca3b8720e6c15c380a0d004dbbc

SHA512
aac8b38a3a4e8eb478c7af1bd2ac4eb9865443399bd9a4260ef9a85602a5d1ef5d40d0c18118ca45a47302185fa226435db2721acfe4bc0de773e9dd550dc1d0

Download Submit
C:\Users\Admin\Documents\Jilih0KhxJuA19M9pWYJCMYV.exe

MD5
8e2c6bd0f789c514be09799fa453f9bb

SHA1
5a20567e554a56bcc1c8820502764a7a97daaf28

SHA256
67459286369a30ff17fb2df1f92a552979dc8ca3b8720e6c15c380a0d004dbbc

SHA512
aac8b38a3a4e8eb478c7af1bd2ac4eb9865443399bd9a4260ef9a85602a5d1ef5d40d0c18118ca45a47302185fa226435db2721acfe4bc0de773e9dd550dc1d0

Download Submit
C:\Users\Admin\Documents\MU9BB84AEpJadrg6XVwAfGSD.exe

MD5
af060eec817d7b05b24b5c40e0096d7f

SHA1
1dcab28b66c07eadd170f68d549899de8cbaadc7

SHA256
110db064661be0a65fadf0c1ffcfba644b218894f8df85c57e36ff65d86632f2

SHA512
76048b80c31b7e31d20eaff38717672e3d98fc1b7c98116948558c870a1198941a0dbea2c09811fa2867173a760d7a2ba36f74a6076293550cf8a3d6116e6975

Download Submit
C:\Users\Admin\Documents\MU9BB84AEpJadrg6XVwAfGSD.exe

MD5
af060eec817d7b05b24b5c40e0096d7f

SHA1
1dcab28b66c07eadd170f68d549899de8cbaadc7

SHA256
110db064661be0a65fadf0c1ffcfba644b218894f8df85c57e36ff65d86632f2

SHA512
76048b80c31b7e31d20eaff38717672e3d98fc1b7c98116948558c870a1198941a0dbea2c09811fa2867173a760d7a2ba36f74a6076293550cf8a3d6116e6975

Download Submit
C:\Users\Admin\Documents\UT1N41DU5oKDEHbmOiU_xsB0.exe

MD5
308da60a9996a07824a1a1ce3a994d05

SHA1
24828b0bbbe4b975e2d73cfbcd6633113145b2f9

SHA256
1a1bf81f4a5d156c4c4ad16bd5f8ea3b2ea8c759b3e1fcbb47945f5c9039ff94

SHA512
84a3da30d8ae3891e1b9f0c24de612922512f39c94a743fea2a287a2299df6ceaaedb42b70ec18b1481e2b3c97a9021c83c7722d2521b47c19005ce4523b3afe

Download Submit
C:\Users\Admin\Documents\UT1N41DU5oKDEHbmOiU_xsB0.exe

MD5
308da60a9996a07824a1a1ce3a994d05

SHA1
24828b0bbbe4b975e2d73cfbcd6633113145b2f9

SHA256
1a1bf81f4a5d156c4c4ad16bd5f8ea3b2ea8c759b3e1fcbb47945f5c9039ff94

SHA512
84a3da30d8ae3891e1b9f0c24de612922512f39c94a743fea2a287a2299df6ceaaedb42b70ec18b1481e2b3c97a9021c83c7722d2521b47c19005ce4523b3afe

Download Submit
C:\Users\Admin\Documents\VxcrRjNIAk97NI6_Vck1Prp5.exe

MD5
ace480a7645ee4f05d2408a4680e8322

SHA1
4f08d5900e5ed0684cefa323ed2db7a64991122e

SHA256
ebd58b53668c25b60e1c450efdd6f636aa2076aff33bd409fca80fd9daea6233

SHA512
ca53e6c0b94f468aa7cfcf75b687564660c1a407aa6a5156d7fe8768a643a65faab5588266b52b300d930ecea4a8cb4a940a1b3f5a320ba9e6b203c9a2a3690a

Download Submit
C:\Users\Admin\Documents\VxcrRjNIAk97NI6_Vck1Prp5.exe

MD5
ace480a7645ee4f05d2408a4680e8322

SHA1
4f08d5900e5ed0684cefa323ed2db7a64991122e

SHA256
ebd58b53668c25b60e1c450efdd6f636aa2076aff33bd409fca80fd9daea6233

SHA512
ca53e6c0b94f468aa7cfcf75b687564660c1a407aa6a5156d7fe8768a643a65faab5588266b52b300d930ecea4a8cb4a940a1b3f5a320ba9e6b203c9a2a3690a

Download Submit
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe

MD5
e20eadf0f3063e0a73ca8569cd7c3c1b

SHA1
995b8fecebb1ff10f9f6571c73d1ea49d5722477

SHA256
81f327dfcb337af8d576630d797059c5501a84cecb3612b69a2085cb2a74b494

SHA512
d226b5f133ecff0eb41a21c6a8feeeae5da1931f4326f5fb893f11eb3faff1fc460d188149f968fcf4437abf3b0fe8c49b01d463f8e8d0e54e9ae149027786ef

Download Submit
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe

MD5
e20eadf0f3063e0a73ca8569cd7c3c1b

SHA1
995b8fecebb1ff10f9f6571c73d1ea49d5722477

SHA256
81f327dfcb337af8d576630d797059c5501a84cecb3612b69a2085cb2a74b494

SHA512
d226b5f133ecff0eb41a21c6a8feeeae5da1931f4326f5fb893f11eb3faff1fc460d188149f968fcf4437abf3b0fe8c49b01d463f8e8d0e54e9ae149027786ef

Download Submit
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe

MD5
e20eadf0f3063e0a73ca8569cd7c3c1b

SHA1
995b8fecebb1ff10f9f6571c73d1ea49d5722477

SHA256
81f327dfcb337af8d576630d797059c5501a84cecb3612b69a2085cb2a74b494

SHA512
d226b5f133ecff0eb41a21c6a8feeeae5da1931f4326f5fb893f11eb3faff1fc460d188149f968fcf4437abf3b0fe8c49b01d463f8e8d0e54e9ae149027786ef

Download Submit
C:\Users\Admin\Documents\WGfzVN85f0IsKR_XWeRTWh1n.exe

MD5
e20eadf0f3063e0a73ca8569cd7c3c1b

SHA1
995b8fecebb1ff10f9f6571c73d1ea49d5722477

SHA256
81f327dfcb337af8d576630d797059c5501a84cecb3612b69a2085cb2a74b494

SHA512
d226b5f133ecff0eb41a21c6a8feeeae5da1931f4326f5fb893f11eb3faff1fc460d188149f968fcf4437abf3b0fe8c49b01d463f8e8d0e54e9ae149027786ef

Download Submit
C:\Users\Admin\Documents\WtfVs8FzWdTpKzexQbdzL4Pr.exe

MD5
b5ea06201dbc55b34d086ebbec5043ae

SHA1
34009829c57800e2b11d3170830c86ad669b48dd

SHA256
c885c5405043ca5b807ab417680513333b5e5dedc9d59b70b19f6b6c60eef2dd

SHA512
200024c1e81b58cb3a03a87f4a61476346f054ad55be24bed8970a7c3d213372c7e74cf7d08030afb763d493d5d478f5550e0c9f5eb498223f00217aa1109367

Download Submit
C:\Users\Admin\Documents\WtfVs8FzWdTpKzexQbdzL4Pr.exe

MD5
b5ea06201dbc55b34d086ebbec5043ae

SHA1
34009829c57800e2b11d3170830c86ad669b48dd

SHA256
c885c5405043ca5b807ab417680513333b5e5dedc9d59b70b19f6b6c60eef2dd

SHA512
200024c1e81b58cb3a03a87f4a61476346f054ad55be24bed8970a7c3d213372c7e74cf7d08030afb763d493d5d478f5550e0c9f5eb498223f00217aa1109367

Download Submit
C:\Users\Admin\Documents\afTmfJHHm1an_D7frDg_SHE5.exe

MD5
669eb75220e71145a3260044f3075301

SHA1
82560cc408ab27c324216b092f19c134470aae98

SHA256
ab5d4827ce3c3cb1da79670b8bbd6afc9896dd77d9c933cefcb885079359bebb

SHA512
46164e8d9479e76b0773e158b918e0e5556ea992b2baf55137da73d1f272553aef0afd02bfb8c604469244c02416a62911d645480f211a324d1ab73748492c1e

Download Submit
C:\Users\Admin\Documents\afTmfJHHm1an_D7frDg_SHE5.exe

MD5
669eb75220e71145a3260044f3075301

SHA1
82560cc408ab27c324216b092f19c134470aae98

SHA256
ab5d4827ce3c3cb1da79670b8bbd6afc9896dd77d9c933cefcb885079359bebb

SHA512
46164e8d9479e76b0773e158b918e0e5556ea992b2baf55137da73d1f272553aef0afd02bfb8c604469244c02416a62911d645480f211a324d1ab73748492c1e

Download Submit
C:\Users\Admin\Documents\cqdK9mPCWVHPtjoHS91deMYV.exe

MD5
1acf0772dce8adfd83a4ea2ee922bb30

SHA1
b451e22a3cacd1261636a33f144ad3ec11c523c9

SHA256
cadc2b37d3ad955ed1c900d5951a63a08f065401c91f19209f3ce8ac54bb326b

SHA512
d2c3cc013cacd66ca0dd8e72c8b66b0f41ba2e0f92a62381b8ec28e89ca791334bd0f2b6eccde1532c2c3c7ddc367f3f7831fa9e95c3252d991283576558cddc

Download Submit
C:\Users\Admin\Documents\cqdK9mPCWVHPtjoHS91deMYV.exe

MD5
1acf0772dce8adfd83a4ea2ee922bb30

SHA1
b451e22a3cacd1261636a33f144ad3ec11c523c9

SHA256
cadc2b37d3ad955ed1c900d5951a63a08f065401c91f19209f3ce8ac54bb326b

SHA512
d2c3cc013cacd66ca0dd8e72c8b66b0f41ba2e0f92a62381b8ec28e89ca791334bd0f2b6eccde1532c2c3c7ddc367f3f7831fa9e95c3252d991283576558cddc

Download Submit
C:\Users\Admin\Documents\cqdK9mPCWVHPtjoHS91deMYV.exe

MD5
1acf0772dce8adfd83a4ea2ee922bb30

SHA1
b451e22a3cacd1261636a33f144ad3ec11c523c9

SHA256
cadc2b37d3ad955ed1c900d5951a63a08f065401c91f19209f3ce8ac54bb326b

SHA512
d2c3cc013cacd66ca0dd8e72c8b66b0f41ba2e0f92a62381b8ec28e89ca791334bd0f2b6eccde1532c2c3c7ddc367f3f7831fa9e95c3252d991283576558cddc

Download Submit
C:\Users\Admin\Documents\dkHdEuySOe03h7AqjzaT0Vy9.exe

MD5
067a8002b76c49e820a9421fa3029c86

SHA1
fbf589bf5e44768d9ed07f6b361472e3b54bcb58

SHA256
9fdf1b38392cacb2490a8093fc910e2af3817e92ab459304d721919a63cbfe64

SHA512
4986054c30b069cc145dde03244589eb06513211723ca11cd97204c748b43c07b6f16bab7b9203c3d53a20176879eb467debf90bde43a5a66d23587243fed03a

Download Submit
C:\Users\Admin\Documents\dkHdEuySOe03h7AqjzaT0Vy9.exe

MD5
067a8002b76c49e820a9421fa3029c86

SHA1
fbf589bf5e44768d9ed07f6b361472e3b54bcb58

SHA256
9fdf1b38392cacb2490a8093fc910e2af3817e92ab459304d721919a63cbfe64

SHA512
4986054c30b069cc145dde03244589eb06513211723ca11cd97204c748b43c07b6f16bab7b9203c3d53a20176879eb467debf90bde43a5a66d23587243fed03a

Download Submit
C:\Users\Admin\Documents\gzmoY803sa6AbaNcFGlQwfPi.exe

MD5
5a4c34199b7d24536a4c6f50750ba670

SHA1
d59cf458dae076d651af23d722266124ea8e87fb

SHA256
7c9ba201865da7d4fd662f471422f1ce7d86c91805b882c395e77100d9c4bc8e

SHA512
0a1e424436849b84b6f3c22c3c16e95c81049eb5381814f28cf3e4c9cbf4fd414a1b5962b1106888686ba2b19b88ddf589ee3bd69bc15f10250f3b54bb209b1c

Download Submit
C:\Users\Admin\Documents\gzmoY803sa6AbaNcFGlQwfPi.exe

MD5
5a4c34199b7d24536a4c6f50750ba670

SHA1
d59cf458dae076d651af23d722266124ea8e87fb

SHA256
7c9ba201865da7d4fd662f471422f1ce7d86c91805b882c395e77100d9c4bc8e

SHA512
0a1e424436849b84b6f3c22c3c16e95c81049eb5381814f28cf3e4c9cbf4fd414a1b5962b1106888686ba2b19b88ddf589ee3bd69bc15f10250f3b54bb209b1c

Download Submit
C:\Users\Admin\Documents\k3H1zcypdzdTk2_HIheW4Z_6.exe

MD5
33abc47044053a5b97f95d81712ffd57

SHA1
dcc962b16bacd4984cf0d2337d30da34d52b1f05

SHA256
6f27e9f486516c22c2f04dbbea0ac3bdb8f7f14a2cffa9dd2f3b7f92323b4339

SHA512
964e02b24218f1f72027a723f81dd93c725f650cdb7ada737ac27486a8f50e4c1e937127add2479ad6861ba4e75341b3686bfb8959d4be2bfcc28bd59f854947

Download Submit
C:\Users\Admin\Documents\k3H1zcypdzdTk2_HIheW4Z_6.exe

MD5
33abc47044053a5b97f95d81712ffd57

SHA1
dcc962b16bacd4984cf0d2337d30da34d52b1f05

SHA256
6f27e9f486516c22c2f04dbbea0ac3bdb8f7f14a2cffa9dd2f3b7f92323b4339

SHA512
964e02b24218f1f72027a723f81dd93c725f650cdb7ada737ac27486a8f50e4c1e937127add2479ad6861ba4e75341b3686bfb8959d4be2bfcc28bd59f854947

Download Submit
C:\Users\Admin\Documents\lOtBRW8MYEPvU0x8FwVebuUJ.exe

MD5
6c77dec5a89f8c6bd57e53cfc2a8c828

SHA1
7149f293508405d298a49e044e577126cc2e7d2e

SHA256
cad8d602e9131638c2b0b344654e3787026da745fa751f58b5e6392d18d8d06a

SHA512
722f64ff0e1162fca68d209fcb40772769a20ec570d2d9b25e2170c4947d601495636929b5fd34ec97e8ea1a551661157072e8dea9d49767bde2d2a2600225bf

Download Submit
C:\Users\Admin\Documents\lOtBRW8MYEPvU0x8FwVebuUJ.exe

MD5
6c77dec5a89f8c6bd57e53cfc2a8c828

SHA1
7149f293508405d298a49e044e577126cc2e7d2e

SHA256
cad8d602e9131638c2b0b344654e3787026da745fa751f58b5e6392d18d8d06a

SHA512
722f64ff0e1162fca68d209fcb40772769a20ec570d2d9b25e2170c4947d601495636929b5fd34ec97e8ea1a551661157072e8dea9d49767bde2d2a2600225bf

Download Submit
C:\Users\Admin\Documents\luaS8H_XAvsVqPzQJEMuKMqZ.exe

MD5
7411bd9a32735dfdeee38ee1f6629a7f

SHA1
5ebcd716a0a2c34bb57f3323fcc8ff081a9a78d0

SHA256
18af72f75d6dbdffa8f8319d5d76f9b1a8cb51e99e1b937948bdcc7af6665511

SHA512
806a75265ffb302311eab389ea563382f51ef525b8095a9fd10fdfb2da4f295f414b59e2bb14c25130bead481364f75fe966f38bc4f05818a9c82806725749eb

Download Submit
C:\Users\Admin\Documents\luaS8H_XAvsVqPzQJEMuKMqZ.exe

MD5
7411bd9a32735dfdeee38ee1f6629a7f

SHA1
5ebcd716a0a2c34bb57f3323fcc8ff081a9a78d0

SHA256
18af72f75d6dbdffa8f8319d5d76f9b1a8cb51e99e1b937948bdcc7af6665511

SHA512
806a75265ffb302311eab389ea563382f51ef525b8095a9fd10fdfb2da4f295f414b59e2bb14c25130bead481364f75fe966f38bc4f05818a9c82806725749eb

Download Submit
C:\Users\Admin\Documents\luaS8H_XAvsVqPzQJEMuKMqZ.exe

MD5
7411bd9a32735dfdeee38ee1f6629a7f

SHA1
5ebcd716a0a2c34bb57f3323fcc8ff081a9a78d0

SHA256
18af72f75d6dbdffa8f8319d5d76f9b1a8cb51e99e1b937948bdcc7af6665511

SHA512
806a75265ffb302311eab389ea563382f51ef525b8095a9fd10fdfb2da4f295f414b59e2bb14c25130bead481364f75fe966f38bc4f05818a9c82806725749eb

Download Submit
C:\Users\Admin\Documents\n3izj8NedK8WGX_Eah9ESj3X.exe

MD5
abeea23c95c98bc3cbc6d9d4508a0a2f

SHA1
b9b202c2e2da2073b4e332a7401159118581d10c

SHA256
df7734cbb1baf26783f02249ac1b725286ae3709233cb3e78955cb6873597e6d

SHA512
6fb725f1e067382a2ff6e153f9a3f02fb9d277248cf1b06c0541feef3919d8813f18f54b25899d9d7f6e0651fcfeec7d98fee9300c404c8e04c0606712261d9f

Download Submit
C:\Users\Admin\Documents\n3izj8NedK8WGX_Eah9ESj3X.exe

MD5
abeea23c95c98bc3cbc6d9d4508a0a2f

SHA1
b9b202c2e2da2073b4e332a7401159118581d10c

SHA256
df7734cbb1baf26783f02249ac1b725286ae3709233cb3e78955cb6873597e6d

SHA512
6fb725f1e067382a2ff6e153f9a3f02fb9d277248cf1b06c0541feef3919d8813f18f54b25899d9d7f6e0651fcfeec7d98fee9300c404c8e04c0606712261d9f

Download Submit
C:\Users\Admin\Documents\qnRYwqmXI74VT8xw9sDQzviT.exe

MD5
1198c7cec819a24342e0e7f3cc8451e3

SHA1
8b6f61780b083a520435f88cf59af1871180d21a

SHA256
ec0d5179e327663fe182b4df4df4a620a7d09fd5585ec8ee2ce36a8d33fc8ec3

SHA512
d27918a6c7a296e085b3a06677b30c9d7175401e7b9f7e4ec1b05c3fc34b72543e678452ca286c2a710db980020e3f7a0b8c34ea58129eb1004140c36b8cfd81

Download Submit
C:\Users\Admin\Documents\qnRYwqmXI74VT8xw9sDQzviT.exe

MD5
1198c7cec819a24342e0e7f3cc8451e3

SHA1
8b6f61780b083a520435f88cf59af1871180d21a

SHA256
ec0d5179e327663fe182b4df4df4a620a7d09fd5585ec8ee2ce36a8d33fc8ec3

SHA512
d27918a6c7a296e085b3a06677b30c9d7175401e7b9f7e4ec1b05c3fc34b72543e678452ca286c2a710db980020e3f7a0b8c34ea58129eb1004140c36b8cfd81

Download Submit
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe

MD5
fabac8484745201ea428ea1d10fe2755

SHA1
b7365fcaa7416427ce5cc69f2bde3874d88cdc92

SHA256
f97b089440dd628e37d008e3074ee71ae700970bf7b98157849117d7a7c59b5c

SHA512
059e73bb48bb1ac45285b2af7b6bb0cd0eef018eeb3ae3562a2b5021b1d1d759e36550da7eb27be482e42c623176fe0821c88dcba9dd97cd2de83af65e2ec38a

Download Submit
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe

MD5
fabac8484745201ea428ea1d10fe2755

SHA1
b7365fcaa7416427ce5cc69f2bde3874d88cdc92

SHA256
f97b089440dd628e37d008e3074ee71ae700970bf7b98157849117d7a7c59b5c

SHA512
059e73bb48bb1ac45285b2af7b6bb0cd0eef018eeb3ae3562a2b5021b1d1d759e36550da7eb27be482e42c623176fe0821c88dcba9dd97cd2de83af65e2ec38a

Download Submit
C:\Users\Admin\Documents\tunJqr2kv3i7JYxkXqi1mgOP.exe

MD5
fabac8484745201ea428ea1d10fe2755

SHA1
b7365fcaa7416427ce5cc69f2bde3874d88cdc92

SHA256
f97b089440dd628e37d008e3074ee71ae700970bf7b98157849117d7a7c59b5c

SHA512
059e73bb48bb1ac45285b2af7b6bb0cd0eef018eeb3ae3562a2b5021b1d1d759e36550da7eb27be482e42c623176fe0821c88dcba9dd97cd2de83af65e2ec38a

Download Submit
C:\Users\Admin\Documents\wAxV2xGR2jmHwwcdHzSTc4s0.exe

MD5
4c91ebf5b18e08cf75fe9d7b567d4093

SHA1
f76f07af066f31f39e7723ee0a841a752767c23c

SHA256
26658599bfea61f5a5db01ce91144702653e9ecf92eda1f54479ce1f48876721

SHA512
cd95b1fed25558e1eaae71aeec797130a2f840403959dd2ca07378bbe3b2773a9e5c22f5be58c0959b29e8c9df9ff78e87abc587bd93d07dfb5f435217ec87f3

Download Submit
C:\Users\Admin\Documents\wAxV2xGR2jmHwwcdHzSTc4s0.exe

MD5
4c91ebf5b18e08cf75fe9d7b567d4093

SHA1
f76f07af066f31f39e7723ee0a841a752767c23c

SHA256
26658599bfea61f5a5db01ce91144702653e9ecf92eda1f54479ce1f48876721

SHA512
cd95b1fed25558e1eaae71aeec797130a2f840403959dd2ca07378bbe3b2773a9e5c22f5be58c0959b29e8c9df9ff78e87abc587bd93d07dfb5f435217ec87f3

Download Submit
C:\Users\Admin\Documents\yEJwoui80rttZBX7MS_TSSij.exe

MD5
8ba1af598fde5a9bcbddf4b1f74aa12e

SHA1
6d35b46fe3be66ced67a1d4f11669d539b66c960

SHA256
a2644e711f5724d4f088b6b62d257c3ebaee9ab44c3d66088edcf3441f1eed8c

SHA512
457a28e5b9e1b67cadb5df6e8d57abaa9460dca025dbfffbc6e9176c6d8ffb9d00f9bc0f2bb5557dc4bcd5c7b7d18449d0d8463434422b13276dbbd69d824513

Download Submit
C:\Users\Admin\Documents\yEJwoui80rttZBX7MS_TSSij.exe

MD5
8ba1af598fde5a9bcbddf4b1f74aa12e

SHA1
6d35b46fe3be66ced67a1d4f11669d539b66c960

SHA256
a2644e711f5724d4f088b6b62d257c3ebaee9ab44c3d66088edcf3441f1eed8c

SHA512
457a28e5b9e1b67cadb5df6e8d57abaa9460dca025dbfffbc6e9176c6d8ffb9d00f9bc0f2bb5557dc4bcd5c7b7d18449d0d8463434422b13276dbbd69d824513

Download Submit
memory/592-180-0x0000000000000000-mapping.dmp

Download
memory/1208-442-0x000000001B740000-0x000000001B742000-memory.dmp

Filesize
8KB

Download
memory/1208-387-0x0000000000000000-mapping.dmp

Download
memory/1232-395-0x0000000000000000-mapping.dmp

Download
memory/1444-425-0x0000000000000000-mapping.dmp

Download
memory/1444-486-0x0000000005440000-0x0000000005441000-memory.dmp

Filesize
4KB

Download
memory/1520-350-0x0000000000000000-mapping.dmp

Download
memory/1556-186-0x0000000000000000-mapping.dmp

Download
memory/1556-285-0x0000000004BC0000-0x0000000004C36000-memory.dmp

Filesize
472KB

Download
memory/1556-261-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/1560-424-0x0000000000000000-mapping.dmp

Download
memory/1588-371-0x0000000004D40000-0x0000000005358000-memory.dmp

Filesize
6.1MB

Download
memory/1588-324-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1588-321-0x0000000000000000-mapping.dmp

Download
memory/1640-188-0x0000000000000000-mapping.dmp

Download
memory/1676-187-0x0000000000000000-mapping.dmp

Download
memory/1748-189-0x0000000000000000-mapping.dmp

Download
memory/1896-450-0x0000000000000000-mapping.dmp

Download
memory/1896-511-0x0000000005640000-0x0000000005C58000-memory.dmp

Filesize
6.1MB

Download
memory/1980-430-0x0000000000000000-mapping.dmp

Download
memory/1980-481-0x0000000004FE0000-0x00000000055F8000-memory.dmp

Filesize
6.1MB

Download
memory/2004-270-0x0000000001560000-0x0000000001562000-memory.dmp

Filesize
8KB

Download
memory/2004-241-0x0000000001530000-0x0000000001546000-memory.dmp

Filesize
88KB

Download
memory/2004-190-0x0000000000000000-mapping.dmp

Download
memory/2004-211-0x0000000000D50000-0x0000000000D51000-memory.dmp

Filesize
4KB

Download
memory/2072-510-0x0000000000000000-mapping.dmp

Download
memory/2072-594-0x0000000004EB0000-0x00000000054C8000-memory.dmp

Filesize
6.1MB

Download
memory/2116-299-0x0000000000000000-mapping.dmp

Download
memory/2176-334-0x0000000000000000-mapping.dmp

Download
memory/2176-381-0x00000000050D0000-0x00000000056E8000-memory.dmp

Filesize
6.1MB

Download
memory/2244-274-0x00000000006A0000-0x00000000006A3000-memory.dmp

Filesize
12KB

Download
memory/2244-256-0x0000000000000000-mapping.dmp

Download
memory/2344-250-0x0000000003980000-0x00000000039AF000-memory.dmp

Filesize
188KB

Download
memory/2344-148-0x0000000000000000-mapping.dmp

Download
memory/2464-505-0x0000000004F80000-0x0000000005598000-memory.dmp

Filesize
6.1MB

Download
memory/2464-459-0x0000000000000000-mapping.dmp

Download
memory/2696-244-0x0000000000000000-mapping.dmp

Download
memory/2896-325-0x0000027EBC1A0000-0x0000027EBC301000-memory.dmp

Filesize
1.4MB

Download
memory/2896-322-0x0000027EBBF50000-0x0000027EBC034000-memory.dmp

Filesize
912KB

Download
memory/2896-245-0x0000000000000000-mapping.dmp

Download
memory/2988-446-0x0000000005360000-0x0000000005978000-memory.dmp

Filesize
6.1MB

Download
memory/2988-397-0x0000000000000000-mapping.dmp

Download
memory/3092-156-0x0000000000000000-mapping.dmp

Download
memory/3092-196-0x00000000004C0000-0x00000000004C1000-memory.dmp

Filesize
4KB

Download
memory/3092-215-0x000000001B410000-0x000000001B412000-memory.dmp

Filesize
8KB

Download
memory/3092-403-0x0000000000000000-mapping.dmp

Download
memory/3092-234-0x0000000000C80000-0x0000000000C99000-memory.dmp

Filesize
100KB

Download
memory/3132-254-0x0000000000000000-mapping.dmp

Download
memory/3132-288-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3148-178-0x0000000000000000-mapping.dmp

Download
memory/3188-255-0x0000000004B80000-0x0000000004B81000-memory.dmp

Filesize
4KB

Download
memory/3188-155-0x0000000000000000-mapping.dmp

Download
memory/3188-231-0x0000000004BF0000-0x0000000004BF1000-memory.dmp

Filesize
4KB

Download
memory/3188-235-0x0000000004C90000-0x0000000004C91000-memory.dmp

Filesize
4KB

Download
memory/3188-243-0x0000000005750000-0x0000000005751000-memory.dmp

Filesize
4KB

Download
memory/3188-225-0x00000000051A0000-0x00000000051A1000-memory.dmp

Filesize
4KB

Download
memory/3188-195-0x00000000001A0000-0x00000000001A1000-memory.dmp

Filesize
4KB

Download
memory/3188-277-0x0000000004D00000-0x0000000004D01000-memory.dmp

Filesize
4KB

Download
memory/3208-449-0x0000000003D60000-0x0000000003D76000-memory.dmp

Filesize
88KB

Download
memory/3216-456-0x0000000000000000-mapping.dmp

Download
memory/3232-366-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3232-351-0x0000000000000000-mapping.dmp

Download
memory/3272-177-0x0000000000000000-mapping.dmp

Download
memory/3272-289-0x0000000004AB0000-0x0000000005056000-memory.dmp

Filesize
5.6MB

Download
memory/3272-304-0x0000000006E20000-0x0000000006E36000-memory.dmp

Filesize
88KB

Download
memory/3272-210-0x0000000000170000-0x0000000000171000-memory.dmp

Filesize
4KB

Download
memory/3272-308-0x0000000006D40000-0x0000000006D41000-memory.dmp

Filesize
4KB

Download
memory/3340-153-0x0000000000000000-mapping.dmp

Download
memory/3340-265-0x0000000004B90000-0x0000000004C06000-memory.dmp

Filesize
472KB

Download
memory/3340-213-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/3340-236-0x0000000004C10000-0x0000000004C11000-memory.dmp

Filesize
4KB

Download
memory/3608-453-0x0000000000000000-mapping.dmp

Download
memory/3616-571-0x00000000017A0000-0x00000000017A1000-memory.dmp

Filesize
4KB

Download
memory/3616-412-0x0000000000000000-mapping.dmp

Download
memory/3656-258-0x0000000004DC0000-0x0000000004DC1000-memory.dmp

Filesize
4KB

Download
memory/3656-257-0x0000000004C10000-0x0000000004C11000-memory.dmp

Filesize
4KB

Download
memory/3656-220-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/3656-163-0x0000000000000000-mapping.dmp

Download
memory/3856-390-0x0000000005B40000-0x0000000005B41000-memory.dmp

Filesize
4KB

Download
memory/3856-307-0x0000000005A50000-0x0000000005A51000-memory.dmp

Filesize
4KB

Download
memory/3856-394-0x0000000005B50000-0x0000000005B51000-memory.dmp

Filesize
4KB

Download
memory/3856-328-0x0000000005AD0000-0x0000000005AD1000-memory.dmp

Filesize
4KB

Download
memory/3856-332-0x0000000005AE0000-0x0000000005AE1000-memory.dmp

Filesize
4KB

Download
memory/3856-319-0x0000000005AC0000-0x0000000005AC1000-memory.dmp

Filesize
4KB

Download
memory/3856-316-0x0000000005AA0000-0x0000000005AA1000-memory.dmp

Filesize
4KB

Download
memory/3856-318-0x0000000005AB0000-0x0000000005AB1000-memory.dmp

Filesize
4KB

Download
memory/3856-315-0x0000000005A90000-0x0000000005A91000-memory.dmp

Filesize
4KB

Download
memory/3856-310-0x0000000005A60000-0x0000000005A61000-memory.dmp

Filesize
4KB

Download
memory/3856-313-0x0000000005A80000-0x0000000005A81000-memory.dmp

Filesize
4KB

Download
memory/3856-311-0x0000000005A70000-0x0000000005A71000-memory.dmp

Filesize
4KB

Download
memory/3856-361-0x0000000005B20000-0x0000000005B21000-memory.dmp

Filesize
4KB

Download
memory/3856-357-0x0000000005B10000-0x0000000005B11000-memory.dmp

Filesize
4KB

Download
memory/3856-353-0x0000000005B00000-0x0000000005B01000-memory.dmp

Filesize
4KB

Download
memory/3856-346-0x0000000005AF0000-0x0000000005AF1000-memory.dmp

Filesize
4KB

Download
memory/3856-281-0x0000000000000000-mapping.dmp

Download
memory/3856-398-0x0000000005B60000-0x0000000005B61000-memory.dmp

Filesize
4KB

Download
memory/3856-295-0x00000000031C0000-0x00000000031FC000-memory.dmp

Filesize
240KB

Download
memory/3856-376-0x0000000005B30000-0x0000000005B31000-memory.dmp

Filesize
4KB

Download
memory/3856-296-0x00000000021A0000-0x00000000021A1000-memory.dmp

Filesize
4KB

Download
memory/4004-166-0x0000000000000000-mapping.dmp

Download
memory/4004-282-0x0000000003AC0000-0x0000000003B15000-memory.dmp

Filesize
340KB

Download
memory/4012-167-0x0000000000000000-mapping.dmp

Download
memory/4012-204-0x00000000008B0000-0x00000000008B1000-memory.dmp

Filesize
4KB

Download
memory/4012-276-0x0000000005280000-0x0000000005826000-memory.dmp

Filesize
5.6MB

Download
memory/4036-164-0x0000000000000000-mapping.dmp

Download
memory/4036-312-0x0000000001000000-0x0000000001001000-memory.dmp

Filesize
4KB

Download
memory/4036-335-0x0000000005DD0000-0x0000000005DD1000-memory.dmp

Filesize
4KB

Download
memory/4108-421-0x00000000054D0000-0x0000000005AE8000-memory.dmp

Filesize
6.1MB

Download
memory/4108-362-0x0000000000000000-mapping.dmp

Download
memory/4188-224-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download
memory/4188-259-0x0000000004B50000-0x0000000004B51000-memory.dmp

Filesize
4KB

Download
memory/4188-279-0x0000000004980000-0x0000000004F98000-memory.dmp

Filesize
6.1MB

Download
memory/4188-159-0x0000000000000000-mapping.dmp

Download
memory/4188-280-0x0000000004A80000-0x0000000004A81000-memory.dmp

Filesize
4KB

Download
memory/4188-297-0x0000000004DD0000-0x0000000004DD1000-memory.dmp

Filesize
4KB

Download
memory/4188-251-0x0000000004A20000-0x0000000004A21000-memory.dmp

Filesize
4KB

Download
memory/4188-266-0x0000000004C60000-0x0000000004C61000-memory.dmp

Filesize
4KB

Download
memory/4188-246-0x0000000004FA0000-0x0000000004FA1000-memory.dmp

Filesize
4KB

Download
memory/4224-165-0x0000000000000000-mapping.dmp

Download
memory/4224-385-0x0000000005650000-0x0000000005651000-memory.dmp

Filesize
4KB

Download
memory/4256-487-0x0000000000000000-mapping.dmp

Download
memory/4256-540-0x00000000058D0000-0x0000000005EE8000-memory.dmp

Filesize
6.1MB

Download
memory/4288-300-0x0000000000000000-mapping.dmp

Download
memory/4536-416-0x0000000000000000-mapping.dmp

Download
memory/4536-452-0x0000000005330000-0x0000000005948000-memory.dmp

Filesize
6.1MB

Download
memory/4580-149-0x0000000000000000-mapping.dmp

Download
memory/4580-341-0x00000000006D0000-0x00000000006DA000-memory.dmp

Filesize
40KB

Download
memory/4684-298-0x0000000000E00000-0x0000000000E12000-memory.dmp

Filesize
72KB

Download
memory/4684-291-0x0000000000DE0000-0x0000000000DF0000-memory.dmp

Filesize
64KB

Download
memory/4684-263-0x0000000000000000-mapping.dmp

Download
memory/4840-157-0x0000000000000000-mapping.dmp

Download
memory/4840-349-0x00000000007E0000-0x000000000080F000-memory.dmp

Filesize
188KB

Download
memory/4844-160-0x0000000000000000-mapping.dmp

Download
memory/4844-247-0x0000000003BD0000-0x0000000003CA3000-memory.dmp

Filesize
844KB

Download
memory/4852-146-0x0000000003910000-0x0000000003A4F000-memory.dmp

Filesize
1.2MB

Download
memory/4856-455-0x0000000000000000-mapping.dmp

Download
memory/5020-348-0x0000000000000000-mapping.dmp

Download
memory/5108-147-0x0000000000000000-mapping.dmp

Download
memory/5108-292-0x0000000004360000-0x0000000004C86000-memory.dmp

Filesize
9.1MB

Download
memory/5140-636-0x0000000000000000-mapping.dmp

Download
memory/5152-485-0x0000000000000000-mapping.dmp

Download
memory/5196-616-0x0000000000000000-mapping.dmp

Download
memory/5252-533-0x0000000000000000-mapping.dmp

Download
memory/5252-597-0x00000000056C0000-0x0000000005CD8000-memory.dmp

Filesize
6.1MB

Download
memory/5340-604-0x0000000004CA0000-0x0000000004CA1000-memory.dmp

Filesize
4KB

Download
memory/5340-496-0x0000000000000000-mapping.dmp

Download
memory/5424-503-0x0000000000000000-mapping.dmp

Download
memory/5492-552-0x0000000000000000-mapping.dmp

Download
memory/5584-532-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/5584-514-0x0000000000000000-mapping.dmp

Download
memory/5696-600-0x0000000000000000-mapping.dmp

Download
memory/5876-529-0x0000000000000000-mapping.dmp

Download
memory/5956-538-0x0000000000000000-mapping.dmp

Download
memory/5956-585-0x0000000005AB0000-0x0000000005AB1000-memory.dmp

Filesize
4KB

Download
memory/5956-591-0x0000000005B60000-0x0000000005B61000-memory.dmp

Filesize
4KB

Download
memory/5956-578-0x00000000020A0000-0x00000000020A1000-memory.dmp

Filesize
4KB

Download
memory/6092-611-0x0000000000000000-mapping.dmp

Download