glupteba | 1cd649ea4273fd977b6a350bfe8f3b62f1d0aee1408b9966aa3d6ad39ba5af6a

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	T5K7goVVqqrcVagS9bkD14By.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	T5K7goVVqqrcVagS9bkD14By.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	T3AnHHlDI8evrL8ZvmvMCni2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	T3AnHHlDI8evrL8ZvmvMCni2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	9uc3L9Nbj3YxONtj4lXG5Ygd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	9uc3L9Nbj3YxONtj4lXG5Ygd.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation	Setup (16).exe

Loads dropped DLL 7 IoCs

pid	Process
4912	wyUgayLTtPpf1XiVbNAgPsz3.tmp
4912	wyUgayLTtPpf1XiVbNAgPsz3.tmp
3116	mYh61VoYBDRuCbtABUCVKMFD.exe
3116	mYh61VoYBDRuCbtABUCVKMFD.exe
3116	mYh61VoYBDRuCbtABUCVKMFD.exe
3116	mYh61VoYBDRuCbtABUCVKMFD.exe
3116	mYh61VoYBDRuCbtABUCVKMFD.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Themida packer 9 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral16/files/0x000100000001aba6-163.dat	themida
behavioral16/files/0x000100000001aba7-161.dat	themida
behavioral16/files/0x000100000001aba6-186.dat	themida
behavioral16/memory/908-235-0x0000000000960000-0x0000000000961000-memory.dmp	themida
behavioral16/memory/2268-244-0x0000000001270000-0x0000000001271000-memory.dmp	themida
behavioral16/memory/2328-240-0x0000000000360000-0x0000000000361000-memory.dmp	themida
behavioral16/files/0x000100000001aba7-184.dat	themida
behavioral16/files/0x000100000001aba3-176.dat	themida
behavioral16/files/0x000100000001aba3-147.dat	themida

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	T5K7goVVqqrcVagS9bkD14By.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	9uc3L9Nbj3YxONtj4lXG5Ygd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	T3AnHHlDI8evrL8ZvmvMCni2.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 17 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
7494	ipinfo.io
15440	ipinfo.io
132	api.db-ip.com
257	ipinfo.io
971	ipinfo.io
30	ipinfo.io
155	ipinfo.io
7853	ipinfo.io
4758	ipinfo.io
4766	ipinfo.io
29	ipinfo.io
291	ipinfo.io
970	ipinfo.io
130	api.db-ip.com
116	ip-api.com
122	ipinfo.io
123	ipinfo.io

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

pid	Process
908	T5K7goVVqqrcVagS9bkD14By.exe
2328	T3AnHHlDI8evrL8ZvmvMCni2.exe
2268	9uc3L9Nbj3YxONtj4lXG5Ygd.exe

Suspicious use of SetThreadContext 24 IoCs

description	pid	Process	procid_target
PID 4048 set thread context of 4728	4048	Sx9a5bbbnQN_3oDPc0fl8jt9.exe	105
PID 3828 set thread context of 4756	3828	NOBO1YuDRApbUkmKXmVPM9_U.exe	421
PID 2080 set thread context of 4268	2080	HwLYjYmgIcI3kf4orSR4pDSD.exe	114
PID 1808 set thread context of 5008	1808	Jf3nQl9M_Fd774xpoBNHVzFR.exe	413
PID 3828 set thread context of 5076	3828	NOBO1YuDRApbUkmKXmVPM9_U.exe	408
PID 1808 set thread context of 4724	1808	Jf3nQl9M_Fd774xpoBNHVzFR.exe	400
PID 2188 set thread context of 4784	2188	1COrfeQjxHKqwZwVS34QX2iZ.exe	632
PID 4048 set thread context of 3568	4048	Sx9a5bbbnQN_3oDPc0fl8jt9.exe	384
PID 3828 set thread context of 4852	3828	NOBO1YuDRApbUkmKXmVPM9_U.exe	383
PID 1808 set thread context of 2788	1808	Jf3nQl9M_Fd774xpoBNHVzFR.exe	378
PID 2188 set thread context of 428	2188	1COrfeQjxHKqwZwVS34QX2iZ.exe	371
PID 3828 set thread context of 4000	3828	NOBO1YuDRApbUkmKXmVPM9_U.exe	364
PID 1808 set thread context of 4428	1808	Jf3nQl9M_Fd774xpoBNHVzFR.exe	362
PID 4048 set thread context of 5156	4048	Sx9a5bbbnQN_3oDPc0fl8jt9.exe	128
PID 2188 set thread context of 5192	2188	1COrfeQjxHKqwZwVS34QX2iZ.exe	126
PID 3828 set thread context of 5376	3828	NOBO1YuDRApbUkmKXmVPM9_U.exe	356
PID 1808 set thread context of 5440	1808	Jf3nQl9M_Fd774xpoBNHVzFR.exe	129
PID 4048 set thread context of 5520	4048	Sx9a5bbbnQN_3oDPc0fl8jt9.exe	130
PID 1808 set thread context of 5936	1808	Jf3nQl9M_Fd774xpoBNHVzFR.exe	139
PID 4048 set thread context of 6028	4048	Sx9a5bbbnQN_3oDPc0fl8jt9.exe	137
PID 3828 set thread context of 5264	3828	NOBO1YuDRApbUkmKXmVPM9_U.exe	140
PID 1808 set thread context of 5316	1808	Jf3nQl9M_Fd774xpoBNHVzFR.exe	1552
PID 3828 set thread context of 5948	3828	NOBO1YuDRApbUkmKXmVPM9_U.exe	149
PID 1808 set thread context of 5700	1808	Jf3nQl9M_Fd774xpoBNHVzFR.exe	343

Drops file in Program Files directory 16 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe	JeuegkOl9zBxFw6VJ6g9AAco.exe
File opened for modification	C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe	Setup.exe
File created	C:\Program Files (x86)\SmartPDF\SmartPDF\Uninstall.ini	Setup.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\Uninstall.exe	ZR2BtvCAI1oYcLl8ZPYrxeH3.exe
File created	C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe	JeuegkOl9zBxFw6VJ6g9AAco.exe
File opened for modification	C:\Program Files (x86)\SmartPDF\SmartPDF\stats.exe	Setup.exe
File opened for modification	C:\Program Files (x86)\SmartPDF\SmartPDF\Uninstall.exe	Setup.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\inst001.exe	ZR2BtvCAI1oYcLl8ZPYrxeH3.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\cutm3.exe	ZR2BtvCAI1oYcLl8ZPYrxeH3.exe
File created	C:\Program Files (x86)\Company\NewProduct\Uninstall.ini	ZR2BtvCAI1oYcLl8ZPYrxeH3.exe
File opened for modification	C:\Program Files (x86)\SmartPDF\SmartPDF\9840432e051a6fa1192594db02b80a4c1fd73456.exe	Setup.exe
File opened for modification	C:\Program Files (x86)\SmartPDF\SmartPDF\note866.exe	Setup.exe
File opened for modification	C:\Program Files (x86)\SmartPDF\SmartPDF\PBrowFile15.exe	Setup.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe	ZR2BtvCAI1oYcLl8ZPYrxeH3.exe
File opened for modification	C:\Program Files (x86)\SmartPDF\SmartPDF\lg.exe	Setup.exe
File opened for modification	C:\Program Files (x86)\SmartPDF\SmartPDF\LivelyScreenRecS3.0.exe	Setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 64 IoCs

pid	pid_target	Process	procid_target
4100	1168	WerFault.exe	85
4204	4784	WerFault.exe
5176	3972	WerFault.exe	80
5284	1168	WerFault.exe	85
5700	1168	WerFault.exe	85
5692	3972	WerFault.exe	80
5204	3972	WerFault.exe	80
5064	1500	WerFault.exe	92
4876	3972	WerFault.exe	80
4408	4236	WerFault.exe	115
1892	1500	WerFault.exe	92
6024	1168	WerFault.exe	85
5056	1168	WerFault.exe	85
1000	1500	WerFault.exe	92
6224	3972	WerFault.exe	80
6384	1168	WerFault.exe	85
6936	6304	WerFault.exe	176
6944	3972	WerFault.exe	80
6300	1168	WerFault.exe	85
6832	3972	WerFault.exe	80
6612	1500	WerFault.exe	92
4444	3972	WerFault.exe	80
6948	1168	WerFault.exe	85
7532	1500	WerFault.exe	92
7432	4600	WerFault.exe	216
1968	3972	WerFault.exe	80
8052	7980	WerFault.exe	249
3076	1168	WerFault.exe	85
37820	23720	Process not Found	791
5828	26068	Process not Found	872
42484	12380	Process not Found	461
40832	16184	Process not Found	564
36988	5700	Process not Found	343
41208	26556	Process not Found	856
42696	192	Process not Found	597
39592	25880	Process not Found	1102
23860	7724	Process not Found	549
35628	17444	Process not Found	1315
41256	36452	Process not Found	1284
30420	23416	Process not Found	745
14628	13732	Process not Found	870
39956	2648	Process not Found	198
41380	21456	Process not Found	869
37740	31516	Process not Found	1159
1640	17788	Process not Found	687
34148	33668	Process not Found	1190
24840	25700	Process not Found	887
36036	20664	Process not Found	695
32472	23916	Process not Found	854
5336	18968	Process not Found	649
37344	36732	Process not Found	1241
24388	26656	Process not Found	957
28584	26092	Process not Found	871
34384	8840	Process not Found	401
32648	16520	Process not Found	608
32304	25420	Process not Found	819
25484	28124	Process not Found	1015
27964	25000	Process not Found	859
18144	25540	Process not Found	810
28016	4724	Process not Found	400
41408	8112	Process not Found	253
23220	20228	Process not Found	672
5316	28968	Process not Found	1035
42656	25852	Process not Found	848

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	HwLYjYmgIcI3kf4orSR4pDSD.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	HwLYjYmgIcI3kf4orSR4pDSD.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	HwLYjYmgIcI3kf4orSR4pDSD.exe

Creates scheduled task(s) 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

pid	Process
5064	schtasks.exe
23744	schtasks.exe
23736	schtasks.exe
4596	schtasks.exe

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
7824	timeout.exe
5900	Process not Found

Kills process with taskkill 2 IoCs

evasion

pid	Process
5508	taskkill.exe
14344	taskkill.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	Process not Found

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
21056	PING.EXE

Script User-Agent 9 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	155	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	160	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	168	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	7495	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	15444	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	153	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	185	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	262	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	8760	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3400	Setup (16).exe
3400	Setup (16).exe
4268	HwLYjYmgIcI3kf4orSR4pDSD.exe
4268	HwLYjYmgIcI3kf4orSR4pDSD.exe
4100	WerFault.exe
4100	WerFault.exe
4100	WerFault.exe
4100	WerFault.exe
4100	WerFault.exe
4100	WerFault.exe
4100	WerFault.exe
4100	WerFault.exe
4100	WerFault.exe
4100	WerFault.exe
4100	WerFault.exe
4100	WerFault.exe
4100	WerFault.exe
4100	WerFault.exe
4100	WerFault.exe
4100	WerFault.exe
4100	WerFault.exe
4100	WerFault.exe
4100	WerFault.exe
4100	WerFault.exe
4100	WerFault.exe
2764	Process not Found
2764	Process not Found
2764	Process not Found
2764	Process not Found
2764	Process not Found
2764	Process not Found
2764	Process not Found
2764	Process not Found
2764	Process not Found
2764	Process not Found
2764	Process not Found
2764	Process not Found
2764	Process not Found
2764	Process not Found
2764	Process not Found
2764	Process not Found
2764	Process not Found
2764	Process not Found
2764	Process not Found
2764	Process not Found
3076	WerFault.exe
3076	WerFault.exe
3076	WerFault.exe
3076	WerFault.exe
3076	WerFault.exe
3076	WerFault.exe
3076	WerFault.exe
3076	WerFault.exe
3076	WerFault.exe
3076	WerFault.exe
3076	WerFault.exe
3076	WerFault.exe
3076	WerFault.exe
3076	WerFault.exe
3076	WerFault.exe
3076	WerFault.exe
3076	WerFault.exe
3076	WerFault.exe
3076	WerFault.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2764	Process not Found

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
4268	HwLYjYmgIcI3kf4orSR4pDSD.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2312	owyBeay0bfyTalbBJydNDSGm.exe
Token: SeRestorePrivilege	4100	WerFault.exe
Token: SeBackupPrivilege	4100	WerFault.exe
Token: SeDebugPrivilege	4100	WerFault.exe
Token: SeShutdownPrivilege	2764	Process not Found
Token: SeCreatePagefilePrivilege	2764	Process not Found
Token: SeShutdownPrivilege	2764	Process not Found
Token: SeCreatePagefilePrivilege	2764	Process not Found
Token: SeShutdownPrivilege	2764	Process not Found
Token: SeCreatePagefilePrivilege	2764	Process not Found
Token: SeShutdownPrivilege	2764	Process not Found
Token: SeCreatePagefilePrivilege	2764	Process not Found
Token: SeShutdownPrivilege	2764	Process not Found
Token: SeCreatePagefilePrivilege	2764	Process not Found
Token: SeShutdownPrivilege	2764	Process not Found
Token: SeCreatePagefilePrivilege	2764	Process not Found
Token: SeShutdownPrivilege	2764	Process not Found
Token: SeCreatePagefilePrivilege	2764	Process not Found
Token: SeShutdownPrivilege	2764	Process not Found
Token: SeCreatePagefilePrivilege	2764	Process not Found
Token: SeShutdownPrivilege	2764	Process not Found
Token: SeCreatePagefilePrivilege	2764	Process not Found
Token: SeShutdownPrivilege	2764	Process not Found
Token: SeCreatePagefilePrivilege	2764	Process not Found
Token: SeShutdownPrivilege	2764	Process not Found
Token: SeCreatePagefilePrivilege	2764	Process not Found
Token: SeShutdownPrivilege	2764	Process not Found
Token: SeCreatePagefilePrivilege	2764	Process not Found
Token: SeShutdownPrivilege	2764	Process not Found
Token: SeCreatePagefilePrivilege	2764	Process not Found
Token: SeShutdownPrivilege	2764	Process not Found
Token: SeCreatePagefilePrivilege	2764	Process not Found
Token: SeShutdownPrivilege	2764	Process not Found
Token: SeCreatePagefilePrivilege	2764	Process not Found
Token: SeDebugPrivilege	3076	WerFault.exe
Token: SeShutdownPrivilege	2764	Process not Found
Token: SeCreatePagefilePrivilege	2764	Process not Found
Token: SeShutdownPrivilege	2764	Process not Found
Token: SeCreatePagefilePrivilege	2764	Process not Found
Token: SeShutdownPrivilege	2764	Process not Found
Token: SeCreatePagefilePrivilege	2764	Process not Found
Token: SeShutdownPrivilege	2764	Process not Found
Token: SeCreatePagefilePrivilege	2764	Process not Found
Token: SeShutdownPrivilege	2764	Process not Found
Token: SeCreatePagefilePrivilege	2764	Process not Found
Token: SeShutdownPrivilege	2764	Process not Found
Token: SeCreatePagefilePrivilege	2764	Process not Found
Token: SeDebugPrivilege	5176	Process not Found
Token: SeShutdownPrivilege	2764	Process not Found
Token: SeCreatePagefilePrivilege	2764	Process not Found
Token: SeShutdownPrivilege	2764	Process not Found
Token: SeCreatePagefilePrivilege	2764	Process not Found
Token: SeDebugPrivilege	5284	WerFault.exe
Token: SeDebugPrivilege	2328	T3AnHHlDI8evrL8ZvmvMCni2.exe
Token: SeDebugPrivilege	908	T5K7goVVqqrcVagS9bkD14By.exe
Token: SeDebugPrivilege	2268	9uc3L9Nbj3YxONtj4lXG5Ygd.exe
Token: SeDebugPrivilege	4728	Sx9a5bbbnQN_3oDPc0fl8jt9.exe
Token: SeShutdownPrivilege	2764	Process not Found
Token: SeCreatePagefilePrivilege	2764	Process not Found
Token: SeShutdownPrivilege	2764	Process not Found
Token: SeCreatePagefilePrivilege	2764	Process not Found
Token: SeShutdownPrivilege	2764	Process not Found
Token: SeCreatePagefilePrivilege	2764	Process not Found
Token: SeShutdownPrivilege	2764	Process not Found

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
4912	wyUgayLTtPpf1XiVbNAgPsz3.tmp
2764	Process not Found
2764	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3400 wrote to memory of 3828	3400	Setup (16).exe	84
PID 3400 wrote to memory of 3828	3400	Setup (16).exe	84
PID 3400 wrote to memory of 3828	3400	Setup (16).exe	84
PID 3400 wrote to memory of 1676	3400	Setup (16).exe	83
PID 3400 wrote to memory of 1676	3400	Setup (16).exe	83
PID 3400 wrote to memory of 3116	3400	Setup (16).exe	82
PID 3400 wrote to memory of 3116	3400	Setup (16).exe	82
PID 3400 wrote to memory of 3116	3400	Setup (16).exe	82
PID 3400 wrote to memory of 2188	3400	Setup (16).exe	81
PID 3400 wrote to memory of 2188	3400	Setup (16).exe	81
PID 3400 wrote to memory of 2188	3400	Setup (16).exe	81
PID 3400 wrote to memory of 3972	3400	Setup (16).exe	80
PID 3400 wrote to memory of 3972	3400	Setup (16).exe	80
PID 3400 wrote to memory of 3972	3400	Setup (16).exe	80
PID 3400 wrote to memory of 4048	3400	Setup (16).exe	79
PID 3400 wrote to memory of 4048	3400	Setup (16).exe	79
PID 3400 wrote to memory of 4048	3400	Setup (16).exe	79
PID 3400 wrote to memory of 1168	3400	Setup (16).exe	85
PID 3400 wrote to memory of 1168	3400	Setup (16).exe	85
PID 3400 wrote to memory of 1168	3400	Setup (16).exe	85
PID 3400 wrote to memory of 1500	3400	Setup (16).exe	92
PID 3400 wrote to memory of 1500	3400	Setup (16).exe	92
PID 3400 wrote to memory of 1500	3400	Setup (16).exe	92
PID 3400 wrote to memory of 908	3400	Setup (16).exe	90
PID 3400 wrote to memory of 908	3400	Setup (16).exe	90
PID 3400 wrote to memory of 908	3400	Setup (16).exe	90
PID 3400 wrote to memory of 2492	3400	Setup (16).exe	89
PID 3400 wrote to memory of 2492	3400	Setup (16).exe	89
PID 3400 wrote to memory of 2492	3400	Setup (16).exe	89
PID 3400 wrote to memory of 2080	3400	Setup (16).exe	87
PID 3400 wrote to memory of 2080	3400	Setup (16).exe	87
PID 3400 wrote to memory of 2080	3400	Setup (16).exe	87
PID 3400 wrote to memory of 4028	3400	Setup (16).exe	102
PID 3400 wrote to memory of 4028	3400	Setup (16).exe	102
PID 3400 wrote to memory of 4028	3400	Setup (16).exe	102
PID 3400 wrote to memory of 2268	3400	Setup (16).exe	96
PID 3400 wrote to memory of 2268	3400	Setup (16).exe	96
PID 3400 wrote to memory of 2268	3400	Setup (16).exe	96
PID 3400 wrote to memory of 3664	3400	Setup (16).exe	101
PID 3400 wrote to memory of 3664	3400	Setup (16).exe	101
PID 3400 wrote to memory of 3664	3400	Setup (16).exe	101
PID 3400 wrote to memory of 200	3400	Setup (16).exe	100
PID 3400 wrote to memory of 200	3400	Setup (16).exe	100
PID 3400 wrote to memory of 200	3400	Setup (16).exe	100
PID 3400 wrote to memory of 2308	3400	Setup (16).exe	97
PID 3400 wrote to memory of 2308	3400	Setup (16).exe	97
PID 3400 wrote to memory of 2308	3400	Setup (16).exe	97
PID 3400 wrote to memory of 1808	3400	Setup (16).exe	99
PID 3400 wrote to memory of 1808	3400	Setup (16).exe	99
PID 3400 wrote to memory of 1808	3400	Setup (16).exe	99
PID 3400 wrote to memory of 2328	3400	Setup (16).exe	98
PID 3400 wrote to memory of 2328	3400	Setup (16).exe	98
PID 3400 wrote to memory of 2328	3400	Setup (16).exe	98
PID 3400 wrote to memory of 644	3400	Setup (16).exe	95
PID 3400 wrote to memory of 644	3400	Setup (16).exe	95
PID 3400 wrote to memory of 644	3400	Setup (16).exe	95
PID 3400 wrote to memory of 208	3400	Setup (16).exe	93
PID 3400 wrote to memory of 208	3400	Setup (16).exe	93
PID 3400 wrote to memory of 208	3400	Setup (16).exe	93
PID 3400 wrote to memory of 2312	3400	Setup (16).exe	473
PID 3400 wrote to memory of 2312	3400	Setup (16).exe	473
PID 3400 wrote to memory of 3480	3400	Setup (16).exe	103
PID 3400 wrote to memory of 3480	3400	Setup (16).exe	103
PID 3400 wrote to memory of 3480	3400	Setup (16).exe	103

C:\Users\Admin\AppData\Local\Temp\Setup (16).exe
"C:\Users\Admin\AppData\Local\Temp\Setup (16).exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3400
- C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
  "C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:4048
- - C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4728
- - C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    3⤵
    - Executes dropped EXE
    PID:4472
- - C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    3⤵
    - Executes dropped EXE
    PID:3740
- - C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    3⤵
    - Executes dropped EXE
    PID:5156
- - C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    3⤵
    - Executes dropped EXE
    PID:5520
- - C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    3⤵
    - Executes dropped EXE
    PID:6028
- - C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    3⤵
    PID:5404
- - C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    3⤵
    PID:5684
- - C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    3⤵
    PID:6260
- - C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    3⤵
    PID:6756
- - C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    3⤵
    PID:6540
- - C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    3⤵
    PID:7140
- - C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    3⤵
    PID:6664
- - C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    3⤵
    PID:6752
- - C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    3⤵
    PID:7248
- - C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    3⤵
    PID:7680
- - C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    3⤵
    PID:4572
- - C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    3⤵
    PID:6444
- - C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    3⤵
    PID:6952
- - C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    3⤵
    PID:7764
- - C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    3⤵
    PID:8112
- - C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    3⤵
    PID:7536
- - C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    3⤵
    PID:8352
- - C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    3⤵
    PID:8900
- - C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    3⤵
    PID:9000
- - C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    3⤵
    PID:1432
- - C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    3⤵
    PID:3192
- - C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    3⤵
    PID:6928
- - C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    3⤵
    PID:9096
- - C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    3⤵
    PID:6360
- - C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    3⤵
    PID:8016
- - C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    3⤵
    PID:9384
- - C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    3⤵
    PID:8212
- - C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    3⤵
    PID:9896
- - C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    3⤵
    PID:7396
- - C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    3⤵
    PID:5224
- - C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    3⤵
    PID:6968
- - C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    3⤵
    PID:9516
- - C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    3⤵
    PID:9420
- - C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    3⤵
    PID:10508
- - C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    3⤵
    PID:10916
- - C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    3⤵
    PID:10432
- - C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    3⤵
    - Executes dropped EXE
    PID:3568
- - C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    3⤵
    PID:11024
- - C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    3⤵
    PID:10624
- - C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    3⤵
    PID:10420
- - C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    3⤵
    PID:7828
- - C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    3⤵
    PID:11640
- - C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    3⤵
    - Executes dropped EXE
    PID:4992
- - C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    3⤵
    PID:12044
- - C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    3⤵
    PID:11496
- - C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    3⤵
    PID:12224
- - C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    3⤵
    PID:3272
- - C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    3⤵
    PID:1728
- - C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    3⤵
    PID:8152
- - C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    3⤵
    PID:12936
- - C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    3⤵
    PID:12432
- - C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    3⤵
    PID:9492
- - C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    3⤵
    PID:12824
- - C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    3⤵
    PID:10100
- - C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    3⤵
    PID:10296
- - C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    3⤵
    PID:14088
- - C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    3⤵
    PID:9536
- - C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    3⤵
    PID:14644
- - C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    3⤵
    PID:14108
- - C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    3⤵
    PID:15208
- - C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    3⤵
    PID:14508
- - C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    3⤵
    PID:13908
- - C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    3⤵
    PID:13540
- - C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    3⤵
    PID:6768
- - C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    3⤵
    PID:16092
- - C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    3⤵
    PID:15744
- - C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    3⤵
    PID:16360
- - C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    3⤵
    PID:15588
- - C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    3⤵
    PID:13644
- - C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    3⤵
    PID:16608
- - C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    3⤵
    PID:17136
- - C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    3⤵
    PID:17516
- - C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    3⤵
    PID:18840
- - C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    3⤵
    PID:18252
- - C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    3⤵
    PID:16400
- - C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    3⤵
    PID:20304
- - C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    3⤵
    PID:19656
- - C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    3⤵
    PID:19540
- - C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    3⤵
    PID:20228
- - C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    3⤵
    PID:14908
- - C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    3⤵
    PID:21480
- - C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    3⤵
    PID:20960
- - C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    3⤵
    PID:20664
- - C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    3⤵
    PID:22388
- - C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    3⤵
    PID:21592
- - C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    3⤵
    PID:19752
- - C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    3⤵
    PID:14932
- - C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    3⤵
    PID:9676
- - C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    3⤵
    PID:23324
- - C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    3⤵
    PID:23304
- - C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    3⤵
    PID:21816
- - C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    3⤵
    PID:23528
- - C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    3⤵
    PID:24468
- - C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    3⤵
    PID:20944
- - C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    3⤵
    PID:23592
- - C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    3⤵
    PID:23632
- - C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    3⤵
    PID:25540
- - C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    3⤵
    PID:25300
- - C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    3⤵
    PID:21780
- - C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    3⤵
    PID:23440
- - C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    3⤵
    PID:25864
- - C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    3⤵
    PID:23916
- - C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    3⤵
    PID:26516
- - C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    3⤵
    PID:25476
- - C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    3⤵
    PID:26596
- - C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    3⤵
    PID:13760
- - C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    3⤵
    PID:20848
- - C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    3⤵
    PID:15176
- - C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    3⤵
    PID:16276
- - C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    3⤵
    PID:23784
- - C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    3⤵
    PID:17096
- - C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    3⤵
    PID:26688
- - C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    3⤵
    PID:13044
- - C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    3⤵
    PID:27408
- - C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    3⤵
    PID:24624
- - C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    3⤵
    PID:27464
- - C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    3⤵
    PID:25524
- - C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    3⤵
    PID:28124
- - C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    3⤵
    PID:26060
- - C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    3⤵
    PID:28968
- - C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    3⤵
    PID:30316
- - C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    3⤵
    PID:26900
- - C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    3⤵
    PID:26404
- - C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    3⤵
    PID:29144
- - C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    3⤵
    PID:24060
- - C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    3⤵
    PID:31340
- - C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    3⤵
    PID:32272
- - C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    3⤵
    PID:25880
- - C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    3⤵
    PID:30888
- - C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    3⤵
    PID:28632
- - C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    C:\Users\Admin\Documents\Sx9a5bbbnQN_3oDPc0fl8jt9.exe
    3⤵
    PID:28492
- C:\Users\Admin\Documents\9CLUQhCXnjuQcVWfYFvK6xsM.exe
  "C:\Users\Admin\Documents\9CLUQhCXnjuQcVWfYFvK6xsM.exe"
  2⤵
  - Executes dropped EXE
  PID:3972
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3972 -s 660
    3⤵
    - Program crash
    PID:5176
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3972 -s 676
    3⤵
    - Program crash
    PID:5692
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3972 -s 680
    3⤵
    - Program crash
    PID:5204
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3972 -s 716
    3⤵
    - Program crash
    PID:4876
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3972 -s 1032
    3⤵
    - Program crash
    PID:6224
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3972 -s 1096
    3⤵
    - Program crash
    PID:6944
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3972 -s 1216
    3⤵
    - Program crash
    PID:6832
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3972 -s 1308
    3⤵
    - Program crash
    PID:4444
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3972 -s 1388
    3⤵
    - Program crash
    PID:1968
- C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
  "C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:2188
- - C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    3⤵
    - Executes dropped EXE
    PID:5016
- - C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    3⤵
    - Executes dropped EXE
    PID:5192
- - C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    3⤵
    - Executes dropped EXE
    PID:5600
- - C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    3⤵
    - Executes dropped EXE
    PID:6044
- - C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    3⤵
    PID:5396
- - C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    3⤵
    PID:3236
- - C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    3⤵
    PID:4596
- - C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    3⤵
    PID:6412
- - C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    3⤵
    PID:7008
- - C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    3⤵
    PID:6652
- - C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    3⤵
    PID:1288
- - C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    3⤵
    PID:5832
- - C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    3⤵
    PID:5660
- - C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    3⤵
    PID:4600
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4600 -s 24
      4⤵
      Program crash
      PID:7432
- - C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    3⤵
    PID:7440
- - C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    3⤵
    PID:7896
- - C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    3⤵
    PID:7452
- - C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    3⤵
    PID:8084
- - C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    3⤵
    PID:8056
- - C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    3⤵
    PID:7484
- - C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    3⤵
    PID:8664
- - C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    3⤵
    PID:4136
- - C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    3⤵
    PID:8716
- - C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    3⤵
    PID:6612
- - C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    3⤵
    PID:9072
- - C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    3⤵
    PID:4292
- - C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    3⤵
    PID:2676
- - C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    3⤵
    PID:9220
- - C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    3⤵
    PID:4200
- - C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    3⤵
    PID:9848
- - C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    3⤵
    PID:9292
- - C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    3⤵
    PID:8500
- - C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    3⤵
    PID:9476
- - C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    3⤵
    PID:10244
- - C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    3⤵
    PID:10596
- - C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    3⤵
    - Executes dropped EXE
    PID:428
- - C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    3⤵
    PID:11168
- - C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    3⤵
    PID:10624
- - C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    3⤵
    PID:4784
- - C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    3⤵
    PID:10052
- - C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    3⤵
    PID:8764
- - C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    3⤵
    PID:4660
- - C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    3⤵
    PID:11592
- - C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    3⤵
    PID:12076
- - C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    3⤵
    - Executes dropped EXE
    PID:4772
- - C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    3⤵
    PID:11500
- - C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    3⤵
    PID:11060
- - C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    3⤵
    PID:3512
- - C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    3⤵
    PID:8228
- - C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    3⤵
    PID:1384
- - C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    3⤵
    PID:12636
- - C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    3⤵
    PID:13068
- - C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    3⤵
    PID:12576
- - C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    3⤵
    PID:13196
- - C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    3⤵
    PID:10520
- - C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    3⤵
    PID:4936
- - C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    3⤵
    PID:4816
- - C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    3⤵
    PID:14492
- - C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    3⤵
    PID:14216
- - C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    3⤵
    PID:15024
- - C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    3⤵
    PID:4824
- - C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    3⤵
    PID:3676
- - C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    3⤵
    PID:15692
- - C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    3⤵
    PID:16336
- - C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    3⤵
    PID:4208
- - C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    3⤵
    PID:16224
- - C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    3⤵
    PID:14288
- - C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    3⤵
    PID:16420
- - C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    3⤵
    PID:17136
- - C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    3⤵
    PID:16924
- - C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    3⤵
    PID:18300
- - C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    3⤵
    PID:18880
- - C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    3⤵
    PID:12440
- - C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    3⤵
    PID:19940
- - C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    3⤵
    PID:18324
- - C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    3⤵
    PID:20172
- - C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    3⤵
    PID:20676
- - C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    3⤵
    PID:17760
- - C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    3⤵
    PID:21376
- - C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    3⤵
    PID:21264
- - C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    3⤵
    PID:21620
- - C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    3⤵
    PID:19044
- - C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    3⤵
    PID:22100
- - C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    3⤵
    PID:22348
- - C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    3⤵
    PID:22728
- - C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    3⤵
    PID:22656
- - C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    3⤵
    PID:21044
- - C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    3⤵
    PID:22044
- - C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    3⤵
    PID:20772
- - C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    3⤵
    PID:24436
- - C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    3⤵
    PID:23852
- - C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    3⤵
    PID:23928
- - C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    3⤵
    PID:21488
- - C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    3⤵
    PID:12456
- - C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    3⤵
    PID:25428
- - C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    3⤵
    PID:22684
- - C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    3⤵
    PID:5796
- - C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    3⤵
    PID:26164
- - C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    3⤵
    PID:25660
- - C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    3⤵
    PID:26220
- - C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    3⤵
    PID:22444
- - C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    3⤵
    PID:21572
- - C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    3⤵
    PID:23100
- - C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    3⤵
    PID:20284
- - C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    3⤵
    PID:20460
- - C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    3⤵
    PID:19172
- - C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    3⤵
    PID:25892
- - C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    3⤵
    PID:14512
- - C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    3⤵
    PID:27048
- - C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    3⤵
    PID:13496
- - C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    3⤵
    PID:24100
- - C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    3⤵
    PID:27236
- - C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    3⤵
    PID:27256
- - C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    3⤵
    PID:27896
- - C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    3⤵
    PID:24032
- - C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    3⤵
    PID:28724
- - C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    3⤵
    PID:29416
- - C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    3⤵
    PID:27704
- - C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    3⤵
    PID:30220
- - C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    3⤵
    PID:30416
- - C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    3⤵
    PID:15312
- - C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    3⤵
    PID:31200
- - C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    3⤵
    PID:31980
- - C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    3⤵
    PID:27152
- - C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    3⤵
    PID:31900
- - C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    3⤵
    PID:24980
- - C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    3⤵
    PID:32400
- - C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    C:\Users\Admin\Documents\1COrfeQjxHKqwZwVS34QX2iZ.exe
    3⤵
    PID:32968
- C:\Users\Admin\Documents\mYh61VoYBDRuCbtABUCVKMFD.exe
  "C:\Users\Admin\Documents\mYh61VoYBDRuCbtABUCVKMFD.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:3116
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\Documents\mYh61VoYBDRuCbtABUCVKMFD.exe"
    3⤵
    PID:6568
- C:\Users\Admin\Documents\VE1KbI7iunAmGNj_JodxMnW5.exe
  "C:\Users\Admin\Documents\VE1KbI7iunAmGNj_JodxMnW5.exe"
  2⤵
  - Executes dropped EXE
  PID:1676
- C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
  "C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:3828
- - C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    3⤵
    - Executes dropped EXE
    PID:4812
- - C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    3⤵
    - Executes dropped EXE
    PID:5264
- - C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    3⤵
    PID:5948
- - C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    3⤵
    PID:1900
- - C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    3⤵
    PID:5056
- - C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    3⤵
    PID:6708
- - C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    3⤵
    PID:6364
- - C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    3⤵
    PID:2156
- - C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    3⤵
    PID:6184
- - C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    3⤵
    PID:1644
- - C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    3⤵
    PID:6672
- - C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    3⤵
    PID:7768
- - C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    3⤵
    PID:7204
- - C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    3⤵
    PID:7308
- - C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    3⤵
    PID:4156
- - C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    3⤵
    PID:7888
- - C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    3⤵
    PID:4600
- - C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    3⤵
    PID:7668
- - C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    3⤵
    PID:8456
- - C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    3⤵
    PID:8980
- - C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    3⤵
    PID:6836
- - C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    3⤵
    PID:9140
- - C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    3⤵
    PID:8712
- - C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    3⤵
    PID:6660
- - C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    3⤵
    PID:7036
- - C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    3⤵
    PID:6392
- - C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    3⤵
    PID:3984
- - C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    3⤵
    PID:7872
- - C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    3⤵
    PID:9484
- - C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    3⤵
    PID:10016
- - C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    3⤵
    PID:9652
- - C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    3⤵
    PID:9328
- - C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    3⤵
    - Executes dropped EXE
    PID:5888
- - C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    3⤵
    PID:9532
- - C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    3⤵
    - Executes dropped EXE
    PID:5376
- - C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    3⤵
    PID:8468
- - C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    3⤵
    - Executes dropped EXE
    PID:4000
- - C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    3⤵
    PID:10588
- - C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    3⤵
    PID:11068
- - C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    3⤵
    PID:10540
- - C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    3⤵
    - Executes dropped EXE
    PID:4852
- - C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    3⤵
    PID:11128
- - C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    3⤵
    PID:10716
- - C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    3⤵
    PID:5560
- - C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    3⤵
    PID:11364
- - C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    3⤵
    - Executes dropped EXE
    PID:5076
- - C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    3⤵
    PID:11856
- - C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    3⤵
    - Executes dropped EXE
    PID:4756
- - C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    3⤵
    PID:11296
- - C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    3⤵
    PID:12036
- - C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    3⤵
    PID:11796
- - C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    3⤵
    PID:592
- - C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    3⤵
    PID:9880
- - C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    3⤵
    PID:308
- - C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    3⤵
    PID:12520
- - C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    3⤵
    PID:12996
- - C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    3⤵
    PID:12364
- - C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    3⤵
    PID:13056
- - C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    3⤵
    PID:12552
- - C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    3⤵
    PID:13260
- - C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    3⤵
    PID:13336
- - C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    3⤵
    PID:14136
- - C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    3⤵
    PID:11720
- - C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    3⤵
    PID:14680
- - C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    3⤵
    PID:14352
- - C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    3⤵
    PID:15244
- - C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    3⤵
    PID:15308
- - C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    3⤵
    PID:12492
- - C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    3⤵
    PID:12476
- - C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    3⤵
    PID:9640
- - C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    3⤵
    PID:16376
- - C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    3⤵
    PID:15636
- - C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    3⤵
    PID:8500
- - C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    3⤵
    PID:16012
- - C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    3⤵
    PID:6388
- - C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    3⤵
    PID:17676
- - C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    3⤵
    PID:19140
- - C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    3⤵
    PID:14052
- - C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    3⤵
    PID:16792
- - C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    3⤵
    PID:19096
- - C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    3⤵
    PID:19900
- - C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    3⤵
    PID:19420
- - C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    3⤵
    PID:20240
- - C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    3⤵
    PID:17788
- - C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    3⤵
    PID:17712
- - C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    3⤵
    PID:18416
- - C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    3⤵
    PID:21972
- - C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    3⤵
    PID:20644
- - C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    3⤵
    PID:22688
- - C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    3⤵
    PID:22376
- - C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    3⤵
    PID:23408
- - C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    3⤵
    PID:19440
- - C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    3⤵
    PID:18976
- - C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    3⤵
    PID:22732
- - C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    3⤵
    PID:20900
- - C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    3⤵
    PID:23668
- - C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    3⤵
    PID:24244
- - C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    3⤵
    PID:23884
- - C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    3⤵
    PID:24472
- - C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    3⤵
    PID:25388
- - C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    3⤵
    PID:25212
- - C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    3⤵
    PID:19628
- - C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    3⤵
    PID:23120
- - C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    3⤵
    PID:25236
- - C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    3⤵
    PID:24016
- - C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    3⤵
    PID:26196
- - C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    3⤵
    PID:25344
- - C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    3⤵
    PID:13860
- - C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    3⤵
    PID:21364
- - C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    3⤵
    PID:22416
- - C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    3⤵
    PID:20920
- - C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    3⤵
    PID:22460
- - C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    3⤵
    PID:22096
- - C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    3⤵
    PID:20536
- - C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    3⤵
    PID:20352
- - C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    3⤵
    PID:17264
- - C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    3⤵
    PID:22252
- - C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    3⤵
    PID:16584
- - C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    3⤵
    PID:26964
- - C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    3⤵
    PID:27460
- - C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    3⤵
    PID:26944
- - C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    3⤵
    PID:27496
- - C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    3⤵
    PID:20672
- - C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    3⤵
    PID:28392
- - C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    3⤵
    PID:28444
- - C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    3⤵
    PID:28888
- - C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    3⤵
    PID:28428
- - C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    3⤵
    PID:24464
- - C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    3⤵
    PID:30200
- - C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    3⤵
    PID:25676
- - C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    3⤵
    PID:16332
- - C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    3⤵
    PID:31280
- - C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    3⤵
    PID:30880
- - C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    3⤵
    PID:26512
- - C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    3⤵
    PID:19432
- - C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    3⤵
    PID:28236
- - C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    3⤵
    PID:32220
- - C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    C:\Users\Admin\Documents\NOBO1YuDRApbUkmKXmVPM9_U.exe
    3⤵
    PID:31220
- C:\Users\Admin\Documents\j9RDqe9Vv9u2TZutPmelii44.exe
  "C:\Users\Admin\Documents\j9RDqe9Vv9u2TZutPmelii44.exe"
  2⤵
  - Executes dropped EXE
  PID:1168
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1168 -s 656
    3⤵
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4100
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1168 -s 628
    3⤵
    - Program crash
    - Suspicious use of AdjustPrivilegeToken
    PID:5284
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1168 -s 712
    3⤵
    - Program crash
    PID:5700
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1168 -s 1036
    3⤵
    - Program crash
    PID:6024
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1168 -s 1132
    3⤵
    - Program crash
    PID:5056
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1168 -s 1224
    3⤵
    - Program crash
    PID:6384
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1168 -s 1304
    3⤵
    - Program crash
    PID:6300
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1168 -s 1232
    3⤵
    - Program crash
    PID:6948
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1168 -s 672
    3⤵
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3076
- C:\Users\Admin\Documents\HwLYjYmgIcI3kf4orSR4pDSD.exe
  "C:\Users\Admin\Documents\HwLYjYmgIcI3kf4orSR4pDSD.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:2080
- - C:\Users\Admin\Documents\HwLYjYmgIcI3kf4orSR4pDSD.exe
    "C:\Users\Admin\Documents\HwLYjYmgIcI3kf4orSR4pDSD.exe"
    3⤵
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    PID:4268
- C:\Users\Admin\Documents\B2yNZfzCmsDLlHaMUMvrc2Va.exe
  "C:\Users\Admin\Documents\B2yNZfzCmsDLlHaMUMvrc2Va.exe"
  2⤵
  - Executes dropped EXE
  PID:2492
- - C:\Users\Admin\Documents\B2yNZfzCmsDLlHaMUMvrc2Va.exe
    "C:\Users\Admin\Documents\B2yNZfzCmsDLlHaMUMvrc2Va.exe"
    3⤵
    PID:7416
- C:\Users\Admin\Documents\T5K7goVVqqrcVagS9bkD14By.exe
  "C:\Users\Admin\Documents\T5K7goVVqqrcVagS9bkD14By.exe"
  2⤵
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of AdjustPrivilegeToken
  PID:908
- C:\Users\Admin\Documents\r8O_DGHrie9WRpv8ExBQ7NX2.exe
  "C:\Users\Admin\Documents\r8O_DGHrie9WRpv8ExBQ7NX2.exe"
  2⤵
  - Executes dropped EXE
  PID:1500
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1500 -s 384
    3⤵
    - Program crash
    PID:5064
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1500 -s 392
    3⤵
    - Program crash
    PID:1892
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1500 -s 440
    3⤵
    - Program crash
    PID:1000
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1500 -s 656
    3⤵
    - Program crash
    PID:6612
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1500 -s 692
    3⤵
    - Program crash
    PID:7532
- C:\Users\Admin\Documents\DlJrJhyZOqBjUoeEUMVOmrRb.exe
  "C:\Users\Admin\Documents\DlJrJhyZOqBjUoeEUMVOmrRb.exe"
  2⤵
  - Executes dropped EXE
  PID:208
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\KBAvfsr.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\KBAvfsr.exe"
    3⤵
    - Executes dropped EXE
    PID:4236
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4236 -s 256
      4⤵
      Program crash
      PID:4408
- C:\Users\Admin\Documents\76Z5YZz6L7UYUVrkuj4dVkh1.exe
  "C:\Users\Admin\Documents\76Z5YZz6L7UYUVrkuj4dVkh1.exe"
  2⤵
  - Executes dropped EXE
  PID:644
- - C:\Users\Admin\Documents\76Z5YZz6L7UYUVrkuj4dVkh1.exe
    "C:\Users\Admin\Documents\76Z5YZz6L7UYUVrkuj4dVkh1.exe" -u
    3⤵
    - Executes dropped EXE
    PID:4888
- C:\Users\Admin\Documents\9uc3L9Nbj3YxONtj4lXG5Ygd.exe
  "C:\Users\Admin\Documents\9uc3L9Nbj3YxONtj4lXG5Ygd.exe"
  2⤵
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of AdjustPrivilegeToken
  PID:2268
- C:\Users\Admin\Documents\ZR2BtvCAI1oYcLl8ZPYrxeH3.exe
  "C:\Users\Admin\Documents\ZR2BtvCAI1oYcLl8ZPYrxeH3.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:2308
- - C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
    "C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"
    3⤵
    - Executes dropped EXE
    PID:4372
- - C:\Program Files (x86)\Company\NewProduct\cutm3.exe
    "C:\Program Files (x86)\Company\NewProduct\cutm3.exe"
    3⤵
    - Executes dropped EXE
    PID:4344
- - C:\Program Files (x86)\Company\NewProduct\inst001.exe
    "C:\Program Files (x86)\Company\NewProduct\inst001.exe"
    3⤵
    - Executes dropped EXE
    PID:4320
- C:\Users\Admin\Documents\T3AnHHlDI8evrL8ZvmvMCni2.exe
  "C:\Users\Admin\Documents\T3AnHHlDI8evrL8ZvmvMCni2.exe"
  2⤵
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of AdjustPrivilegeToken
  PID:2328
- C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
  "C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:1808
- - C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    3⤵
    - Executes dropped EXE
    PID:4780
- - C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    3⤵
    - Executes dropped EXE
    PID:5440
- - C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    3⤵
    - Executes dropped EXE
    PID:5936
- - C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    3⤵
    PID:5688
- - C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    3⤵
    PID:6304
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 6304 -s 24
      4⤵
      Program crash
      PID:6936
- - C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    3⤵
    PID:6828
- - C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    3⤵
    PID:6424
- - C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    3⤵
    PID:2412
- - C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    3⤵
    PID:2648
- - C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    3⤵
    PID:5032
- - C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    3⤵
    PID:7092
- - C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    3⤵
    PID:7348
- - C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    3⤵
    PID:7796
- - C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    3⤵
    PID:7280
- - C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    3⤵
    PID:3624
- - C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    3⤵
    PID:1840
- - C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    3⤵
    PID:5960
- - C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    3⤵
    PID:5484
- - C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    3⤵
    PID:8384
- - C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    3⤵
    PID:8928
- - C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    3⤵
    PID:8324
- - C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    3⤵
    PID:8968
- - C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    3⤵
    PID:8496
- - C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    3⤵
    PID:3668
- - C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    3⤵
    PID:6648
- - C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    3⤵
    PID:8652
- - C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    3⤵
    PID:9264
- - C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    3⤵
    PID:5516
- - C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    3⤵
    PID:9776
- - C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    3⤵
    PID:8128
- - C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    3⤵
    PID:9316
- - C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    3⤵
    PID:5700
- - C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    3⤵
    PID:5316
- - C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    3⤵
    PID:7412
- - C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    3⤵
    PID:7848
- - C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    3⤵
    PID:6776
- - C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    3⤵
    - Executes dropped EXE
    PID:4428
- - C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    3⤵
    PID:10436
- - C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    3⤵
    PID:10804
- - C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    3⤵
    PID:7432
- - C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    3⤵
    - Executes dropped EXE
    PID:2788
- - C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    3⤵
    PID:9196
- - C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    3⤵
    PID:10524
- - C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    3⤵
    PID:10820
- - C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    3⤵
    - Executes dropped EXE
    PID:4724
- - C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    3⤵
    PID:6988
- - C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    3⤵
    PID:11572
- - C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    3⤵
    - Executes dropped EXE
    PID:5008
- - C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    3⤵
    PID:11956
- - C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    3⤵
    PID:11380
- - C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    3⤵
    PID:12148
- - C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    3⤵
    PID:4440
- - C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    3⤵
    PID:11788
- - C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    3⤵
    PID:1620
- - C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    3⤵
    PID:12348
- - C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    3⤵
    PID:12812
- - C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    3⤵
    PID:13248
- - C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    3⤵
    PID:12360
- - C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    3⤵
    PID:13212
- - C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    3⤵
    PID:12672
- - C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    3⤵
    PID:11224
- - C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    3⤵
    PID:14288
- - C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    3⤵
    PID:14400
- - C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    3⤵
    PID:14232
- - C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    3⤵
    PID:14808
- - C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    3⤵
    PID:15356
- - C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    3⤵
    PID:2144
- - C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    3⤵
    PID:12388
- - C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    3⤵
    PID:15048
- - C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    3⤵
    PID:15520
- - C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    3⤵
    PID:16300
- - C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    3⤵
    PID:12032
- - C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    3⤵
    PID:12752
- - C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    3⤵
    PID:4412
- - C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    3⤵
    PID:17624
- - C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    3⤵
    PID:18952
- - C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    3⤵
    - Executes dropped EXE
    PID:4784
- - C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    3⤵
    PID:16544
- - C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    3⤵
    PID:20080
- - C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    3⤵
    PID:19572
- - C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    3⤵
    PID:20764
- - C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    3⤵
    PID:17288
- - C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    3⤵
    PID:21820
- - C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    3⤵
    PID:21520
- - C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    3⤵
    PID:20788
- - C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    3⤵
    PID:21988
- - C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    3⤵
    PID:13840
- - C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    3⤵
    PID:22716
- - C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    3⤵
    PID:22332
- - C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    3⤵
    PID:20588
- - C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    3⤵
    PID:18376
- - C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    3⤵
    PID:23292
- - C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    3⤵
    PID:9372
- - C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    3⤵
    PID:23348
- - C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    3⤵
    PID:23800
- - C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    3⤵
    PID:24664
- - C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    3⤵
    PID:25044
- - C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    3⤵
    PID:24988
- - C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    3⤵
    PID:24460
- - C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    3⤵
    PID:24448
- - C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    3⤵
    PID:17720
- - C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    3⤵
    PID:25900
- - C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    3⤵
    PID:23892
- - C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    3⤵
    PID:26568
- - C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    3⤵
    PID:26092
- - C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    3⤵
    PID:21036
- - C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    3⤵
    PID:25700
- - C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    3⤵
    PID:21608
- - C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    3⤵
    PID:23732
- - C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    3⤵
    PID:13720
- - C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    3⤵
    PID:20212
- - C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    3⤵
    PID:19348
- - C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    3⤵
    PID:18156
- - C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    3⤵
    PID:23692
- - C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    3⤵
    PID:17224
- - C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    3⤵
    PID:16452
- - C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    3⤵
    PID:26680
- - C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    3⤵
    PID:15976
- - C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    3⤵
    PID:13616
- - C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    3⤵
    PID:27392
- - C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    3⤵
    PID:26908
- - C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    3⤵
    PID:27232
- - C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    3⤵
    PID:28168
- - C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    3⤵
    PID:27332
- - C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    3⤵
    PID:28296
- - C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    3⤵
    PID:29016
- - C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    3⤵
    PID:29988
- - C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    3⤵
    PID:30560
- - C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    3⤵
    PID:24116
- - C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    3⤵
    PID:30204
- - C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    3⤵
    PID:26848
- - C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    3⤵
    PID:31376
- - C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    3⤵
    PID:31696
- - C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    3⤵
    PID:32288
- - C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    3⤵
    PID:32164
- - C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    3⤵
    PID:32368
- - C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    3⤵
    PID:26272
- - C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    C:\Users\Admin\Documents\Jf3nQl9M_Fd774xpoBNHVzFR.exe
    3⤵
    PID:32300
- C:\Users\Admin\Documents\CWMyuWT7TBUeMOjjKUeQOcls.exe
  "C:\Users\Admin\Documents\CWMyuWT7TBUeMOjjKUeQOcls.exe"
  2⤵
  - Executes dropped EXE
  PID:200
- C:\Users\Admin\Documents\UTtFxUwBymLVLE3PHvGEl_PW.exe
  "C:\Users\Admin\Documents\UTtFxUwBymLVLE3PHvGEl_PW.exe"
  2⤵
  - Executes dropped EXE
  PID:3664
- - C:\Users\Admin\Documents\UTtFxUwBymLVLE3PHvGEl_PW.exe
    "C:\Users\Admin\Documents\UTtFxUwBymLVLE3PHvGEl_PW.exe"
    3⤵
    PID:6204
- C:\Users\Admin\Documents\tJ8D3S9AV0qsxHCKNdJ8w5rK.exe
  "C:\Users\Admin\Documents\tJ8D3S9AV0qsxHCKNdJ8w5rK.exe"
  2⤵
  - Executes dropped EXE
  PID:4028
- - C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\System32\mshta.exe" VbsCrIPt: cLOSe( CREAteobjecT ("wScRiPT.ShElL" ).RUN ( "C:\Windows\system32\cmd.exe /C tYpe ""C:\Users\Admin\Documents\tJ8D3S9AV0qsxHCKNdJ8w5rK.exe"" > IQ0V_Fe_.eXE && StaRt IQ0v_FE_.ExE -poRsuYEMryiLi & if """"== """" for %m in ( ""C:\Users\Admin\Documents\tJ8D3S9AV0qsxHCKNdJ8w5rK.exe"" ) do taskkill /iM ""%~NXm"" -F" ,0 , TRUE ))
    3⤵
    PID:4400
- C:\Users\Admin\Documents\JeuegkOl9zBxFw6VJ6g9AAco.exe
  "C:\Users\Admin\Documents\JeuegkOl9zBxFw6VJ6g9AAco.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:3480
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:4596
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:5064
- C:\Users\Admin\Documents\wyUgayLTtPpf1XiVbNAgPsz3.exe
  "C:\Users\Admin\Documents\wyUgayLTtPpf1XiVbNAgPsz3.exe"
  2⤵
  - Executes dropped EXE
  PID:4820
- - C:\Users\Admin\AppData\Local\Temp\is-GG1V4.tmp\wyUgayLTtPpf1XiVbNAgPsz3.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-GG1V4.tmp\wyUgayLTtPpf1XiVbNAgPsz3.tmp" /SL5="$3029A,138429,56832,C:\Users\Admin\Documents\wyUgayLTtPpf1XiVbNAgPsz3.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of FindShellTrayWindow
    PID:4912
  - - C:\Users\Admin\AppData\Local\Temp\is-K3BGI.tmp\Setup.exe
      "C:\Users\Admin\AppData\Local\Temp\is-K3BGI.tmp\Setup.exe" /Verysilent
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      PID:5592
    - - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        5⤵
        
        PID:220
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:6472
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:6904
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:6620
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:6436
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:5648
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:6304
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:4400
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:7744
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:7404
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:7296
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:7980
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7980 -s 160
        7⤵
        Program crash
        
        PID:8052
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:8116
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:936
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:8600
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:9032
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:8432
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:748
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:8796
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:9212
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:6324
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:5036
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:7864
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:6700
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:9724
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:5100
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:9668
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:9932
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:7396
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:10528
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:10932
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:10516
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:8540
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:4588
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:8840
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:5228
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:11740
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:12176
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:11716
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:11288
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:9428
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:4936
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:4416
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:12380
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:12852
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:12376
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:12764
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:11148
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:13132
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:10288
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:14360
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:12368
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:14780
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:13984
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:15340
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:15132
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:7724
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:14656
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:15576
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:16184
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:15804
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:15912
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:10164
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:192
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:16520
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:17400
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:17948
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:17344
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:19196
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:11508
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:20056
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:19472
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:20428
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:21120
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:11492
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:21732
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:22476
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:22048
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:22700
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:23416
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:440
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:22688
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:21872
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:4124
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:23844
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:10468
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:24112
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:19672
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:24048
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:25584
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:25420
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:25092
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:24236
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:25884
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:26556
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:21456
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:26068
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:20036
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:25892
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:26488
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:25784
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:20560
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:20408
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:12240
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:19220
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:14172
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:17084
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:26656
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:27320
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:25564
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:24892
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:22952
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:28084
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:28928
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:28092
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:30232
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:15896
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:26376
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:24408
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:31400
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:27628
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:31060
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:31188
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:29096
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:28260
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:32716
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:25920
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:32956
    - - C:\Program Files (x86)\SmartPDF\SmartPDF\lg.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\lg.exe"
        5⤵
        
        PID:4588
      - C:\Program Files (x86)\SmartPDF\SmartPDF\lg.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\lg.exe" -a
        6⤵
        
        PID:6924
    - - C:\Program Files (x86)\SmartPDF\SmartPDF\stats.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\stats.exe" /Verysilent
        5⤵
        
        PID:2676
      - C:\Users\Admin\AppData\Local\Temp\is-C7CS0.tmp\stats.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-C7CS0.tmp\stats.tmp" /SL5="$203BA,138429,56832,C:\Program Files (x86)\SmartPDF\SmartPDF\stats.exe" /Verysilent
        6⤵
        
        PID:6024
        
        C:\Users\Admin\AppData\Local\Temp\is-UN9OV.tmp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-UN9OV.tmp\Setup.exe" /Verysilent
        7⤵
        
        PID:8464
        
        C:\Users\Admin\Documents\ufgZzMd7LgL_yglK1Qiipj1E.exe
        
        "C:\Users\Admin\Documents\ufgZzMd7LgL_yglK1Qiipj1E.exe"
        8⤵
        
        PID:11276
        
        C:\Users\Admin\Documents\0JELgDPZrJVoXIfi8_QURpRJ.exe
        
        "C:\Users\Admin\Documents\0JELgDPZrJVoXIfi8_QURpRJ.exe"
        8⤵
        
        PID:12232
        
        C:\Users\Admin\Documents\0JELgDPZrJVoXIfi8_QURpRJ.exe
        
        "C:\Users\Admin\Documents\0JELgDPZrJVoXIfi8_QURpRJ.exe"
        9⤵
        
        PID:5468
        
        C:\Users\Admin\Documents\QZ8IGYxEhD1UIs0yfnpGNym8.exe
        
        "C:\Users\Admin\Documents\QZ8IGYxEhD1UIs0yfnpGNym8.exe"
        8⤵
        
        PID:11584
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" VbsCrIPt: cLOSe( CREAteobjecT ("wScRiPT.ShElL" ).RUN ( "C:\Windows\system32\cmd.exe /C tYpe ""C:\Users\Admin\Documents\QZ8IGYxEhD1UIs0yfnpGNym8.exe"" > IQ0V_Fe_.eXE && StaRt IQ0v_FE_.ExE -poRsuYEMryiLi & if """"== """" for %m in ( ""C:\Users\Admin\Documents\QZ8IGYxEhD1UIs0yfnpGNym8.exe"" ) do taskkill /iM ""%~NXm"" -F" ,0 , TRUE ))
        9⤵
        
        PID:5744
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /C tYpe "C:\Users\Admin\Documents\QZ8IGYxEhD1UIs0yfnpGNym8.exe" > IQ0V_Fe_.eXE && StaRt IQ0v_FE_.ExE -poRsuYEMryiLi& if ""== "" for %m in ("C:\Users\Admin\Documents\QZ8IGYxEhD1UIs0yfnpGNym8.exe" ) do taskkill /iM "%~NXm" -F
        10⤵
        
        PID:12560
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /iM "QZ8IGYxEhD1UIs0yfnpGNym8.exe" -F
        11⤵
        Kills process with taskkill
        
        PID:14344
        
        C:\Users\Admin\Documents\pQRpXejL_3Bn5mMKCSKfOrcn.exe
        
        "C:\Users\Admin\Documents\pQRpXejL_3Bn5mMKCSKfOrcn.exe"
        8⤵
        
        PID:2348
        
        C:\Users\Admin\Documents\ILXOj7SWLNRw3ji5XG3o6DYO.exe
        
        "C:\Users\Admin\Documents\ILXOj7SWLNRw3ji5XG3o6DYO.exe"
        8⤵
        
        PID:1352
        
        C:\Users\Admin\Documents\ezP619ZlGP5i8umc5nQr25Vh.exe
        
        "C:\Users\Admin\Documents\ezP619ZlGP5i8umc5nQr25Vh.exe"
        8⤵
        
        PID:2516
        
        C:\Users\Admin\Documents\rqa95gfOfeYQ6EZ5NVAkQsnA.exe
        
        "C:\Users\Admin\Documents\rqa95gfOfeYQ6EZ5NVAkQsnA.exe"
        8⤵
        
        PID:11884
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
        9⤵
        Creates scheduled task(s)
        
        PID:23744
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
        9⤵
        Creates scheduled task(s)
        
        PID:23736
        
        C:\Users\Admin\Documents\JHLNTG324sPZ60pTX8hwG1Fi.exe
        
        "C:\Users\Admin\Documents\JHLNTG324sPZ60pTX8hwG1Fi.exe"
        8⤵
        
        PID:13520
        
        C:\Users\Admin\Documents\JHLNTG324sPZ60pTX8hwG1Fi.exe
        
        "C:\Users\Admin\Documents\JHLNTG324sPZ60pTX8hwG1Fi.exe"
        9⤵
        
        PID:12972
        
        C:\Users\Admin\Documents\JHLNTG324sPZ60pTX8hwG1Fi.exe
        
        "C:\Users\Admin\Documents\JHLNTG324sPZ60pTX8hwG1Fi.exe"
        9⤵
        
        PID:19296
        
        C:\Users\Admin\Documents\3UYcGvnJ6nvLjGPwhDJXkStk.exe
        
        "C:\Users\Admin\Documents\3UYcGvnJ6nvLjGPwhDJXkStk.exe"
        8⤵
        
        PID:13936
        
        C:\Users\Admin\AppData\Local\Temp\is-Q77N3.tmp\3UYcGvnJ6nvLjGPwhDJXkStk.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-Q77N3.tmp\3UYcGvnJ6nvLjGPwhDJXkStk.tmp" /SL5="$306DA,138429,56832,C:\Users\Admin\Documents\3UYcGvnJ6nvLjGPwhDJXkStk.exe"
        9⤵
        
        PID:13580
        
        C:\Users\Admin\Documents\7Yt1F3MgSvn94oqYnYMEgYPn.exe
        
        "C:\Users\Admin\Documents\7Yt1F3MgSvn94oqYnYMEgYPn.exe"
        8⤵
        
        PID:11432
        
        C:\Users\Admin\Documents\ayKubWW6GBIfQnnvjIxzW6Hr.exe
        
        "C:\Users\Admin\Documents\ayKubWW6GBIfQnnvjIxzW6Hr.exe"
        8⤵
        
        PID:13204
        
        C:\Users\Admin\Documents\HZAHc14yFpoeLWsBJtcJIkVw.exe
        
        "C:\Users\Admin\Documents\HZAHc14yFpoeLWsBJtcJIkVw.exe"
        8⤵
        
        PID:12112
        
        C:\Users\Admin\Documents\HZAHc14yFpoeLWsBJtcJIkVw.exe
        
        "C:\Users\Admin\Documents\HZAHc14yFpoeLWsBJtcJIkVw.exe" -u
        9⤵
        
        PID:12976
        
        C:\Users\Admin\Documents\RgIgbronvaqU3qWH_SZMWrQL.exe
        
        "C:\Users\Admin\Documents\RgIgbronvaqU3qWH_SZMWrQL.exe"
        8⤵
        
        PID:13512
        
        C:\Users\Admin\Documents\A1k4w0vHCoptJuG7rVbST0rZ.exe
        
        "C:\Users\Admin\Documents\A1k4w0vHCoptJuG7rVbST0rZ.exe"
        8⤵
        
        PID:13504
        
        C:\Users\Admin\Documents\DBGXLt_16NpBL2Wf3sCfOhOt.exe
        
        "C:\Users\Admin\Documents\DBGXLt_16NpBL2Wf3sCfOhOt.exe"
        8⤵
        
        PID:13484
        
        C:\Users\Admin\Documents\eZsEdYXR158VP1yHPWrHH5av.exe
        
        "C:\Users\Admin\Documents\eZsEdYXR158VP1yHPWrHH5av.exe"
        8⤵
        
        PID:13100
        
        C:\Users\Admin\Documents\eZsEdYXR158VP1yHPWrHH5av.exe
        
        C:\Users\Admin\Documents\eZsEdYXR158VP1yHPWrHH5av.exe
        9⤵
        
        PID:27360
        
        C:\Users\Admin\Documents\eZsEdYXR158VP1yHPWrHH5av.exe
        
        C:\Users\Admin\Documents\eZsEdYXR158VP1yHPWrHH5av.exe
        9⤵
        
        PID:26984
        
        C:\Users\Admin\Documents\eZsEdYXR158VP1yHPWrHH5av.exe
        
        C:\Users\Admin\Documents\eZsEdYXR158VP1yHPWrHH5av.exe
        9⤵
        
        PID:26752
        
        C:\Users\Admin\Documents\eZsEdYXR158VP1yHPWrHH5av.exe
        
        C:\Users\Admin\Documents\eZsEdYXR158VP1yHPWrHH5av.exe
        9⤵
        
        PID:26468
        
        C:\Users\Admin\Documents\eZsEdYXR158VP1yHPWrHH5av.exe
        
        C:\Users\Admin\Documents\eZsEdYXR158VP1yHPWrHH5av.exe
        9⤵
        
        PID:28228
        
        C:\Users\Admin\Documents\eZsEdYXR158VP1yHPWrHH5av.exe
        
        C:\Users\Admin\Documents\eZsEdYXR158VP1yHPWrHH5av.exe
        9⤵
        
        PID:29036
        
        C:\Users\Admin\Documents\eZsEdYXR158VP1yHPWrHH5av.exe
        
        C:\Users\Admin\Documents\eZsEdYXR158VP1yHPWrHH5av.exe
        9⤵
        
        PID:28152
        
        C:\Users\Admin\Documents\eZsEdYXR158VP1yHPWrHH5av.exe
        
        C:\Users\Admin\Documents\eZsEdYXR158VP1yHPWrHH5av.exe
        9⤵
        
        PID:29392
        
        C:\Users\Admin\Documents\eZsEdYXR158VP1yHPWrHH5av.exe
        
        C:\Users\Admin\Documents\eZsEdYXR158VP1yHPWrHH5av.exe
        9⤵
        
        PID:30188
        
        C:\Users\Admin\Documents\eZsEdYXR158VP1yHPWrHH5av.exe
        
        C:\Users\Admin\Documents\eZsEdYXR158VP1yHPWrHH5av.exe
        9⤵
        
        PID:29024
        
        C:\Users\Admin\Documents\eZsEdYXR158VP1yHPWrHH5av.exe
        
        C:\Users\Admin\Documents\eZsEdYXR158VP1yHPWrHH5av.exe
        9⤵
        
        PID:31364
        
        C:\Users\Admin\Documents\eZsEdYXR158VP1yHPWrHH5av.exe
        
        C:\Users\Admin\Documents\eZsEdYXR158VP1yHPWrHH5av.exe
        9⤵
        
        PID:31060
        
        C:\Users\Admin\Documents\eZsEdYXR158VP1yHPWrHH5av.exe
        
        C:\Users\Admin\Documents\eZsEdYXR158VP1yHPWrHH5av.exe
        9⤵
        
        PID:28580
        
        C:\Users\Admin\Documents\eZsEdYXR158VP1yHPWrHH5av.exe
        
        C:\Users\Admin\Documents\eZsEdYXR158VP1yHPWrHH5av.exe
        9⤵
        
        PID:30064
        
        C:\Users\Admin\Documents\eZsEdYXR158VP1yHPWrHH5av.exe
        
        C:\Users\Admin\Documents\eZsEdYXR158VP1yHPWrHH5av.exe
        9⤵
        
        PID:31032
        
        C:\Users\Admin\Documents\eZsEdYXR158VP1yHPWrHH5av.exe
        
        C:\Users\Admin\Documents\eZsEdYXR158VP1yHPWrHH5av.exe
        9⤵
        
        PID:28476
        
        C:\Users\Admin\Documents\eZsEdYXR158VP1yHPWrHH5av.exe
        
        C:\Users\Admin\Documents\eZsEdYXR158VP1yHPWrHH5av.exe
        9⤵
        
        PID:28636
        
        C:\Users\Admin\Documents\eZsEdYXR158VP1yHPWrHH5av.exe
        
        C:\Users\Admin\Documents\eZsEdYXR158VP1yHPWrHH5av.exe
        9⤵
        
        PID:31784
        
        C:\Users\Admin\Documents\eZsEdYXR158VP1yHPWrHH5av.exe
        
        C:\Users\Admin\Documents\eZsEdYXR158VP1yHPWrHH5av.exe
        9⤵
        
        PID:30120
        
        C:\Users\Admin\Documents\6Ah2ev5a7S0G9D9rCbgoaslB.exe
        
        "C:\Users\Admin\Documents\6Ah2ev5a7S0G9D9rCbgoaslB.exe"
        8⤵
        
        PID:11176
        
        C:\Users\Admin\Documents\z5WfCckAb73qW5mTN9i0J1Gp.exe
        
        "C:\Users\Admin\Documents\z5WfCckAb73qW5mTN9i0J1Gp.exe"
        8⤵
        
        PID:12676
        
        C:\Users\Admin\Documents\H1z13_sV_EMgHkh52CuOmHx0.exe
        
        "C:\Users\Admin\Documents\H1z13_sV_EMgHkh52CuOmHx0.exe"
        8⤵
        
        PID:10964
        
        C:\Users\Admin\Documents\KrC9bR5BPIFtGZTIzkBpXI8S.exe
        
        "C:\Users\Admin\Documents\KrC9bR5BPIFtGZTIzkBpXI8S.exe"
        8⤵
        
        PID:6852
        
        C:\Users\Admin\Documents\KrC9bR5BPIFtGZTIzkBpXI8S.exe
        
        C:\Users\Admin\Documents\KrC9bR5BPIFtGZTIzkBpXI8S.exe
        9⤵
        
        PID:26904
        
        C:\Users\Admin\Documents\KrC9bR5BPIFtGZTIzkBpXI8S.exe
        
        C:\Users\Admin\Documents\KrC9bR5BPIFtGZTIzkBpXI8S.exe
        9⤵
        
        PID:27108
        
        C:\Users\Admin\Documents\KrC9bR5BPIFtGZTIzkBpXI8S.exe
        
        C:\Users\Admin\Documents\KrC9bR5BPIFtGZTIzkBpXI8S.exe
        9⤵
        
        PID:27220
        
        C:\Users\Admin\Documents\KrC9bR5BPIFtGZTIzkBpXI8S.exe
        
        C:\Users\Admin\Documents\KrC9bR5BPIFtGZTIzkBpXI8S.exe
        9⤵
        
        PID:28268
        
        C:\Users\Admin\Documents\KrC9bR5BPIFtGZTIzkBpXI8S.exe
        
        C:\Users\Admin\Documents\KrC9bR5BPIFtGZTIzkBpXI8S.exe
        9⤵
        
        PID:28984
        
        C:\Users\Admin\Documents\KrC9bR5BPIFtGZTIzkBpXI8S.exe
        
        C:\Users\Admin\Documents\KrC9bR5BPIFtGZTIzkBpXI8S.exe
        9⤵
        
        PID:26292
        
        C:\Users\Admin\Documents\KrC9bR5BPIFtGZTIzkBpXI8S.exe
        
        C:\Users\Admin\Documents\KrC9bR5BPIFtGZTIzkBpXI8S.exe
        9⤵
        
        PID:28916
        
        C:\Users\Admin\Documents\KrC9bR5BPIFtGZTIzkBpXI8S.exe
        
        C:\Users\Admin\Documents\KrC9bR5BPIFtGZTIzkBpXI8S.exe
        9⤵
        
        PID:30212
        
        C:\Users\Admin\Documents\KrC9bR5BPIFtGZTIzkBpXI8S.exe
        
        C:\Users\Admin\Documents\KrC9bR5BPIFtGZTIzkBpXI8S.exe
        9⤵
        
        PID:22412
        
        C:\Users\Admin\Documents\KrC9bR5BPIFtGZTIzkBpXI8S.exe
        
        C:\Users\Admin\Documents\KrC9bR5BPIFtGZTIzkBpXI8S.exe
        9⤵
        
        PID:27848
        
        C:\Users\Admin\Documents\KrC9bR5BPIFtGZTIzkBpXI8S.exe
        
        C:\Users\Admin\Documents\KrC9bR5BPIFtGZTIzkBpXI8S.exe
        9⤵
        
        PID:29640
        
        C:\Users\Admin\Documents\KrC9bR5BPIFtGZTIzkBpXI8S.exe
        
        C:\Users\Admin\Documents\KrC9bR5BPIFtGZTIzkBpXI8S.exe
        9⤵
        
        PID:26972
        
        C:\Users\Admin\Documents\KrC9bR5BPIFtGZTIzkBpXI8S.exe
        
        C:\Users\Admin\Documents\KrC9bR5BPIFtGZTIzkBpXI8S.exe
        9⤵
        
        PID:31324
        
        C:\Users\Admin\Documents\KrC9bR5BPIFtGZTIzkBpXI8S.exe
        
        C:\Users\Admin\Documents\KrC9bR5BPIFtGZTIzkBpXI8S.exe
        9⤵
        
        PID:27840
        
        C:\Users\Admin\Documents\KrC9bR5BPIFtGZTIzkBpXI8S.exe
        
        C:\Users\Admin\Documents\KrC9bR5BPIFtGZTIzkBpXI8S.exe
        9⤵
        
        PID:30516
        
        C:\Users\Admin\Documents\KrC9bR5BPIFtGZTIzkBpXI8S.exe
        
        C:\Users\Admin\Documents\KrC9bR5BPIFtGZTIzkBpXI8S.exe
        9⤵
        
        PID:21788
        
        C:\Users\Admin\Documents\KrC9bR5BPIFtGZTIzkBpXI8S.exe
        
        C:\Users\Admin\Documents\KrC9bR5BPIFtGZTIzkBpXI8S.exe
        9⤵
        
        PID:28660
        
        C:\Users\Admin\Documents\KrC9bR5BPIFtGZTIzkBpXI8S.exe
        
        C:\Users\Admin\Documents\KrC9bR5BPIFtGZTIzkBpXI8S.exe
        9⤵
        
        PID:23816
        
        C:\Users\Admin\Documents\KrC9bR5BPIFtGZTIzkBpXI8S.exe
        
        C:\Users\Admin\Documents\KrC9bR5BPIFtGZTIzkBpXI8S.exe
        9⤵
        
        PID:31420
        
        C:\Users\Admin\Documents\wYP31cYPXEh5kogcKbq7kAe6.exe
        
        "C:\Users\Admin\Documents\wYP31cYPXEh5kogcKbq7kAe6.exe"
        8⤵
        
        PID:12624
        
        C:\Users\Admin\Documents\wYP31cYPXEh5kogcKbq7kAe6.exe
        
        C:\Users\Admin\Documents\wYP31cYPXEh5kogcKbq7kAe6.exe
        9⤵
        
        PID:22828
        
        C:\Users\Admin\Documents\wYP31cYPXEh5kogcKbq7kAe6.exe
        
        C:\Users\Admin\Documents\wYP31cYPXEh5kogcKbq7kAe6.exe
        9⤵
        
        PID:27564
        
        C:\Users\Admin\Documents\wYP31cYPXEh5kogcKbq7kAe6.exe
        
        C:\Users\Admin\Documents\wYP31cYPXEh5kogcKbq7kAe6.exe
        9⤵
        
        PID:21928
        
        C:\Users\Admin\Documents\wYP31cYPXEh5kogcKbq7kAe6.exe
        
        C:\Users\Admin\Documents\wYP31cYPXEh5kogcKbq7kAe6.exe
        9⤵
        
        PID:28400
        
        C:\Users\Admin\Documents\wYP31cYPXEh5kogcKbq7kAe6.exe
        
        C:\Users\Admin\Documents\wYP31cYPXEh5kogcKbq7kAe6.exe
        9⤵
        
        PID:27816
        
        C:\Users\Admin\Documents\wYP31cYPXEh5kogcKbq7kAe6.exe
        
        C:\Users\Admin\Documents\wYP31cYPXEh5kogcKbq7kAe6.exe
        9⤵
        
        PID:29056
        
        C:\Users\Admin\Documents\wYP31cYPXEh5kogcKbq7kAe6.exe
        
        C:\Users\Admin\Documents\wYP31cYPXEh5kogcKbq7kAe6.exe
        9⤵
        
        PID:29412
        
        C:\Users\Admin\Documents\wYP31cYPXEh5kogcKbq7kAe6.exe
        
        C:\Users\Admin\Documents\wYP31cYPXEh5kogcKbq7kAe6.exe
        9⤵
        
        PID:30176
        
        C:\Users\Admin\Documents\wYP31cYPXEh5kogcKbq7kAe6.exe
        
        C:\Users\Admin\Documents\wYP31cYPXEh5kogcKbq7kAe6.exe
        9⤵
        
        PID:29116
        
        C:\Users\Admin\Documents\wYP31cYPXEh5kogcKbq7kAe6.exe
        
        C:\Users\Admin\Documents\wYP31cYPXEh5kogcKbq7kAe6.exe
        9⤵
        
        PID:14908
        
        C:\Users\Admin\Documents\wYP31cYPXEh5kogcKbq7kAe6.exe
        
        C:\Users\Admin\Documents\wYP31cYPXEh5kogcKbq7kAe6.exe
        9⤵
        
        PID:31352
        
        C:\Users\Admin\Documents\wYP31cYPXEh5kogcKbq7kAe6.exe
        
        C:\Users\Admin\Documents\wYP31cYPXEh5kogcKbq7kAe6.exe
        9⤵
        
        PID:30968
        
        C:\Users\Admin\Documents\wYP31cYPXEh5kogcKbq7kAe6.exe
        
        C:\Users\Admin\Documents\wYP31cYPXEh5kogcKbq7kAe6.exe
        9⤵
        
        PID:17368
        
        C:\Users\Admin\Documents\wYP31cYPXEh5kogcKbq7kAe6.exe
        
        C:\Users\Admin\Documents\wYP31cYPXEh5kogcKbq7kAe6.exe
        9⤵
        
        PID:28344
        
        C:\Users\Admin\Documents\wYP31cYPXEh5kogcKbq7kAe6.exe
        
        C:\Users\Admin\Documents\wYP31cYPXEh5kogcKbq7kAe6.exe
        9⤵
        
        PID:32656
        
        C:\Users\Admin\Documents\wYP31cYPXEh5kogcKbq7kAe6.exe
        
        C:\Users\Admin\Documents\wYP31cYPXEh5kogcKbq7kAe6.exe
        9⤵
        
        PID:29592
        
        C:\Users\Admin\Documents\wYP31cYPXEh5kogcKbq7kAe6.exe
        
        C:\Users\Admin\Documents\wYP31cYPXEh5kogcKbq7kAe6.exe
        9⤵
        
        PID:29244
        
        C:\Users\Admin\Documents\wYP31cYPXEh5kogcKbq7kAe6.exe
        
        C:\Users\Admin\Documents\wYP31cYPXEh5kogcKbq7kAe6.exe
        9⤵
        
        PID:17932
        
        C:\Users\Admin\Documents\wYP31cYPXEh5kogcKbq7kAe6.exe
        
        C:\Users\Admin\Documents\wYP31cYPXEh5kogcKbq7kAe6.exe
        9⤵
        
        PID:32844
        
        C:\Users\Admin\Documents\vUfCcUe24DTkLTrL9f5Rq59Z.exe
        
        "C:\Users\Admin\Documents\vUfCcUe24DTkLTrL9f5Rq59Z.exe"
        8⤵
        
        PID:10856
    - - C:\Program Files (x86)\SmartPDF\SmartPDF\note866.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\note866.exe"
        5⤵
        
        PID:5260
    - - C:\Program Files (x86)\SmartPDF\SmartPDF\LivelyScreenRecS3.0.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\LivelyScreenRecS3.0.exe"
        5⤵
        
        PID:5240
      - C:\Users\Admin\AppData\Local\Temp\tmpA14D_tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpA14D_tmp.exe"
        6⤵
        
        PID:8844
    - - C:\Program Files (x86)\SmartPDF\SmartPDF\PBrowFile15.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\PBrowFile15.exe"
        5⤵
        
        PID:5360
      - C:\Users\Admin\AppData\Roaming\6479987.exe
        
        "C:\Users\Admin\AppData\Roaming\6479987.exe"
        6⤵
        
        PID:7472
      - C:\Users\Admin\AppData\Roaming\1671985.exe
        
        "C:\Users\Admin\AppData\Roaming\1671985.exe"
        6⤵
        
        PID:7568
      - C:\Users\Admin\AppData\Roaming\8696480.exe
        
        "C:\Users\Admin\AppData\Roaming\8696480.exe"
        6⤵
        
        PID:8640
      - C:\Users\Admin\AppData\Roaming\6891439.exe
        
        "C:\Users\Admin\AppData\Roaming\6891439.exe"
        6⤵
        
        PID:9180
    - - C:\Program Files (x86)\SmartPDF\SmartPDF\9840432e051a6fa1192594db02b80a4c1fd73456.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\9840432e051a6fa1192594db02b80a4c1fd73456.exe"
        5⤵
        
        PID:5268
- C:\Users\Admin\Documents\owyBeay0bfyTalbBJydNDSGm.exe
  "C:\Users\Admin\Documents\owyBeay0bfyTalbBJydNDSGm.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2312

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C tYpe "C:\Users\Admin\Documents\tJ8D3S9AV0qsxHCKNdJ8w5rK.exe" > IQ0V_Fe_.eXE && StaRt IQ0v_FE_.ExE -poRsuYEMryiLi& if ""== "" for %m in ("C:\Users\Admin\Documents\tJ8D3S9AV0qsxHCKNdJ8w5rK.exe" ) do taskkill /iM "%~NXm" -F
1⤵
PID:2836
- C:\Users\Admin\AppData\Local\Temp\IQ0V_Fe_.eXE
  IQ0v_FE_.ExE -poRsuYEMryiLi
  2⤵
  - Executes dropped EXE
  PID:5624
- - C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\System32\mshta.exe" VbsCrIPt: cLOSe( CREAteobjecT ("wScRiPT.ShElL" ).RUN ( "C:\Windows\system32\cmd.exe /C tYpe ""C:\Users\Admin\AppData\Local\Temp\IQ0V_Fe_.eXE"" > IQ0V_Fe_.eXE && StaRt IQ0v_FE_.ExE -poRsuYEMryiLi & if ""-poRsuYEMryiLi""== """" for %m in ( ""C:\Users\Admin\AppData\Local\Temp\IQ0V_Fe_.eXE"" ) do taskkill /iM ""%~NXm"" -F" ,0 , TRUE ))
    3⤵
    PID:6096
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /C tYpe "C:\Users\Admin\AppData\Local\Temp\IQ0V_Fe_.eXE" > IQ0V_Fe_.eXE && StaRt IQ0v_FE_.ExE -poRsuYEMryiLi& if "-poRsuYEMryiLi"== "" for %m in ("C:\Users\Admin\AppData\Local\Temp\IQ0V_Fe_.eXE" ) do taskkill /iM "%~NXm" -F
      4⤵
      PID:5468
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" VHTDDahA.G,XBvVyh
    3⤵
    PID:1756
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /iM "tJ8D3S9AV0qsxHCKNdJ8w5rK.exe" -F
  2⤵
  - Kills process with taskkill
  PID:5508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4784 -s 24
1⤵
- Program crash
PID:4204

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:6480
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  2⤵
  PID:6552

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SystemNetworkService
1⤵
PID:6956

C:\Users\Admin\AppData\Roaming\5150799.exe
"C:\Users\Admin\AppData\Roaming\5150799.exe"
1⤵
PID:4636

C:\Windows\SysWOW64\timeout.exe
timeout /T 10 /NOBREAK
1⤵
- Delays execution with timeout.exe
PID:7824

C:\Windows\system32\rUNdlL32.eXe
rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
1⤵
- Process spawned unexpected child process
PID:5428
- C:\Windows\SysWOW64\rundll32.exe
  rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
  2⤵
  PID:8160

C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
"C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
1⤵
PID:3820

C:\Windows\SysWOW64\cmd.exe
cmd /c cmd < Pei.xll
1⤵
PID:4448
- C:\Windows\SysWOW64\cmd.exe
  cmd
  2⤵
  PID:10088
- - C:\Windows\SysWOW64\findstr.exe
    findstr /V /R "^HlGEvpOWJOEhLjtMCMDsxiaRDGubGurupaMHjGXUgfrcGybsXUFbdIsmSOwQrdfCLnrzmbAVPJrtrXlnpOAMBGPBqjObFuRXZBJowtRmxKIHEjcVEDHgPDwyIBahIedISyy$" Passa.xll
    3⤵
    PID:15184
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tra.exe.com
    Tra.exe.com o
    3⤵
    PID:4040
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tra.exe.com
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tra.exe.com o
      4⤵
      PID:17736
    - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tra.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tra.exe.com o
        5⤵
        
        PID:24360
      - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tra.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tra.exe.com o
        6⤵
        
        PID:29688
- - C:\Windows\SysWOW64\PING.EXE
    ping localhost
    3⤵
    - Runs ping.exe
    PID:21056

C:\Windows\SysWOW64\dllhost.exe
dllhost.exe
1⤵
PID:4824

C:\Users\Admin\AppData\Local\Temp\RarSFX1\KBAvfsr.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\KBAvfsr.exe"
1⤵
PID:14048

C:\Users\Admin\Documents\KrC9bR5BPIFtGZTIzkBpXI8S.exe
C:\Users\Admin\Documents\KrC9bR5BPIFtGZTIzkBpXI8S.exe
1⤵
PID:15288

C:\Users\Admin\Documents\KrC9bR5BPIFtGZTIzkBpXI8S.exe
C:\Users\Admin\Documents\KrC9bR5BPIFtGZTIzkBpXI8S.exe
1⤵
PID:15128

C:\Users\Admin\Documents\KrC9bR5BPIFtGZTIzkBpXI8S.exe
C:\Users\Admin\Documents\KrC9bR5BPIFtGZTIzkBpXI8S.exe
1⤵
PID:4192

C:\Users\Admin\Documents\eZsEdYXR158VP1yHPWrHH5av.exe
C:\Users\Admin\Documents\eZsEdYXR158VP1yHPWrHH5av.exe
1⤵
PID:13996

C:\Users\Admin\Documents\wYP31cYPXEh5kogcKbq7kAe6.exe
C:\Users\Admin\Documents\wYP31cYPXEh5kogcKbq7kAe6.exe
1⤵
PID:14908

C:\Users\Admin\Documents\KrC9bR5BPIFtGZTIzkBpXI8S.exe
C:\Users\Admin\Documents\KrC9bR5BPIFtGZTIzkBpXI8S.exe
1⤵
PID:13528

C:\Users\Admin\Documents\eZsEdYXR158VP1yHPWrHH5av.exe
C:\Users\Admin\Documents\eZsEdYXR158VP1yHPWrHH5av.exe
1⤵
PID:2688

C:\Users\Admin\Documents\wYP31cYPXEh5kogcKbq7kAe6.exe
C:\Users\Admin\Documents\wYP31cYPXEh5kogcKbq7kAe6.exe
1⤵
PID:6288

C:\Users\Admin\Documents\wYP31cYPXEh5kogcKbq7kAe6.exe
C:\Users\Admin\Documents\wYP31cYPXEh5kogcKbq7kAe6.exe
1⤵
PID:2688

C:\Users\Admin\Documents\eZsEdYXR158VP1yHPWrHH5av.exe
C:\Users\Admin\Documents\eZsEdYXR158VP1yHPWrHH5av.exe
1⤵
PID:15640

C:\Users\Admin\Documents\KrC9bR5BPIFtGZTIzkBpXI8S.exe
C:\Users\Admin\Documents\KrC9bR5BPIFtGZTIzkBpXI8S.exe
1⤵
PID:15776

C:\Users\Admin\Documents\KrC9bR5BPIFtGZTIzkBpXI8S.exe
C:\Users\Admin\Documents\KrC9bR5BPIFtGZTIzkBpXI8S.exe
1⤵
PID:15552

C:\Users\Admin\Documents\eZsEdYXR158VP1yHPWrHH5av.exe
C:\Users\Admin\Documents\eZsEdYXR158VP1yHPWrHH5av.exe
1⤵
PID:15036

C:\Users\Admin\Documents\wYP31cYPXEh5kogcKbq7kAe6.exe
C:\Users\Admin\Documents\wYP31cYPXEh5kogcKbq7kAe6.exe
1⤵
PID:3244

C:\Users\Admin\Documents\eZsEdYXR158VP1yHPWrHH5av.exe
C:\Users\Admin\Documents\eZsEdYXR158VP1yHPWrHH5av.exe
1⤵
PID:14468

C:\Users\Admin\Documents\wYP31cYPXEh5kogcKbq7kAe6.exe
C:\Users\Admin\Documents\wYP31cYPXEh5kogcKbq7kAe6.exe
1⤵
PID:13996

C:\Users\Admin\Documents\eZsEdYXR158VP1yHPWrHH5av.exe
C:\Users\Admin\Documents\eZsEdYXR158VP1yHPWrHH5av.exe
1⤵
PID:12040

C:\Users\Admin\Documents\KrC9bR5BPIFtGZTIzkBpXI8S.exe
C:\Users\Admin\Documents\KrC9bR5BPIFtGZTIzkBpXI8S.exe
1⤵
PID:14528

C:\Users\Admin\Documents\wYP31cYPXEh5kogcKbq7kAe6.exe
C:\Users\Admin\Documents\wYP31cYPXEh5kogcKbq7kAe6.exe
1⤵
PID:14272

C:\Users\Admin\Documents\KrC9bR5BPIFtGZTIzkBpXI8S.exe
C:\Users\Admin\Documents\KrC9bR5BPIFtGZTIzkBpXI8S.exe
1⤵
PID:13280

C:\Users\Admin\Documents\wYP31cYPXEh5kogcKbq7kAe6.exe
C:\Users\Admin\Documents\wYP31cYPXEh5kogcKbq7kAe6.exe
1⤵
PID:15564

C:\Users\Admin\Documents\KrC9bR5BPIFtGZTIzkBpXI8S.exe
C:\Users\Admin\Documents\KrC9bR5BPIFtGZTIzkBpXI8S.exe
1⤵
PID:16176

C:\Users\Admin\Documents\wYP31cYPXEh5kogcKbq7kAe6.exe
C:\Users\Admin\Documents\wYP31cYPXEh5kogcKbq7kAe6.exe
1⤵
PID:16672

C:\Users\Admin\Documents\KrC9bR5BPIFtGZTIzkBpXI8S.exe
C:\Users\Admin\Documents\KrC9bR5BPIFtGZTIzkBpXI8S.exe
1⤵
PID:16244

C:\Users\Admin\Documents\KrC9bR5BPIFtGZTIzkBpXI8S.exe
C:\Users\Admin\Documents\KrC9bR5BPIFtGZTIzkBpXI8S.exe
1⤵
PID:16852

C:\Users\Admin\Documents\eZsEdYXR158VP1yHPWrHH5av.exe
C:\Users\Admin\Documents\eZsEdYXR158VP1yHPWrHH5av.exe
1⤵
PID:17460

C:\Users\Admin\Documents\eZsEdYXR158VP1yHPWrHH5av.exe
C:\Users\Admin\Documents\eZsEdYXR158VP1yHPWrHH5av.exe
1⤵
PID:18216

C:\Users\Admin\Documents\wYP31cYPXEh5kogcKbq7kAe6.exe
C:\Users\Admin\Documents\wYP31cYPXEh5kogcKbq7kAe6.exe
1⤵
PID:16512

C:\Users\Admin\Documents\KrC9bR5BPIFtGZTIzkBpXI8S.exe
C:\Users\Admin\Documents\KrC9bR5BPIFtGZTIzkBpXI8S.exe
1⤵
PID:18048

C:\Users\Admin\Documents\eZsEdYXR158VP1yHPWrHH5av.exe
C:\Users\Admin\Documents\eZsEdYXR158VP1yHPWrHH5av.exe
1⤵
PID:3620

C:\Users\Admin\Documents\wYP31cYPXEh5kogcKbq7kAe6.exe
C:\Users\Admin\Documents\wYP31cYPXEh5kogcKbq7kAe6.exe
1⤵
PID:19160

C:\Users\Admin\Documents\KrC9bR5BPIFtGZTIzkBpXI8S.exe
C:\Users\Admin\Documents\KrC9bR5BPIFtGZTIzkBpXI8S.exe
1⤵
PID:19268

C:\Users\Admin\Documents\KrC9bR5BPIFtGZTIzkBpXI8S.exe
C:\Users\Admin\Documents\KrC9bR5BPIFtGZTIzkBpXI8S.exe
1⤵
PID:18124

C:\Users\Admin\Documents\wYP31cYPXEh5kogcKbq7kAe6.exe
C:\Users\Admin\Documents\wYP31cYPXEh5kogcKbq7kAe6.exe
1⤵
PID:18048

C:\Users\Admin\Documents\KrC9bR5BPIFtGZTIzkBpXI8S.exe
C:\Users\Admin\Documents\KrC9bR5BPIFtGZTIzkBpXI8S.exe
1⤵
PID:17280

C:\Users\Admin\Documents\wYP31cYPXEh5kogcKbq7kAe6.exe
C:\Users\Admin\Documents\wYP31cYPXEh5kogcKbq7kAe6.exe
1⤵
PID:14592

C:\Users\Admin\Documents\eZsEdYXR158VP1yHPWrHH5av.exe
C:\Users\Admin\Documents\eZsEdYXR158VP1yHPWrHH5av.exe
1⤵
PID:17152

C:\Users\Admin\Documents\wYP31cYPXEh5kogcKbq7kAe6.exe
C:\Users\Admin\Documents\wYP31cYPXEh5kogcKbq7kAe6.exe
1⤵
PID:15108

C:\Users\Admin\Documents\eZsEdYXR158VP1yHPWrHH5av.exe
C:\Users\Admin\Documents\eZsEdYXR158VP1yHPWrHH5av.exe
1⤵
PID:16432

C:\Users\Admin\Documents\wYP31cYPXEh5kogcKbq7kAe6.exe
C:\Users\Admin\Documents\wYP31cYPXEh5kogcKbq7kAe6.exe
1⤵
PID:17316

C:\Users\Admin\Documents\KrC9bR5BPIFtGZTIzkBpXI8S.exe
C:\Users\Admin\Documents\KrC9bR5BPIFtGZTIzkBpXI8S.exe
1⤵
PID:18968

C:\Users\Admin\Documents\eZsEdYXR158VP1yHPWrHH5av.exe
C:\Users\Admin\Documents\eZsEdYXR158VP1yHPWrHH5av.exe
1⤵
PID:19596

C:\Users\Admin\Documents\wYP31cYPXEh5kogcKbq7kAe6.exe
C:\Users\Admin\Documents\wYP31cYPXEh5kogcKbq7kAe6.exe
1⤵
PID:19736

C:\Users\Admin\Documents\KrC9bR5BPIFtGZTIzkBpXI8S.exe
C:\Users\Admin\Documents\KrC9bR5BPIFtGZTIzkBpXI8S.exe
1⤵
PID:19988

C:\Users\Admin\Documents\eZsEdYXR158VP1yHPWrHH5av.exe
C:\Users\Admin\Documents\eZsEdYXR158VP1yHPWrHH5av.exe
1⤵
PID:20112

C:\Users\Admin\Documents\wYP31cYPXEh5kogcKbq7kAe6.exe
C:\Users\Admin\Documents\wYP31cYPXEh5kogcKbq7kAe6.exe
1⤵
PID:20288

C:\Users\Admin\Documents\KrC9bR5BPIFtGZTIzkBpXI8S.exe
C:\Users\Admin\Documents\KrC9bR5BPIFtGZTIzkBpXI8S.exe
1⤵
PID:19516

C:\Users\Admin\Documents\KrC9bR5BPIFtGZTIzkBpXI8S.exe
C:\Users\Admin\Documents\KrC9bR5BPIFtGZTIzkBpXI8S.exe
1⤵
PID:19200

C:\Users\Admin\Documents\eZsEdYXR158VP1yHPWrHH5av.exe
C:\Users\Admin\Documents\eZsEdYXR158VP1yHPWrHH5av.exe
1⤵
PID:16660

C:\Users\Admin\Documents\wYP31cYPXEh5kogcKbq7kAe6.exe
C:\Users\Admin\Documents\wYP31cYPXEh5kogcKbq7kAe6.exe
1⤵
PID:19968

C:\Users\Admin\Documents\eZsEdYXR158VP1yHPWrHH5av.exe
C:\Users\Admin\Documents\eZsEdYXR158VP1yHPWrHH5av.exe
1⤵
PID:20196

C:\Users\Admin\Documents\wYP31cYPXEh5kogcKbq7kAe6.exe
C:\Users\Admin\Documents\wYP31cYPXEh5kogcKbq7kAe6.exe
1⤵
PID:16604

C:\Users\Admin\Documents\eZsEdYXR158VP1yHPWrHH5av.exe
C:\Users\Admin\Documents\eZsEdYXR158VP1yHPWrHH5av.exe
1⤵
PID:18372

C:\Users\Admin\Documents\wYP31cYPXEh5kogcKbq7kAe6.exe
C:\Users\Admin\Documents\wYP31cYPXEh5kogcKbq7kAe6.exe
1⤵
PID:21000

C:\Users\Admin\Documents\wYP31cYPXEh5kogcKbq7kAe6.exe
C:\Users\Admin\Documents\wYP31cYPXEh5kogcKbq7kAe6.exe
1⤵
PID:14740

C:\Users\Admin\Documents\KrC9bR5BPIFtGZTIzkBpXI8S.exe
C:\Users\Admin\Documents\KrC9bR5BPIFtGZTIzkBpXI8S.exe
1⤵
PID:20608

C:\Users\Admin\Documents\wYP31cYPXEh5kogcKbq7kAe6.exe
C:\Users\Admin\Documents\wYP31cYPXEh5kogcKbq7kAe6.exe
1⤵
PID:21096

C:\Users\Admin\Documents\eZsEdYXR158VP1yHPWrHH5av.exe
C:\Users\Admin\Documents\eZsEdYXR158VP1yHPWrHH5av.exe
1⤵
PID:21284

C:\Users\Admin\Documents\wYP31cYPXEh5kogcKbq7kAe6.exe
C:\Users\Admin\Documents\wYP31cYPXEh5kogcKbq7kAe6.exe
1⤵
PID:7464

C:\Users\Admin\Documents\wYP31cYPXEh5kogcKbq7kAe6.exe
C:\Users\Admin\Documents\wYP31cYPXEh5kogcKbq7kAe6.exe
1⤵
PID:21752

C:\Users\Admin\Documents\eZsEdYXR158VP1yHPWrHH5av.exe
C:\Users\Admin\Documents\eZsEdYXR158VP1yHPWrHH5av.exe
1⤵
PID:21856

C:\Users\Admin\Documents\eZsEdYXR158VP1yHPWrHH5av.exe
C:\Users\Admin\Documents\eZsEdYXR158VP1yHPWrHH5av.exe
1⤵
PID:12232

C:\Users\Admin\Documents\wYP31cYPXEh5kogcKbq7kAe6.exe
C:\Users\Admin\Documents\wYP31cYPXEh5kogcKbq7kAe6.exe
1⤵
PID:20964

C:\Users\Admin\Documents\KrC9bR5BPIFtGZTIzkBpXI8S.exe
C:\Users\Admin\Documents\KrC9bR5BPIFtGZTIzkBpXI8S.exe
1⤵
PID:18156

C:\Users\Admin\Documents\KrC9bR5BPIFtGZTIzkBpXI8S.exe
C:\Users\Admin\Documents\KrC9bR5BPIFtGZTIzkBpXI8S.exe
1⤵
PID:21680

C:\Users\Admin\Documents\eZsEdYXR158VP1yHPWrHH5av.exe
C:\Users\Admin\Documents\eZsEdYXR158VP1yHPWrHH5av.exe
1⤵
PID:17904

C:\Users\Admin\Documents\eZsEdYXR158VP1yHPWrHH5av.exe
C:\Users\Admin\Documents\eZsEdYXR158VP1yHPWrHH5av.exe
1⤵
PID:22328

C:\Users\Admin\Documents\wYP31cYPXEh5kogcKbq7kAe6.exe
C:\Users\Admin\Documents\wYP31cYPXEh5kogcKbq7kAe6.exe
1⤵
PID:22316

C:\Users\Admin\Documents\KrC9bR5BPIFtGZTIzkBpXI8S.exe
C:\Users\Admin\Documents\KrC9bR5BPIFtGZTIzkBpXI8S.exe
1⤵
PID:20416

C:\Users\Admin\Documents\eZsEdYXR158VP1yHPWrHH5av.exe
C:\Users\Admin\Documents\eZsEdYXR158VP1yHPWrHH5av.exe
1⤵
PID:20236

C:\Users\Admin\Documents\wYP31cYPXEh5kogcKbq7kAe6.exe
C:\Users\Admin\Documents\wYP31cYPXEh5kogcKbq7kAe6.exe
1⤵
PID:21848

C:\Users\Admin\Documents\KrC9bR5BPIFtGZTIzkBpXI8S.exe
C:\Users\Admin\Documents\KrC9bR5BPIFtGZTIzkBpXI8S.exe
1⤵
PID:21236

C:\Users\Admin\Documents\wYP31cYPXEh5kogcKbq7kAe6.exe
C:\Users\Admin\Documents\wYP31cYPXEh5kogcKbq7kAe6.exe
1⤵
PID:20908

C:\Users\Admin\Documents\eZsEdYXR158VP1yHPWrHH5av.exe
C:\Users\Admin\Documents\eZsEdYXR158VP1yHPWrHH5av.exe
1⤵
PID:21044

C:\Users\Admin\Documents\KrC9bR5BPIFtGZTIzkBpXI8S.exe
C:\Users\Admin\Documents\KrC9bR5BPIFtGZTIzkBpXI8S.exe
1⤵
PID:21232

C:\Users\Admin\Documents\KrC9bR5BPIFtGZTIzkBpXI8S.exe
C:\Users\Admin\Documents\KrC9bR5BPIFtGZTIzkBpXI8S.exe
1⤵
PID:22624

C:\Users\Admin\Documents\wYP31cYPXEh5kogcKbq7kAe6.exe
C:\Users\Admin\Documents\wYP31cYPXEh5kogcKbq7kAe6.exe
1⤵
PID:22832

C:\Users\Admin\Documents\eZsEdYXR158VP1yHPWrHH5av.exe
C:\Users\Admin\Documents\eZsEdYXR158VP1yHPWrHH5av.exe
1⤵
PID:22916

C:\Users\Admin\Documents\wYP31cYPXEh5kogcKbq7kAe6.exe
C:\Users\Admin\Documents\wYP31cYPXEh5kogcKbq7kAe6.exe
1⤵
PID:20904

C:\Users\Admin\Documents\eZsEdYXR158VP1yHPWrHH5av.exe
C:\Users\Admin\Documents\eZsEdYXR158VP1yHPWrHH5av.exe
1⤵
PID:12956

C:\Users\Admin\Documents\KrC9bR5BPIFtGZTIzkBpXI8S.exe
C:\Users\Admin\Documents\KrC9bR5BPIFtGZTIzkBpXI8S.exe
1⤵
PID:23392

C:\Users\Admin\Documents\wYP31cYPXEh5kogcKbq7kAe6.exe
C:\Users\Admin\Documents\wYP31cYPXEh5kogcKbq7kAe6.exe
1⤵
PID:21896

C:\Users\Admin\Documents\eZsEdYXR158VP1yHPWrHH5av.exe
C:\Users\Admin\Documents\eZsEdYXR158VP1yHPWrHH5av.exe
1⤵
PID:22504

C:\Users\Admin\Documents\KrC9bR5BPIFtGZTIzkBpXI8S.exe
C:\Users\Admin\Documents\KrC9bR5BPIFtGZTIzkBpXI8S.exe
1⤵
PID:22936

C:\Users\Admin\Documents\KrC9bR5BPIFtGZTIzkBpXI8S.exe
C:\Users\Admin\Documents\KrC9bR5BPIFtGZTIzkBpXI8S.exe
1⤵
PID:21132

C:\Users\Admin\Documents\KrC9bR5BPIFtGZTIzkBpXI8S.exe
C:\Users\Admin\Documents\KrC9bR5BPIFtGZTIzkBpXI8S.exe
1⤵
PID:17148

C:\Users\Admin\Documents\eZsEdYXR158VP1yHPWrHH5av.exe
C:\Users\Admin\Documents\eZsEdYXR158VP1yHPWrHH5av.exe
1⤵
PID:24276

C:\Users\Admin\Documents\wYP31cYPXEh5kogcKbq7kAe6.exe
C:\Users\Admin\Documents\wYP31cYPXEh5kogcKbq7kAe6.exe
1⤵
PID:18064

C:\Users\Admin\Documents\eZsEdYXR158VP1yHPWrHH5av.exe
C:\Users\Admin\Documents\eZsEdYXR158VP1yHPWrHH5av.exe
1⤵
PID:23468

C:\Users\Admin\Documents\KrC9bR5BPIFtGZTIzkBpXI8S.exe
C:\Users\Admin\Documents\KrC9bR5BPIFtGZTIzkBpXI8S.exe
1⤵
PID:11460

C:\Users\Admin\Documents\eZsEdYXR158VP1yHPWrHH5av.exe
C:\Users\Admin\Documents\eZsEdYXR158VP1yHPWrHH5av.exe
1⤵
PID:21364

C:\Users\Admin\Documents\wYP31cYPXEh5kogcKbq7kAe6.exe
C:\Users\Admin\Documents\wYP31cYPXEh5kogcKbq7kAe6.exe
1⤵
PID:23720

C:\Users\Admin\Documents\KrC9bR5BPIFtGZTIzkBpXI8S.exe
C:\Users\Admin\Documents\KrC9bR5BPIFtGZTIzkBpXI8S.exe
1⤵
PID:22884

C:\Users\Admin\Documents\eZsEdYXR158VP1yHPWrHH5av.exe
C:\Users\Admin\Documents\eZsEdYXR158VP1yHPWrHH5av.exe
1⤵
PID:24128

C:\Users\Admin\Documents\KrC9bR5BPIFtGZTIzkBpXI8S.exe
C:\Users\Admin\Documents\KrC9bR5BPIFtGZTIzkBpXI8S.exe
1⤵
PID:14628

C:\Users\Admin\Documents\eZsEdYXR158VP1yHPWrHH5av.exe
C:\Users\Admin\Documents\eZsEdYXR158VP1yHPWrHH5av.exe
1⤵
PID:14208

C:\Users\Admin\Documents\wYP31cYPXEh5kogcKbq7kAe6.exe
C:\Users\Admin\Documents\wYP31cYPXEh5kogcKbq7kAe6.exe
1⤵
PID:10032

C:\Users\Admin\Documents\KrC9bR5BPIFtGZTIzkBpXI8S.exe
C:\Users\Admin\Documents\KrC9bR5BPIFtGZTIzkBpXI8S.exe
1⤵
PID:23336

C:\Users\Admin\Documents\wYP31cYPXEh5kogcKbq7kAe6.exe
C:\Users\Admin\Documents\wYP31cYPXEh5kogcKbq7kAe6.exe
1⤵
PID:24156

C:\Users\Admin\Documents\KrC9bR5BPIFtGZTIzkBpXI8S.exe
C:\Users\Admin\Documents\KrC9bR5BPIFtGZTIzkBpXI8S.exe
1⤵
PID:25332

C:\Users\Admin\Documents\wYP31cYPXEh5kogcKbq7kAe6.exe
C:\Users\Admin\Documents\wYP31cYPXEh5kogcKbq7kAe6.exe
1⤵
PID:25488

C:\Users\Admin\Documents\eZsEdYXR158VP1yHPWrHH5av.exe
C:\Users\Admin\Documents\eZsEdYXR158VP1yHPWrHH5av.exe
1⤵
PID:24724

C:\Users\Admin\Documents\KrC9bR5BPIFtGZTIzkBpXI8S.exe
C:\Users\Admin\Documents\KrC9bR5BPIFtGZTIzkBpXI8S.exe
1⤵
PID:23984

C:\Users\Admin\Documents\wYP31cYPXEh5kogcKbq7kAe6.exe
C:\Users\Admin\Documents\wYP31cYPXEh5kogcKbq7kAe6.exe
1⤵
PID:25248

C:\Users\Admin\Documents\eZsEdYXR158VP1yHPWrHH5av.exe
C:\Users\Admin\Documents\eZsEdYXR158VP1yHPWrHH5av.exe
1⤵
PID:23116

C:\Users\Admin\Documents\KrC9bR5BPIFtGZTIzkBpXI8S.exe
C:\Users\Admin\Documents\KrC9bR5BPIFtGZTIzkBpXI8S.exe
1⤵
PID:24416

C:\Users\Admin\Documents\KrC9bR5BPIFtGZTIzkBpXI8S.exe
C:\Users\Admin\Documents\KrC9bR5BPIFtGZTIzkBpXI8S.exe
1⤵
PID:22144

C:\Users\Admin\Documents\wYP31cYPXEh5kogcKbq7kAe6.exe
C:\Users\Admin\Documents\wYP31cYPXEh5kogcKbq7kAe6.exe
1⤵
PID:24924

C:\Users\Admin\Documents\eZsEdYXR158VP1yHPWrHH5av.exe
C:\Users\Admin\Documents\eZsEdYXR158VP1yHPWrHH5av.exe
1⤵
PID:13812

C:\Users\Admin\Documents\wYP31cYPXEh5kogcKbq7kAe6.exe
C:\Users\Admin\Documents\wYP31cYPXEh5kogcKbq7kAe6.exe
1⤵
PID:24256

C:\Users\Admin\Documents\KrC9bR5BPIFtGZTIzkBpXI8S.exe
C:\Users\Admin\Documents\KrC9bR5BPIFtGZTIzkBpXI8S.exe
1⤵
PID:25056

C:\Users\Admin\Documents\KrC9bR5BPIFtGZTIzkBpXI8S.exe
C:\Users\Admin\Documents\KrC9bR5BPIFtGZTIzkBpXI8S.exe
1⤵
PID:24028

C:\Users\Admin\Documents\wYP31cYPXEh5kogcKbq7kAe6.exe
C:\Users\Admin\Documents\wYP31cYPXEh5kogcKbq7kAe6.exe
1⤵
PID:25852

C:\Users\Admin\Documents\KrC9bR5BPIFtGZTIzkBpXI8S.exe
C:\Users\Admin\Documents\KrC9bR5BPIFtGZTIzkBpXI8S.exe
1⤵
PID:26228

C:\Users\Admin\Documents\eZsEdYXR158VP1yHPWrHH5av.exe
C:\Users\Admin\Documents\eZsEdYXR158VP1yHPWrHH5av.exe
1⤵
PID:26152

C:\Users\Admin\Documents\wYP31cYPXEh5kogcKbq7kAe6.exe
C:\Users\Admin\Documents\wYP31cYPXEh5kogcKbq7kAe6.exe
1⤵
PID:26524

C:\Users\Admin\Documents\eZsEdYXR158VP1yHPWrHH5av.exe
C:\Users\Admin\Documents\eZsEdYXR158VP1yHPWrHH5av.exe
1⤵
PID:25000

C:\Users\Admin\Documents\KrC9bR5BPIFtGZTIzkBpXI8S.exe
C:\Users\Admin\Documents\KrC9bR5BPIFtGZTIzkBpXI8S.exe
1⤵
PID:25436

C:\Users\Admin\Documents\eZsEdYXR158VP1yHPWrHH5av.exe
C:\Users\Admin\Documents\eZsEdYXR158VP1yHPWrHH5av.exe
1⤵
PID:23572

C:\Users\Admin\Documents\wYP31cYPXEh5kogcKbq7kAe6.exe
C:\Users\Admin\Documents\wYP31cYPXEh5kogcKbq7kAe6.exe
1⤵
PID:21092

C:\Users\Admin\Documents\KrC9bR5BPIFtGZTIzkBpXI8S.exe
C:\Users\Admin\Documents\KrC9bR5BPIFtGZTIzkBpXI8S.exe
1⤵
PID:21368

C:\Users\Admin\Documents\eZsEdYXR158VP1yHPWrHH5av.exe
C:\Users\Admin\Documents\eZsEdYXR158VP1yHPWrHH5av.exe
1⤵
PID:13732

C:\Users\Admin\Documents\eZsEdYXR158VP1yHPWrHH5av.exe
C:\Users\Admin\Documents\eZsEdYXR158VP1yHPWrHH5av.exe
1⤵
PID:26212

C:\Users\Admin\Documents\KrC9bR5BPIFtGZTIzkBpXI8S.exe
C:\Users\Admin\Documents\KrC9bR5BPIFtGZTIzkBpXI8S.exe
1⤵
PID:26188

C:\Users\Admin\Documents\wYP31cYPXEh5kogcKbq7kAe6.exe
C:\Users\Admin\Documents\wYP31cYPXEh5kogcKbq7kAe6.exe
1⤵
PID:21648

C:\Users\Admin\Documents\KrC9bR5BPIFtGZTIzkBpXI8S.exe
C:\Users\Admin\Documents\KrC9bR5BPIFtGZTIzkBpXI8S.exe
1⤵
PID:21248

C:\Users\Admin\Documents\eZsEdYXR158VP1yHPWrHH5av.exe
C:\Users\Admin\Documents\eZsEdYXR158VP1yHPWrHH5av.exe
1⤵
PID:21068

C:\Users\Admin\Documents\wYP31cYPXEh5kogcKbq7kAe6.exe
C:\Users\Admin\Documents\wYP31cYPXEh5kogcKbq7kAe6.exe
1⤵
PID:26504

C:\Users\Admin\Documents\eZsEdYXR158VP1yHPWrHH5av.exe
C:\Users\Admin\Documents\eZsEdYXR158VP1yHPWrHH5av.exe
1⤵
PID:25784

C:\Users\Admin\Documents\KrC9bR5BPIFtGZTIzkBpXI8S.exe
C:\Users\Admin\Documents\KrC9bR5BPIFtGZTIzkBpXI8S.exe
1⤵
PID:25872

C:\Users\Admin\AppData\Local\Temp\RarSFX1\FkDS8ej.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\FkDS8ej.exe"
1⤵
PID:20864

C:\Users\Admin\Documents\KrC9bR5BPIFtGZTIzkBpXI8S.exe
C:\Users\Admin\Documents\KrC9bR5BPIFtGZTIzkBpXI8S.exe
1⤵
PID:24480

C:\Users\Admin\Documents\eZsEdYXR158VP1yHPWrHH5av.exe
C:\Users\Admin\Documents\eZsEdYXR158VP1yHPWrHH5av.exe
1⤵
PID:25732

C:\Users\Admin\Documents\wYP31cYPXEh5kogcKbq7kAe6.exe
C:\Users\Admin\Documents\wYP31cYPXEh5kogcKbq7kAe6.exe
1⤵
PID:26440

C:\Users\Admin\Documents\eZsEdYXR158VP1yHPWrHH5av.exe
C:\Users\Admin\Documents\eZsEdYXR158VP1yHPWrHH5av.exe
1⤵
PID:20620

C:\Users\Admin\Documents\KrC9bR5BPIFtGZTIzkBpXI8S.exe
C:\Users\Admin\Documents\KrC9bR5BPIFtGZTIzkBpXI8S.exe
1⤵
PID:20592

C:\Users\Admin\Documents\eZsEdYXR158VP1yHPWrHH5av.exe
C:\Users\Admin\Documents\eZsEdYXR158VP1yHPWrHH5av.exe
1⤵
PID:23968

C:\Users\Admin\Documents\wYP31cYPXEh5kogcKbq7kAe6.exe
C:\Users\Admin\Documents\wYP31cYPXEh5kogcKbq7kAe6.exe
1⤵
PID:11948

C:\Users\Admin\Documents\KrC9bR5BPIFtGZTIzkBpXI8S.exe
C:\Users\Admin\Documents\KrC9bR5BPIFtGZTIzkBpXI8S.exe
1⤵
PID:24516

C:\Users\Admin\Documents\wYP31cYPXEh5kogcKbq7kAe6.exe
C:\Users\Admin\Documents\wYP31cYPXEh5kogcKbq7kAe6.exe
1⤵
PID:19496

C:\Users\Admin\Documents\KrC9bR5BPIFtGZTIzkBpXI8S.exe
C:\Users\Admin\Documents\KrC9bR5BPIFtGZTIzkBpXI8S.exe
1⤵
PID:18856

C:\Users\Admin\Documents\KrC9bR5BPIFtGZTIzkBpXI8S.exe
C:\Users\Admin\Documents\KrC9bR5BPIFtGZTIzkBpXI8S.exe
1⤵
PID:19940

C:\Users\Admin\Documents\wYP31cYPXEh5kogcKbq7kAe6.exe
C:\Users\Admin\Documents\wYP31cYPXEh5kogcKbq7kAe6.exe
1⤵
PID:19132

C:\Users\Admin\Documents\eZsEdYXR158VP1yHPWrHH5av.exe
C:\Users\Admin\Documents\eZsEdYXR158VP1yHPWrHH5av.exe
1⤵
PID:19384

C:\Users\Admin\Documents\wYP31cYPXEh5kogcKbq7kAe6.exe
C:\Users\Admin\Documents\wYP31cYPXEh5kogcKbq7kAe6.exe
1⤵
PID:23160

C:\Users\Admin\Documents\KrC9bR5BPIFtGZTIzkBpXI8S.exe
C:\Users\Admin\Documents\KrC9bR5BPIFtGZTIzkBpXI8S.exe
1⤵
PID:23484

C:\Users\Admin\Documents\eZsEdYXR158VP1yHPWrHH5av.exe
C:\Users\Admin\Documents\eZsEdYXR158VP1yHPWrHH5av.exe
1⤵
PID:23616

C:\Users\Admin\Documents\eZsEdYXR158VP1yHPWrHH5av.exe
C:\Users\Admin\Documents\eZsEdYXR158VP1yHPWrHH5av.exe
1⤵
PID:17000

C:\Users\Admin\Documents\KrC9bR5BPIFtGZTIzkBpXI8S.exe
C:\Users\Admin\Documents\KrC9bR5BPIFtGZTIzkBpXI8S.exe
1⤵
PID:16960

C:\Users\Admin\Documents\wYP31cYPXEh5kogcKbq7kAe6.exe
C:\Users\Admin\Documents\wYP31cYPXEh5kogcKbq7kAe6.exe
1⤵
PID:26736

C:\Users\Admin\Documents\KrC9bR5BPIFtGZTIzkBpXI8S.exe
C:\Users\Admin\Documents\KrC9bR5BPIFtGZTIzkBpXI8S.exe
1⤵
PID:26936

C:\Users\Admin\Documents\eZsEdYXR158VP1yHPWrHH5av.exe
C:\Users\Admin\Documents\eZsEdYXR158VP1yHPWrHH5av.exe
1⤵
PID:26720

C:\Users\Admin\Documents\wYP31cYPXEh5kogcKbq7kAe6.exe
C:\Users\Admin\Documents\wYP31cYPXEh5kogcKbq7kAe6.exe
1⤵
PID:15988

C:\Users\Admin\Documents\eZsEdYXR158VP1yHPWrHH5av.exe
C:\Users\Admin\Documents\eZsEdYXR158VP1yHPWrHH5av.exe
1⤵
PID:15852

C:\Users\Admin\Documents\KrC9bR5BPIFtGZTIzkBpXI8S.exe
C:\Users\Admin\Documents\KrC9bR5BPIFtGZTIzkBpXI8S.exe
1⤵
PID:15556

C:\Users\Admin\Documents\eZsEdYXR158VP1yHPWrHH5av.exe
C:\Users\Admin\Documents\eZsEdYXR158VP1yHPWrHH5av.exe
1⤵
PID:15036

C:\Users\Admin\Documents\wYP31cYPXEh5kogcKbq7kAe6.exe
C:\Users\Admin\Documents\wYP31cYPXEh5kogcKbq7kAe6.exe
1⤵
PID:15088

C:\Users\Admin\Documents\eZsEdYXR158VP1yHPWrHH5av.exe
C:\Users\Admin\Documents\eZsEdYXR158VP1yHPWrHH5av.exe
1⤵
PID:14920

C:\Users\Admin\Documents\wYP31cYPXEh5kogcKbq7kAe6.exe
C:\Users\Admin\Documents\wYP31cYPXEh5kogcKbq7kAe6.exe
1⤵
PID:15144

C:\Users\Admin\Documents\eZsEdYXR158VP1yHPWrHH5av.exe
C:\Users\Admin\Documents\eZsEdYXR158VP1yHPWrHH5av.exe
1⤵
PID:15136

C:\Users\Admin\Documents\wYP31cYPXEh5kogcKbq7kAe6.exe
C:\Users\Admin\Documents\wYP31cYPXEh5kogcKbq7kAe6.exe
1⤵
PID:27480

C:\Users\Admin\Documents\KrC9bR5BPIFtGZTIzkBpXI8S.exe
C:\Users\Admin\Documents\KrC9bR5BPIFtGZTIzkBpXI8S.exe
1⤵
PID:27468

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Modify Existing Service

T1031

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

Remote System Discovery

T1018

System Information Discovery