glupteba | 1cd649ea4273fd977b6a350bfe8f3b62f1d0aee1408b9966aa3d6ad39ba5af6a

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	kOfXEaDU0u13JlaWCkT13AwN.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	kOfXEaDU0u13JlaWCkT13AwN.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	iYa98gpsLoIdFghhIEfGow1J.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	iYa98gpsLoIdFghhIEfGow1J.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	uY6J5fCoaNq4TRYQk5wv1ME1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	uY6J5fCoaNq4TRYQk5wv1ME1.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Control Panel\International\Geo\Nation	Setup (18).exe

Loads dropped DLL 8 IoCs

pid	Process
2548	IshaTFVLGgqlhUNgo3dznOpD.exe
5700	FVdcIt_v7pzZH2ewD1L3pDGa.tmp
5700	FVdcIt_v7pzZH2ewD1L3pDGa.tmp
13476	Process not Found
13476	Process not Found
13192	Process not Found
18892	Process not Found
18892	Process not Found

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Themida packer 9 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral20/files/0x000100000001ab8f-149.dat	themida
behavioral20/files/0x000100000001ab8c-147.dat	themida
behavioral20/files/0x000100000001ab8c-180.dat	themida
behavioral20/files/0x000100000001ab87-176.dat	themida
behavioral20/files/0x000100000001ab8f-175.dat	themida
behavioral20/files/0x000100000001ab87-137.dat	themida
behavioral20/memory/3964-212-0x0000000000290000-0x0000000000291000-memory.dmp	themida
behavioral20/memory/3704-213-0x0000000000EC0000-0x0000000000EC1000-memory.dmp	themida
behavioral20/memory/2000-217-0x0000000000DB0000-0x0000000000DB1000-memory.dmp	themida

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinHost = "C:\\Users\\Admin\\AppData\\Roaming\\WinHost\\WinHoster.exe"	1154428.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	uY6J5fCoaNq4TRYQk5wv1ME1.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	iYa98gpsLoIdFghhIEfGow1J.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	kOfXEaDU0u13JlaWCkT13AwN.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 13 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
129	api.db-ip.com
382	ipinfo.io
876	ipinfo.io
1590	ipinfo.io
5471	ipinfo.io
120	ip-api.com
125	ipinfo.io
31	api.db-ip.com
32	api.db-ip.com
313	ipinfo.io
1544	ipinfo.io
27	ipinfo.io
28	ipinfo.io

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
3704	kOfXEaDU0u13JlaWCkT13AwN.exe
2000	uY6J5fCoaNq4TRYQk5wv1ME1.exe
3964	iYa98gpsLoIdFghhIEfGow1J.exe
13156	Process not Found

Suspicious use of SetThreadContext 64 IoCs

description	pid	Process	procid_target
PID 3876 set thread context of 4596	3876	KBAvfsr.exe	108
PID 3980 set thread context of 4496	3980	0b7V52kCd5DohAljOqxHU766.exe	105
PID 3240 set thread context of 4504	3240	uneM6VL1X5k6S9L9GCues5xr.exe	106
PID 3752 set thread context of 4616	3752	wwChzDPQCqeubiQgXLudVvRp.exe	109
PID 3240 set thread context of 4708	3240	uneM6VL1X5k6S9L9GCues5xr.exe	110
PID 3240 set thread context of 4980	3240	uneM6VL1X5k6S9L9GCues5xr.exe	115
PID 3752 set thread context of 5028	3752	wwChzDPQCqeubiQgXLudVvRp.exe	116
PID 3240 set thread context of 3940	3240	uneM6VL1X5k6S9L9GCues5xr.exe	120
PID 3980 set thread context of 4680	3980	0b7V52kCd5DohAljOqxHU766.exe	121
PID 3240 set thread context of 4624	3240	uneM6VL1X5k6S9L9GCues5xr.exe	124
PID 3752 set thread context of 544	3752	wwChzDPQCqeubiQgXLudVvRp.exe	135
PID 3240 set thread context of 1756	3240	uneM6VL1X5k6S9L9GCues5xr.exe	185
PID 3980 set thread context of 3144	3980	0b7V52kCd5DohAljOqxHU766.exe	138
PID 3752 set thread context of 5284	3752	wwChzDPQCqeubiQgXLudVvRp.exe	139
PID 3240 set thread context of 5476	3240	uneM6VL1X5k6S9L9GCues5xr.exe	156
PID 3752 set thread context of 5596	3752	wwChzDPQCqeubiQgXLudVvRp.exe	142
PID 3980 set thread context of 5792	3980	0b7V52kCd5DohAljOqxHU766.exe	145
PID 3240 set thread context of 5816	3240	uneM6VL1X5k6S9L9GCues5xr.exe	146
PID 3752 set thread context of 5900	3752	wwChzDPQCqeubiQgXLudVvRp.exe	148
PID 1184 set thread context of 5984	1184	iIyQc5kHablf1FQ7VXOlxEfR.exe	150
PID 3980 set thread context of 6088	3980	0b7V52kCd5DohAljOqxHU766.exe	154
PID 3240 set thread context of 6120	3240	uneM6VL1X5k6S9L9GCues5xr.exe	151
PID 3752 set thread context of 5304	3752	wwChzDPQCqeubiQgXLudVvRp.exe	160
PID 1184 set thread context of 4952	1184	iIyQc5kHablf1FQ7VXOlxEfR.exe	162
PID 3980 set thread context of 5964	3980	0b7V52kCd5DohAljOqxHU766.exe	164
PID 3240 set thread context of 4736	3240	uneM6VL1X5k6S9L9GCues5xr.exe	163
PID 3752 set thread context of 2748	3752	wwChzDPQCqeubiQgXLudVvRp.exe	165
PID 1184 set thread context of 5116	1184	iIyQc5kHablf1FQ7VXOlxEfR.exe	166
PID 3980 set thread context of 5140	3980	0b7V52kCd5DohAljOqxHU766.exe	170
PID 3240 set thread context of 5164	3240	uneM6VL1X5k6S9L9GCues5xr.exe	169
PID 1184 set thread context of 3928	1184	iIyQc5kHablf1FQ7VXOlxEfR.exe	173
PID 3980 set thread context of 5524	3980	0b7V52kCd5DohAljOqxHU766.exe	178
PID 3240 set thread context of 4188	3240	uneM6VL1X5k6S9L9GCues5xr.exe	175
PID 3752 set thread context of 4276	3752	wwChzDPQCqeubiQgXLudVvRp.exe	177
PID 3980 set thread context of 5572	3980	0b7V52kCd5DohAljOqxHU766.exe	182
PID 3240 set thread context of 5520	3240	uneM6VL1X5k6S9L9GCues5xr.exe	181
PID 1184 set thread context of 2956	1184	iIyQc5kHablf1FQ7VXOlxEfR.exe	187
PID 3980 set thread context of 2228	3980	0b7V52kCd5DohAljOqxHU766.exe	195
PID 3240 set thread context of 2252	3240	uneM6VL1X5k6S9L9GCues5xr.exe	192
PID 972 set thread context of 3176	972	rzjSJQNOOTyDuUL3CRcYc4GU.exe	200
PID 3752 set thread context of 1840	3752	wwChzDPQCqeubiQgXLudVvRp.exe	194
PID 3980 set thread context of 6148	3980	0b7V52kCd5DohAljOqxHU766.exe	197
PID 3240 set thread context of 6180	3240	uneM6VL1X5k6S9L9GCues5xr.exe	198
PID 1184 set thread context of 6268	1184	iIyQc5kHablf1FQ7VXOlxEfR.exe	203
PID 3752 set thread context of 6304	3752	wwChzDPQCqeubiQgXLudVvRp.exe	201
PID 3240 set thread context of 6480	3240	uneM6VL1X5k6S9L9GCues5xr.exe	205
PID 3980 set thread context of 6516	3980	0b7V52kCd5DohAljOqxHU766.exe	204
PID 3752 set thread context of 6772	3752	wwChzDPQCqeubiQgXLudVvRp.exe	208
PID 3240 set thread context of 6832	3240	uneM6VL1X5k6S9L9GCues5xr.exe	210
PID 3980 set thread context of 6872	3980	0b7V52kCd5DohAljOqxHU766.exe	209
PID 1184 set thread context of 6944	1184	iIyQc5kHablf1FQ7VXOlxEfR.exe	212
PID 3240 set thread context of 7104	3240	uneM6VL1X5k6S9L9GCues5xr.exe	216
PID 3980 set thread context of 7144	3980	0b7V52kCd5DohAljOqxHU766.exe	213
PID 3752 set thread context of 4868	3752	wwChzDPQCqeubiQgXLudVvRp.exe	214
PID 1184 set thread context of 6204	1184	iIyQc5kHablf1FQ7VXOlxEfR.exe	215
PID 3240 set thread context of 6620	3240	uneM6VL1X5k6S9L9GCues5xr.exe	224
PID 3980 set thread context of 6792	3980	0b7V52kCd5DohAljOqxHU766.exe	221
PID 3752 set thread context of 6540	3752	wwChzDPQCqeubiQgXLudVvRp.exe	217
PID 1184 set thread context of 2960	1184	iIyQc5kHablf1FQ7VXOlxEfR.exe	218
PID 3240 set thread context of 7028	3240	uneM6VL1X5k6S9L9GCues5xr.exe	223
PID 3980 set thread context of 6380	3980	0b7V52kCd5DohAljOqxHU766.exe	222
PID 1184 set thread context of 6344	1184	iIyQc5kHablf1FQ7VXOlxEfR.exe	1497
PID 3752 set thread context of 6616	3752	wwChzDPQCqeubiQgXLudVvRp.exe	226
PID 3980 set thread context of 7152	3980	0b7V52kCd5DohAljOqxHU766.exe	228

Drops file in Program Files directory 34 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe	GZgKom3jHIbu71DqjsY4pN4U.exe
File opened for modification	C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe	Process not Found
File created	C:\Program Files (x86)\Company\NewProduct\d	Process not Found
File opened for modification	C:\Program Files (x86)\Company\NewProduct\d.INTEG.RAW	Process not Found
File created	C:\Program Files (x86)\SmartPDF\SmartPDF\tmp.edb	Process not Found
File opened for modification	C:\Program Files (x86)\Company\NewProduct\cutm3.exe	0b7V52kCd5DohAljOqxHU766.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\Uninstall.exe	0b7V52kCd5DohAljOqxHU766.exe
File created	C:\Program Files (x86)\Company\NewProduct\tmp.edb	Process not Found
File created	C:\Program Files (x86)\Company\NewProduct\d.jfm	Process not Found
File created	C:\Program Files (x86)\SmartPDF\SmartPDF\d	Process not Found
File opened for modification	C:\Program Files (x86)\Company\NewProduct\d.INTEG.RAW	Process not Found
File created	C:\Program Files (x86)\Company\NewProduct\d.jfm	Process not Found
File created	C:\Program Files (x86)\SmartPDF\SmartPDF\d.jfm	Process not Found
File created	C:\Program Files (x86)\Company\NewProduct\Uninstall.ini	0b7V52kCd5DohAljOqxHU766.exe
File opened for modification	C:\Program Files (x86)\SmartPDF\SmartPDF\9840432e051a6fa1192594db02b80a4c1fd73456.exe	Process not Found
File created	C:\Program Files (x86)\SmartPDF\SmartPDF\Uninstall.ini	Process not Found
File opened for modification	C:\Program Files (x86)\Company\NewProduct\d	Process not Found
File created	C:\Program Files (x86)\Company\NewProduct\tmp.edb	Process not Found
File opened for modification	C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe	0b7V52kCd5DohAljOqxHU766.exe
File opened for modification	C:\Program Files (x86)\SmartPDF\SmartPDF\note866.exe	Process not Found
File opened for modification	C:\Program Files (x86)\SmartPDF\SmartPDF\PBrowFile15.exe	Process not Found
File opened for modification	C:\Program Files (x86)\Company\NewProduct\d.jfm	Process not Found
File opened for modification	C:\Program Files (x86)\Company\NewProduct\d.jfm	Process not Found
File opened for modification	C:\Program Files (x86)\Company\NewProduct\d	Process not Found
File opened for modification	C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe	GZgKom3jHIbu71DqjsY4pN4U.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\inst001.exe	0b7V52kCd5DohAljOqxHU766.exe
File opened for modification	C:\Program Files (x86)\SmartPDF\SmartPDF\lg.exe	Process not Found
File opened for modification	C:\Program Files (x86)\SmartPDF\SmartPDF\LivelyScreenRecS3.0.exe	Process not Found
File opened for modification	C:\Program Files (x86)\SmartPDF\SmartPDF\stats.exe	Process not Found
File opened for modification	C:\Program Files (x86)\SmartPDF\SmartPDF\Uninstall.exe	Process not Found
File created	C:\Program Files (x86)\Company\NewProduct\d	Process not Found
File opened for modification	C:\Program Files (x86)\SmartPDF\SmartPDF\d.INTEG.RAW	Process not Found
File opened for modification	C:\Program Files (x86)\SmartPDF\SmartPDF\d	Process not Found
File opened for modification	C:\Program Files (x86)\SmartPDF\SmartPDF\d.jfm	Process not Found

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 30 IoCs

pid	pid_target	Process	procid_target
4832	1224	WerFault.exe	81
4424	1224	WerFault.exe	81
4804	1224	WerFault.exe	81
492	1224	WerFault.exe	81
5516	8	WerFault.exe	97
5832	5476	WerFault.exe
5944	8	WerFault.exe	97
5052	4080	WerFault.exe	98
5776	4080	WerFault.exe	98
5248	4080	WerFault.exe	98
5580	8	WerFault.exe	97
5864	4080	WerFault.exe	98
5160	4624	WerFault.exe	124
6068	1224	WerFault.exe	81
4728	8	WerFault.exe	97
6400	4080	WerFault.exe	98
6936	4868	WerFault.exe	214
6800	4080	WerFault.exe	98
3180	8	WerFault.exe	97
7972	8	WerFault.exe	97
7312	7996	WerFault.exe	248
508	3876	WerFault.exe	122
6768	3712	WerFault.exe	84
8780	8360	WerFault.exe	281
2276	8	WerFault.exe	97
1592	8	WerFault.exe	97
5048	9228	WerFault.exe	343
296	4080	WerFault.exe	98
11240	4080	WerFault.exe	98
12148	4080	WerFault.exe	98

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	HHts2h5WUPmmPBJ3I_wk3ix0.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	HHts2h5WUPmmPBJ3I_wk3ix0.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	HHts2h5WUPmmPBJ3I_wk3ix0.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

pid	Process
4684	schtasks.exe
1296	schtasks.exe

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
8324	timeout.exe
38660	Process not Found

Kills process with taskkill 1 IoCs

evasion

pid	Process
9780	taskkill.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	Process not Found

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	JZ9kmujNDN_MkAEoY1I7CLtw.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	JZ9kmujNDN_MkAEoY1I7CLtw.exe

Script User-Agent 12 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	380	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	395	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	962	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	1588	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	1699	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	5472	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	331	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	382	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	877	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	894	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	901	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	1590	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
740	Setup (18).exe
740	Setup (18).exe
4596	HHts2h5WUPmmPBJ3I_wk3ix0.exe
4596	HHts2h5WUPmmPBJ3I_wk3ix0.exe
2724	Process not Found
2724	Process not Found
2724	Process not Found
2724	Process not Found
2724	Process not Found
2724	Process not Found
2724	Process not Found
2724	Process not Found
2724	Process not Found
2724	Process not Found
4832	4O9zBn20a0dHuKmiJDcWfKpz.exe
4832	4O9zBn20a0dHuKmiJDcWfKpz.exe
4832	4O9zBn20a0dHuKmiJDcWfKpz.exe
4832	4O9zBn20a0dHuKmiJDcWfKpz.exe
4832	4O9zBn20a0dHuKmiJDcWfKpz.exe
4832	4O9zBn20a0dHuKmiJDcWfKpz.exe
4832	4O9zBn20a0dHuKmiJDcWfKpz.exe
4832	4O9zBn20a0dHuKmiJDcWfKpz.exe
4832	4O9zBn20a0dHuKmiJDcWfKpz.exe
4832	4O9zBn20a0dHuKmiJDcWfKpz.exe
4832	4O9zBn20a0dHuKmiJDcWfKpz.exe
4832	4O9zBn20a0dHuKmiJDcWfKpz.exe
4832	4O9zBn20a0dHuKmiJDcWfKpz.exe
4832	4O9zBn20a0dHuKmiJDcWfKpz.exe
4832	4O9zBn20a0dHuKmiJDcWfKpz.exe
4832	4O9zBn20a0dHuKmiJDcWfKpz.exe
4832	4O9zBn20a0dHuKmiJDcWfKpz.exe
4832	4O9zBn20a0dHuKmiJDcWfKpz.exe
4832	4O9zBn20a0dHuKmiJDcWfKpz.exe
2724	Process not Found
2724	Process not Found
2724	Process not Found
2724	Process not Found
2724	Process not Found
2724	Process not Found
2724	Process not Found
2724	Process not Found
2724	Process not Found
2724	Process not Found
2724	Process not Found
2724	Process not Found
2724	Process not Found
2724	Process not Found
2724	Process not Found
2724	Process not Found
2724	Process not Found
2724	Process not Found
2724	Process not Found
2724	Process not Found
2724	Process not Found
2724	Process not Found
2724	Process not Found
2724	Process not Found
2724	Process not Found
2724	Process not Found
2724	Process not Found
2724	Process not Found
2724	Process not Found
2724	Process not Found
2724	Process not Found

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2724	Process not Found

Suspicious behavior: MapViewOfSection 19 IoCs

pid	Process
4596	HHts2h5WUPmmPBJ3I_wk3ix0.exe
2724	Process not Found
2724	Process not Found
2724	Process not Found
2724	Process not Found
2724	Process not Found
2724	Process not Found
2724	Process not Found
2724	Process not Found
2724	Process not Found
2724	Process not Found
2724	Process not Found
2724	Process not Found
2724	Process not Found
2724	Process not Found
2724	Process not Found
2724	Process not Found
2724	Process not Found
2724	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	884	PNz8Q9aRVyKTIvCbofT3xNUQ.exe
Token: SeDebugPrivilege	4056	nLERdYlIJdOTDL4mvVAvna2s.exe
Token: SeRestorePrivilege	4832	4O9zBn20a0dHuKmiJDcWfKpz.exe
Token: SeBackupPrivilege	4832	4O9zBn20a0dHuKmiJDcWfKpz.exe
Token: SeShutdownPrivilege	2724	Process not Found
Token: SeCreatePagefilePrivilege	2724	Process not Found
Token: SeDebugPrivilege	4832	4O9zBn20a0dHuKmiJDcWfKpz.exe
Token: SeShutdownPrivilege	2724	Process not Found
Token: SeCreatePagefilePrivilege	2724	Process not Found
Token: SeShutdownPrivilege	2724	Process not Found
Token: SeCreatePagefilePrivilege	2724	Process not Found
Token: SeShutdownPrivilege	2724	Process not Found
Token: SeCreatePagefilePrivilege	2724	Process not Found
Token: SeDebugPrivilege	4424	WerFault.exe
Token: SeDebugPrivilege	4804	WerFault.exe
Token: SeDebugPrivilege	3704	kOfXEaDU0u13JlaWCkT13AwN.exe
Token: SeDebugPrivilege	2000	uY6J5fCoaNq4TRYQk5wv1ME1.exe
Token: SeDebugPrivilege	3964	iYa98gpsLoIdFghhIEfGow1J.exe
Token: SeDebugPrivilege	4504	uneM6VL1X5k6S9L9GCues5xr.exe
Token: SeDebugPrivilege	4708	uneM6VL1X5k6S9L9GCues5xr.exe
Token: SeDebugPrivilege	492	WerFault.exe
Token: SeShutdownPrivilege	2724	Process not Found
Token: SeCreatePagefilePrivilege	2724	Process not Found
Token: SeShutdownPrivilege	2724	Process not Found
Token: SeCreatePagefilePrivilege	2724	Process not Found
Token: SeShutdownPrivilege	2724	Process not Found
Token: SeCreatePagefilePrivilege	2724	Process not Found
Token: SeShutdownPrivilege	2724	Process not Found
Token: SeCreatePagefilePrivilege	2724	Process not Found
Token: SeShutdownPrivilege	2724	Process not Found
Token: SeCreatePagefilePrivilege	2724	Process not Found
Token: SeShutdownPrivilege	2724	Process not Found
Token: SeCreatePagefilePrivilege	2724	Process not Found
Token: SeDebugPrivilege	5248	iIyQc5kHablf1FQ7VXOlxEfR.exe
Token: SeShutdownPrivilege	2724	Process not Found
Token: SeCreatePagefilePrivilege	2724	Process not Found
Token: SeShutdownPrivilege	2724	Process not Found
Token: SeCreatePagefilePrivilege	2724	Process not Found
Token: SeShutdownPrivilege	2724	Process not Found
Token: SeCreatePagefilePrivilege	2724	Process not Found
Token: SeShutdownPrivilege	2724	Process not Found
Token: SeCreatePagefilePrivilege	2724	Process not Found
Token: SeDebugPrivilege	5776	WerFault.exe
Token: SeDebugPrivilege	4980	uneM6VL1X5k6S9L9GCues5xr.exe
Token: SeShutdownPrivilege	2724	Process not Found
Token: SeCreatePagefilePrivilege	2724	Process not Found
Token: SeShutdownPrivilege	2724	Process not Found
Token: SeCreatePagefilePrivilege	2724	Process not Found
Token: SeShutdownPrivilege	2724	Process not Found
Token: SeCreatePagefilePrivilege	2724	Process not Found
Token: SeShutdownPrivilege	2724	Process not Found
Token: SeCreatePagefilePrivilege	2724	Process not Found
Token: SeShutdownPrivilege	2724	Process not Found
Token: SeCreatePagefilePrivilege	2724	Process not Found
Token: SeShutdownPrivilege	2724	Process not Found
Token: SeCreatePagefilePrivilege	2724	Process not Found
Token: SeDebugPrivilege	5052	WerFault.exe
Token: SeDebugPrivilege	3940	uneM6VL1X5k6S9L9GCues5xr.exe
Token: SeShutdownPrivilege	2724	Process not Found
Token: SeCreatePagefilePrivilege	2724	Process not Found
Token: SeShutdownPrivilege	2724	Process not Found
Token: SeCreatePagefilePrivilege	2724	Process not Found
Token: SeDebugPrivilege	5864	WerFault.exe
Token: SeShutdownPrivilege	2724	Process not Found

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
5700	FVdcIt_v7pzZH2ewD1L3pDGa.tmp
2724	Process not Found
2724	Process not Found
2724	Process not Found
2724	Process not Found
13476	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 740 wrote to memory of 3848	740	Setup (18).exe	78
PID 740 wrote to memory of 3848	740	Setup (18).exe	78
PID 740 wrote to memory of 3704	740	Setup (18).exe	91
PID 740 wrote to memory of 3704	740	Setup (18).exe	91
PID 740 wrote to memory of 3704	740	Setup (18).exe	91
PID 740 wrote to memory of 3876	740	Setup (18).exe	122
PID 740 wrote to memory of 3876	740	Setup (18).exe	122
PID 740 wrote to memory of 3876	740	Setup (18).exe	122
PID 740 wrote to memory of 3980	740	Setup (18).exe	93
PID 740 wrote to memory of 3980	740	Setup (18).exe	93
PID 740 wrote to memory of 3980	740	Setup (18).exe	93
PID 740 wrote to memory of 4088	740	Setup (18).exe	90
PID 740 wrote to memory of 4088	740	Setup (18).exe	90
PID 740 wrote to memory of 4088	740	Setup (18).exe	90
PID 740 wrote to memory of 4084	740	Setup (18).exe	94
PID 740 wrote to memory of 4084	740	Setup (18).exe	94
PID 740 wrote to memory of 4084	740	Setup (18).exe	94
PID 740 wrote to memory of 4056	740	Setup (18).exe	80
PID 740 wrote to memory of 4056	740	Setup (18).exe	80
PID 740 wrote to memory of 3712	740	Setup (18).exe	84
PID 740 wrote to memory of 3712	740	Setup (18).exe	84
PID 740 wrote to memory of 3712	740	Setup (18).exe	84
PID 740 wrote to memory of 3840	740	Setup (18).exe	83
PID 740 wrote to memory of 3840	740	Setup (18).exe	83
PID 740 wrote to memory of 3840	740	Setup (18).exe	83
PID 740 wrote to memory of 3964	740	Setup (18).exe	92
PID 740 wrote to memory of 3964	740	Setup (18).exe	92
PID 740 wrote to memory of 3964	740	Setup (18).exe	92
PID 740 wrote to memory of 2548	740	Setup (18).exe	82
PID 740 wrote to memory of 2548	740	Setup (18).exe	82
PID 740 wrote to memory of 2548	740	Setup (18).exe	82
PID 740 wrote to memory of 1224	740	Setup (18).exe	81
PID 740 wrote to memory of 1224	740	Setup (18).exe	81
PID 740 wrote to memory of 1224	740	Setup (18).exe	81
PID 740 wrote to memory of 3752	740	Setup (18).exe	88
PID 740 wrote to memory of 3752	740	Setup (18).exe	88
PID 740 wrote to memory of 3752	740	Setup (18).exe	88
PID 740 wrote to memory of 2000	740	Setup (18).exe	85
PID 740 wrote to memory of 2000	740	Setup (18).exe	85
PID 740 wrote to memory of 2000	740	Setup (18).exe	85
PID 740 wrote to memory of 3240	740	Setup (18).exe	89
PID 740 wrote to memory of 3240	740	Setup (18).exe	89
PID 740 wrote to memory of 3240	740	Setup (18).exe	89
PID 740 wrote to memory of 1728	740	Setup (18).exe	87
PID 740 wrote to memory of 1728	740	Setup (18).exe	87
PID 740 wrote to memory of 1728	740	Setup (18).exe	87
PID 740 wrote to memory of 972	740	Setup (18).exe	86
PID 740 wrote to memory of 972	740	Setup (18).exe	86
PID 740 wrote to memory of 972	740	Setup (18).exe	86
PID 740 wrote to memory of 884	740	Setup (18).exe	79
PID 740 wrote to memory of 884	740	Setup (18).exe	79
PID 740 wrote to memory of 4080	740	Setup (18).exe	98
PID 740 wrote to memory of 4080	740	Setup (18).exe	98
PID 740 wrote to memory of 4080	740	Setup (18).exe	98
PID 740 wrote to memory of 8	740	Setup (18).exe	97
PID 740 wrote to memory of 8	740	Setup (18).exe	97
PID 740 wrote to memory of 8	740	Setup (18).exe	97
PID 3752 wrote to memory of 4488	3752	wwChzDPQCqeubiQgXLudVvRp.exe	107
PID 3752 wrote to memory of 4488	3752	wwChzDPQCqeubiQgXLudVvRp.exe	107
PID 3752 wrote to memory of 4488	3752	wwChzDPQCqeubiQgXLudVvRp.exe	107
PID 3980 wrote to memory of 4496	3980	0b7V52kCd5DohAljOqxHU766.exe	105
PID 3980 wrote to memory of 4496	3980	0b7V52kCd5DohAljOqxHU766.exe	105
PID 3980 wrote to memory of 4496	3980	0b7V52kCd5DohAljOqxHU766.exe	105
PID 3240 wrote to memory of 4504	3240	uneM6VL1X5k6S9L9GCues5xr.exe	106

C:\Users\Admin\AppData\Local\Temp\Setup (18).exe
"C:\Users\Admin\AppData\Local\Temp\Setup (18).exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:740
- C:\Users\Admin\Documents\JaUAvwipY09gn9zzGEvRgnJq.exe
  "C:\Users\Admin\Documents\JaUAvwipY09gn9zzGEvRgnJq.exe"
  2⤵
  - Executes dropped EXE
  PID:3848
- C:\Users\Admin\Documents\PNz8Q9aRVyKTIvCbofT3xNUQ.exe
  "C:\Users\Admin\Documents\PNz8Q9aRVyKTIvCbofT3xNUQ.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:884
- - C:\Users\Admin\AppData\Roaming\7287603.exe
    "C:\Users\Admin\AppData\Roaming\7287603.exe"
    3⤵
    PID:5788
- - C:\Users\Admin\AppData\Roaming\4723136.exe
    "C:\Users\Admin\AppData\Roaming\4723136.exe"
    3⤵
    PID:6072
- - C:\Users\Admin\AppData\Roaming\5002068.exe
    "C:\Users\Admin\AppData\Roaming\5002068.exe"
    3⤵
    PID:4328
- - C:\Users\Admin\AppData\Roaming\1154428.exe
    "C:\Users\Admin\AppData\Roaming\1154428.exe"
    3⤵
    - Adds Run key to start application
    PID:3408
  - - C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
      "C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
      4⤵
      PID:10464
- - C:\Users\Admin\AppData\Roaming\3289538.exe
    "C:\Users\Admin\AppData\Roaming\3289538.exe"
    3⤵
    PID:5996
- C:\Users\Admin\Documents\nLERdYlIJdOTDL4mvVAvna2s.exe
  "C:\Users\Admin\Documents\nLERdYlIJdOTDL4mvVAvna2s.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4056
- C:\Users\Admin\Documents\1eDbHgJ50YaTjoE86V2Yn3zE.exe
  "C:\Users\Admin\Documents\1eDbHgJ50YaTjoE86V2Yn3zE.exe"
  2⤵
  - Executes dropped EXE
  PID:1224
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1224 -s 656
    3⤵
    - Program crash
    PID:4832
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1224 -s 672
    3⤵
    - Program crash
    - Suspicious use of AdjustPrivilegeToken
    PID:4424
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1224 -s 680
    3⤵
    - Program crash
    - Suspicious use of AdjustPrivilegeToken
    PID:4804
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1224 -s 632
    3⤵
    - Program crash
    - Suspicious use of AdjustPrivilegeToken
    PID:492
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1224 -s 1080
    3⤵
    - Suspicious use of NtCreateProcessExOtherParentProcess
    - Program crash
    PID:6068
- C:\Users\Admin\Documents\IshaTFVLGgqlhUNgo3dznOpD.exe
  "C:\Users\Admin\Documents\IshaTFVLGgqlhUNgo3dznOpD.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2548
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\Documents\IshaTFVLGgqlhUNgo3dznOpD.exe"
    3⤵
    PID:976
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /T 10 /NOBREAK
      4⤵
      Delays execution with timeout.exe
      PID:8324
- C:\Users\Admin\Documents\4O9zBn20a0dHuKmiJDcWfKpz.exe
  "C:\Users\Admin\Documents\4O9zBn20a0dHuKmiJDcWfKpz.exe"
  2⤵
  - Executes dropped EXE
  PID:3840
- - C:\Users\Admin\Documents\4O9zBn20a0dHuKmiJDcWfKpz.exe
    "C:\Users\Admin\Documents\4O9zBn20a0dHuKmiJDcWfKpz.exe" -u
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4832
- C:\Users\Admin\Documents\JZ9kmujNDN_MkAEoY1I7CLtw.exe
  "C:\Users\Admin\Documents\JZ9kmujNDN_MkAEoY1I7CLtw.exe"
  2⤵
  - Executes dropped EXE
  - Modifies system certificate store
  PID:3712
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3712 -s 900
    3⤵
    - Suspicious use of NtCreateProcessExOtherParentProcess
    - Program crash
    PID:6768
- C:\Users\Admin\Documents\uY6J5fCoaNq4TRYQk5wv1ME1.exe
  "C:\Users\Admin\Documents\uY6J5fCoaNq4TRYQk5wv1ME1.exe"
  2⤵
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of AdjustPrivilegeToken
  PID:2000
- C:\Users\Admin\Documents\rzjSJQNOOTyDuUL3CRcYc4GU.exe
  "C:\Users\Admin\Documents\rzjSJQNOOTyDuUL3CRcYc4GU.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:972
- - C:\Users\Admin\Documents\rzjSJQNOOTyDuUL3CRcYc4GU.exe
    "C:\Users\Admin\Documents\rzjSJQNOOTyDuUL3CRcYc4GU.exe"
    3⤵
    PID:3176
- C:\Users\Admin\Documents\9Jef0kAT8p8zATMKYHiQ4AtX.exe
  "C:\Users\Admin\Documents\9Jef0kAT8p8zATMKYHiQ4AtX.exe"
  2⤵
  - Executes dropped EXE
  PID:1728
- - C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\System32\mshta.exe" VbsCrIPt: cLOSe( CREAteobjecT ("wScRiPT.ShElL" ).RUN ( "C:\Windows\system32\cmd.exe /C tYpe ""C:\Users\Admin\Documents\9Jef0kAT8p8zATMKYHiQ4AtX.exe"" > IQ0V_Fe_.eXE && StaRt IQ0v_FE_.ExE -poRsuYEMryiLi & if """"== """" for %m in ( ""C:\Users\Admin\Documents\9Jef0kAT8p8zATMKYHiQ4AtX.exe"" ) do taskkill /iM ""%~NXm"" -F" ,0 , TRUE ))
    3⤵
    PID:5040
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /C tYpe "C:\Users\Admin\Documents\9Jef0kAT8p8zATMKYHiQ4AtX.exe" > IQ0V_Fe_.eXE && StaRt IQ0v_FE_.ExE -poRsuYEMryiLi& if ""== "" for %m in ("C:\Users\Admin\Documents\9Jef0kAT8p8zATMKYHiQ4AtX.exe" ) do taskkill /iM "%~NXm" -F
      4⤵
      PID:9036
    - - C:\Users\Admin\AppData\Local\Temp\IQ0V_Fe_.eXE
        
        IQ0v_FE_.ExE -poRsuYEMryiLi
        5⤵
        
        PID:9248
      - C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" VbsCrIPt: cLOSe( CREAteobjecT ("wScRiPT.ShElL" ).RUN ( "C:\Windows\system32\cmd.exe /C tYpe ""C:\Users\Admin\AppData\Local\Temp\IQ0V_Fe_.eXE"" > IQ0V_Fe_.eXE && StaRt IQ0v_FE_.ExE -poRsuYEMryiLi & if ""-poRsuYEMryiLi""== """" for %m in ( ""C:\Users\Admin\AppData\Local\Temp\IQ0V_Fe_.eXE"" ) do taskkill /iM ""%~NXm"" -F" ,0 , TRUE ))
        6⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /C tYpe "C:\Users\Admin\AppData\Local\Temp\IQ0V_Fe_.eXE" > IQ0V_Fe_.eXE && StaRt IQ0v_FE_.ExE -poRsuYEMryiLi& if "-poRsuYEMryiLi"== "" for %m in ("C:\Users\Admin\AppData\Local\Temp\IQ0V_Fe_.eXE" ) do taskkill /iM "%~NXm" -F
        7⤵
        
        PID:14644
      - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" VHTDDahA.G,XBvVyh
        6⤵
        
        PID:18892
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /iM "9Jef0kAT8p8zATMKYHiQ4AtX.exe" -F
        5⤵
        Kills process with taskkill
        
        PID:9780
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" VHTDDahA.G,XBvVyh
    3⤵
    PID:6336
- C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
  "C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:3752
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    - Executes dropped EXE
    PID:4488
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    - Executes dropped EXE
    PID:4616
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    - Executes dropped EXE
    PID:5028
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    - Executes dropped EXE
    PID:4548
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    - Executes dropped EXE
    PID:5024
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    - Executes dropped EXE
    PID:544
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    - Executes dropped EXE
    PID:5284
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    - Executes dropped EXE
    PID:5596
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    - Executes dropped EXE
    PID:5900
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    - Executes dropped EXE
    PID:5244
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    - Executes dropped EXE
    PID:5304
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    PID:2748
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    PID:1764
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    PID:4276
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    PID:4160
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    PID:1840
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    PID:6304
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    PID:6772
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    PID:4868
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4868 -s 24
      4⤵
      Program crash
      PID:6936
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    PID:6540
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    PID:6616
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    PID:6780
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    PID:5696
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    PID:7524
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    PID:7956
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    PID:4972
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    PID:7400
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    PID:7956
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    PID:7976
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    PID:7424
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    PID:7736
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    PID:8304
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    PID:8676
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    PID:8904
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    PID:424
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    PID:8972
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    PID:8916
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    PID:8632
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    PID:9480
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    PID:9756
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    PID:10056
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    PID:9448
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    PID:10128
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    PID:9980
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    PID:7448
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    PID:4740
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    PID:2320
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    PID:10332
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    PID:10692
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    PID:10972
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    PID:8172
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    PID:4364
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    PID:7308
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    PID:11164
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    PID:6164
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    PID:11440
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    PID:11908
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    PID:8172
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    PID:11840
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    PID:11528
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    PID:11688
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    PID:11732
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    PID:10620
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    PID:12712
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    PID:13032
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    PID:12652
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    PID:13000
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    PID:12984
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    PID:5368
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    PID:13732
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    PID:14168
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    PID:10844
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    PID:13760
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    PID:7248
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    PID:14548
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    PID:14948
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    PID:14600
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    PID:14404
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    PID:4532
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    PID:11824
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    PID:15460
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    PID:15956
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    PID:15476
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    PID:15812
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    PID:15796
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    PID:15652
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    PID:15368
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    PID:16768
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    PID:17372
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    PID:16928
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    PID:11660
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    PID:12400
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    PID:10404
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    PID:17836
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    PID:18296
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    PID:17740
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    PID:17972
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    PID:7740
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    PID:19064
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    PID:19396
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    PID:18652
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    PID:17360
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    PID:2760
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    PID:12016
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    PID:15440
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    PID:19868
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    PID:20388
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    PID:14384
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    PID:4440
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    PID:11816
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    PID:20064
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    PID:19912
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    PID:19196
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    PID:20856
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    PID:21248
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    PID:20968
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    PID:20092
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    PID:19404
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    PID:21684
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    PID:22128
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    PID:20260
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    PID:21816
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    PID:19936
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    PID:21796
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    PID:19916
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    PID:22804
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    PID:22476
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    PID:23416
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    PID:23104
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    PID:22592
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    PID:22432
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    PID:23584
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    PID:23924
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    PID:24228
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    PID:20516
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    PID:24088
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    PID:22084
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    PID:19236
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    PID:25020
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    PID:19616
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    PID:22616
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    PID:26304
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    PID:672
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    PID:26384
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    PID:23976
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    PID:24304
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    PID:24044
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    PID:27480
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    PID:21368
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    PID:27612
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    PID:25960
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    PID:27872
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    PID:28420
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    PID:24924
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    PID:28000
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    PID:25040
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    PID:20548
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    PID:23884
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    PID:29476
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    PID:29248
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    PID:27548
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    PID:13856
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    PID:29604
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    PID:24620
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    PID:19284
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    PID:28912
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    PID:18500
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    PID:30428
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    PID:28556
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    PID:24996
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    PID:30576
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    PID:28128
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    PID:30504
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    PID:24100
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    PID:11324
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    PID:12228
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    PID:31384
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    PID:24660
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    PID:25012
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    PID:31344
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    PID:29316
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    PID:32120
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    PID:32756
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    PID:31892
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    PID:31424
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    PID:31148
- - C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    C:\Users\Admin\Documents\wwChzDPQCqeubiQgXLudVvRp.exe
    3⤵
    PID:33728
- C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
  "C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:3240
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4504
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4708
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4980
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:3940
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    - Executes dropped EXE
    PID:4624
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4624 -s 24
      4⤵
      Program crash
      PID:5160
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    - Executes dropped EXE
    PID:5816
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    - Executes dropped EXE
    PID:6120
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    - Executes dropped EXE
    PID:5476
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    - Executes dropped EXE
    PID:4736
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    - Executes dropped EXE
    PID:5640
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:5164
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:4188
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:5520
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    - Executes dropped EXE
    PID:1756
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:2252
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:6180
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:6480
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:6832
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:7104
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:7028
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:6620
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:6956
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:6112
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:6880
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:7688
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:7340
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:7996
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 7996 -s 24
      4⤵
      Program crash
      PID:7312
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:7244
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:7764
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:8168
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:7480
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:8096
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:6844
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:8248
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:8552
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:8840
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:9176
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:8784
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:8652
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:8752
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:9272
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:9552
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:9824
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:10192
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:9568
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:8868
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:10016
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:9468
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:4148
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:2332
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:10264
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:10580
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:10916
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:10244
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:10652
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:2392
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:10676
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:8616
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:11280
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:11744
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:12104
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:11592
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:12180
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:11896
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:11860
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:11752
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:12516
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:12876
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:13252
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:12940
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:10344
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:12720
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:8828
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:13704
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:14124
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:13756
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:9540
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:13424
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:14452
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:14888
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:14400
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:15092
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:14980
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:14612
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:2188
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:15728
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:16204
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:15652
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:12772
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:15892
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:16060
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:14112
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:16728
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:17348
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:16760
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:16428
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:16792
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:12696
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:17508
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:18032
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:18424
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:8800
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:17768
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:15692
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:18940
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:6116
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:19184
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:9036
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:19208
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:4924
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:19652
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:20036
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:17404
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:19764
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:17712
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:20280
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:19884
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:20216
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:19124
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:20740
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:21232
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:20568
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:20576
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:16300
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:20704
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:21904
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:22440
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:22252
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:21568
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:22236
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:19656
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:18436
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:22880
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:23504
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:22744
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:23156
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:20048
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:20144
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:23288
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:23776
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:24088
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:24528
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:23856
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:24448
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:20516
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:19536
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:25156
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:25572
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:22800
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:21304
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:26288
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:25668
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:26356
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:24704
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:26596
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:22668
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:27360
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:26296
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:26636
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:21592
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:27064
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:28352
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:27840
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:27016
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:25756
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:28532
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:17252
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:23268
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:27992
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:29252
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:29640
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:27744
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:28740
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:22456
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:29296
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:29032
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:25864
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:29424
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:28488
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:25868
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:30316
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:19240
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:26696
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:24840
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:28804
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:30152
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:28580
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:16412
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:30800
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:31304
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:23040
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:2420
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:816
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:17168
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:25568
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:31752
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:32156
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:28560
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:29296
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:18076
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:30744
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:33272
- - C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    C:\Users\Admin\Documents\uneM6VL1X5k6S9L9GCues5xr.exe
    3⤵
    PID:32672
- C:\Users\Admin\Documents\eSSwLFhLo_Zw9QlAY3r5jed4.exe
  "C:\Users\Admin\Documents\eSSwLFhLo_Zw9QlAY3r5jed4.exe"
  2⤵
  - Executes dropped EXE
  PID:4088
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\KBAvfsr.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\KBAvfsr.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:3876
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3876 -s 264
      4⤵
      Program crash
      PID:508
- C:\Users\Admin\Documents\kOfXEaDU0u13JlaWCkT13AwN.exe
  "C:\Users\Admin\Documents\kOfXEaDU0u13JlaWCkT13AwN.exe"
  2⤵
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of AdjustPrivilegeToken
  PID:3704
- C:\Users\Admin\Documents\iYa98gpsLoIdFghhIEfGow1J.exe
  "C:\Users\Admin\Documents\iYa98gpsLoIdFghhIEfGow1J.exe"
  2⤵
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of AdjustPrivilegeToken
  PID:3964
- C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
  "C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:3980
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    - Executes dropped EXE
    PID:4496
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    - Executes dropped EXE
    PID:4692
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    - Executes dropped EXE
    PID:4928
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    - Executes dropped EXE
    PID:2300
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    - Executes dropped EXE
    PID:4680
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    - Executes dropped EXE
    PID:4572
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    - Executes dropped EXE
    PID:3144
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    - Executes dropped EXE
    PID:5532
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    - Executes dropped EXE
    PID:5792
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    - Executes dropped EXE
    PID:6088
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    - Executes dropped EXE
    PID:5964
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    - Executes dropped EXE
    PID:5616
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:5140
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:5524
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:5572
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:2228
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:6148
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:6516
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:6872
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:7144
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:6792
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:6380
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:7152
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:6256
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:7228
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:7516
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:7876
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:6824
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:7616
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:2160
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:6880
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:7308
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:4044
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:5680
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:8360
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 8360 -s 24
      4⤵
      Program crash
      PID:8780
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:8744
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:8992
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:8520
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:8280
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID:4264
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:6820
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:9520
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:9788
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:10104
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:9492
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:10140
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:5656
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:7960
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:1640
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:1456
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:10296
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:10600
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:10904
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:11256
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:10788
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:10288
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:8172
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:4784
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:7296
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:11696
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:12072
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:11532
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:12004
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:11932
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:12176
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:10408
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:12440
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:12824
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:13208
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:12620
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:12308
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:7976
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:12412
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:13664
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:14140
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:13492
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:14308
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:6024
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:14492
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:14912
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:14424
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:15140
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:14688
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:14020
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:7588
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:15668
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:16148
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:8584
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:16024
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:10576
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:7748
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:16480
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:17100
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:16668
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:12944
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:17096
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:17348
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:17424
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:17956
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:18356
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:17588
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:7952
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:7356
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:18824
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:19308
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:6544
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:9704
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:18832
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:17272
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:18704
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:19672
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:20100
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:19564
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:20160
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:16904
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:14468
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:15208
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:7368
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:11812
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:20580
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:21032
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:17616
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:21272
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:21296
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:12600
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:21708
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:22108
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:13132
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:22012
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:22032
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:22004
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:17952
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:22548
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:22960
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:23436
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:22788
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:23224
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:22824
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:22620
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:14824
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:23656
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:24024
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:24472
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:23736
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:24180
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:21664
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:24340
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:24892
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:25452
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:24696
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:23080
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:25952
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:26580
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:15776
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:21048
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:25856
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:23864
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:25524
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:27444
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:23824
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:27544
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:27264
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:27132
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:28232
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:28632
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:28036
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:10596
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:28176
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:26576
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:26092
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:29212
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:29616
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:25872
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:27372
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:28980
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:29128
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:29060
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:29160
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:23728
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:28804
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:30068
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:30508
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:27504
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:29756
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:28308
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:26052
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:29860
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:30124
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:25932
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:31008
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:31504
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:27788
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:31220
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:27028
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:29376
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:29800
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:32196
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:19316
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:29612
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:28924
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:32272
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:33100
- - C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    C:\Users\Admin\Documents\0b7V52kCd5DohAljOqxHU766.exe
    3⤵
    PID:33552
- C:\Users\Admin\Documents\GZgKom3jHIbu71DqjsY4pN4U.exe
  "C:\Users\Admin\Documents\GZgKom3jHIbu71DqjsY4pN4U.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:4084
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:4684
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:1296
- C:\Users\Admin\Documents\HHts2h5WUPmmPBJ3I_wk3ix0.exe
  "C:\Users\Admin\Documents\HHts2h5WUPmmPBJ3I_wk3ix0.exe"
  2⤵
  PID:3876
- - C:\Users\Admin\Documents\HHts2h5WUPmmPBJ3I_wk3ix0.exe
    "C:\Users\Admin\Documents\HHts2h5WUPmmPBJ3I_wk3ix0.exe"
    3⤵
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    PID:4596
- C:\Users\Admin\Documents\DYkZKW2Jtrz8zynYHTtFCkw_.exe
  "C:\Users\Admin\Documents\DYkZKW2Jtrz8zynYHTtFCkw_.exe"
  2⤵
  - Executes dropped EXE
  PID:8
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 8 -s 396
    3⤵
    - Program crash
    PID:5516
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 8 -s 252
    3⤵
    - Program crash
    PID:5944
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 8 -s 432
    3⤵
    - Program crash
    PID:5580
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 8 -s 624
    3⤵
    - Program crash
    PID:4728
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 8 -s 636
    3⤵
    - Program crash
    PID:3180
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 8 -s 624
    3⤵
    - Program crash
    PID:7972
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 8 -s 692
    3⤵
    - Program crash
    PID:2276
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 8 -s 700
    3⤵
    - Program crash
    PID:1592
- C:\Users\Admin\Documents\jxO918J8OPe3sYkKEjk9yikv.exe
  "C:\Users\Admin\Documents\jxO918J8OPe3sYkKEjk9yikv.exe"
  2⤵
  - Executes dropped EXE
  PID:4080
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4080 -s 636
    3⤵
    - Program crash
    - Suspicious use of AdjustPrivilegeToken
    PID:5052
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4080 -s 676
    3⤵
    - Program crash
    - Suspicious use of AdjustPrivilegeToken
    PID:5776
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4080 -s 664
    3⤵
    - Program crash
    PID:5248
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4080 -s 648
    3⤵
    - Program crash
    - Suspicious use of AdjustPrivilegeToken
    PID:5864
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4080 -s 892
    3⤵
    - Program crash
    PID:6400
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4080 -s 896
    3⤵
    - Program crash
    PID:6800
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4080 -s 1184
    3⤵
    - Program crash
    PID:296
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4080 -s 1224
    3⤵
    - Program crash
    PID:11240
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4080 -s 1340
    3⤵
    - Program crash
    PID:12148
- C:\Users\Admin\Documents\y60vZG2qI7WcQW9mlJ6eEYh2.exe
  "C:\Users\Admin\Documents\y60vZG2qI7WcQW9mlJ6eEYh2.exe"
  2⤵
  PID:4264
- - C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
    "C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"
    3⤵
    PID:8364
- - C:\Program Files (x86)\Company\NewProduct\cutm3.exe
    "C:\Program Files (x86)\Company\NewProduct\cutm3.exe"
    3⤵
    PID:3932
- - C:\Program Files (x86)\Company\NewProduct\inst001.exe
    "C:\Program Files (x86)\Company\NewProduct\inst001.exe"
    3⤵
    PID:4092
- C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
  "C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:1184
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    - Executes dropped EXE
    PID:5984
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    - Executes dropped EXE
    PID:1220
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    - Executes dropped EXE
    PID:4952
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:5116
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:3928
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:3176
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:2956
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:2868
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:6268
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:6676
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:6944
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:6204
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:2960
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:6344
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:7000
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:6664
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:7400
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:7720
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:8044
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:6800
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:2860
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5248
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:7304
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:7628
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:1724
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:8216
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:8476
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:8812
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:9088
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:8672
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:8596
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:8312
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:8480
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:9508
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:9816
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:10160
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:8480
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:5372
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:9452
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:9228
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 9228 -s 24
      4⤵
      Program crash
      PID:5048
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:9448
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:3368
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:3628
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:10552
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:10860
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:11180
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:10724
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:5096
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:3628
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:756
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:296
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:11664
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:12020
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:11380
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:11956
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:7676
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:11796
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:8404
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:12372
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:12748
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:13140
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:12720
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:12964
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:11668
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:12424
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:13532
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:13980
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:11452
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:13536
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:12144
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:9288
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:14680
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:15036
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:13336
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:14448
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:9872
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:9184
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:15384
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:15824
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:16328
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:15744
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:12820
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:15612
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:10348
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:16504
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:17136
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:7668
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:14104
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:16868
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:15264
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:14176
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:17924
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:18400
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:17728
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:17756
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:17308
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:18840
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:19328
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:15456
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:19216
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:19148
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:15444
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:9648
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:19904
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:20360
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:19596
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:20352
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:20084
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:20336
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:20012
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:15880
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:20304
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:20700
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:21128
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:20752
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:21032
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:20560
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:21280
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:21852
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:22396
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:22088
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:22464
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:19108
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:20924
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:20384
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:22764
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:17644
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:23060
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:23364
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:15528
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:23356
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:23188
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:22084
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:23908
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:24196
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:22000
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:19024
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:24540
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:20716
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:24216
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:25112
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:24332
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:25220
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:25736
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:26232
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:7376
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:25188
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:23852
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:25172
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:24184
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:27052
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:27512
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:27200
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:16368
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:26956
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:28244
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:27808
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:25704
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:27988
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:28572
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:24708
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:25096
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:27856
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:28928
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:29500
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:23592
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:29040
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:25892
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:28336
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:25908
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:27456
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:21500
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:22356
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:30464
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:24436
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:26688
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:30356
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:29400
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:24840
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:25448
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:27312
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:31020
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:31532
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:24308
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:31712
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:27972
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:26368
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:32088
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:32548
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:32204
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:30564
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:20448
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:29076
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:33220
- - C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    C:\Users\Admin\Documents\iIyQc5kHablf1FQ7VXOlxEfR.exe
    3⤵
    PID:29916
- C:\Users\Admin\Documents\FVdcIt_v7pzZH2ewD1L3pDGa.exe
  "C:\Users\Admin\Documents\FVdcIt_v7pzZH2ewD1L3pDGa.exe"
  2⤵
  - Executes dropped EXE
  PID:5440
- - C:\Users\Admin\AppData\Local\Temp\is-PPNAK.tmp\FVdcIt_v7pzZH2ewD1L3pDGa.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-PPNAK.tmp\FVdcIt_v7pzZH2ewD1L3pDGa.tmp" /SL5="$1030E,138429,56832,C:\Users\Admin\Documents\FVdcIt_v7pzZH2ewD1L3pDGa.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of FindShellTrayWindow
    PID:5700
  - - C:\Users\Admin\AppData\Local\Temp\is-7BK6M.tmp\Setup.exe
      "C:\Users\Admin\AppData\Local\Temp\is-7BK6M.tmp\Setup.exe" /Verysilent
      4⤵
      PID:11448
    - - C:\Program Files (x86)\SmartPDF\SmartPDF\stats.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\stats.exe" /Verysilent
        5⤵
        
        PID:6736
      - C:\Users\Admin\AppData\Local\Temp\is-JJHTI.tmp\stats.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-JJHTI.tmp\stats.tmp" /SL5="$205D4,138429,56832,C:\Program Files (x86)\SmartPDF\SmartPDF\stats.exe" /Verysilent
        6⤵
        
        PID:13476
        
        C:\Users\Admin\AppData\Local\Temp\is-Q4GVS.tmp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-Q4GVS.tmp\Setup.exe" /Verysilent
        7⤵
        
        PID:25676
    - - C:\Program Files (x86)\SmartPDF\SmartPDF\note866.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\note866.exe"
        5⤵
        
        PID:10752
    - - C:\Program Files (x86)\SmartPDF\SmartPDF\LivelyScreenRecS3.0.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\LivelyScreenRecS3.0.exe"
        5⤵
        
        PID:9116
    - - C:\Program Files (x86)\SmartPDF\SmartPDF\lg.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\lg.exe"
        5⤵
        
        PID:9648
      - C:\Program Files (x86)\SmartPDF\SmartPDF\lg.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\lg.exe" -a
        6⤵
        
        PID:18476
    - - C:\Program Files (x86)\SmartPDF\SmartPDF\PBrowFile15.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\PBrowFile15.exe"
        5⤵
        
        PID:12816
      - C:\Users\Admin\AppData\Roaming\8520361.exe
        
        "C:\Users\Admin\AppData\Roaming\8520361.exe"
        6⤵
        
        PID:23992
      - C:\Users\Admin\AppData\Roaming\5024854.exe
        
        "C:\Users\Admin\AppData\Roaming\5024854.exe"
        6⤵
        
        PID:24580
      - C:\Users\Admin\AppData\Roaming\7842462.exe
        
        "C:\Users\Admin\AppData\Roaming\7842462.exe"
        6⤵
        
        PID:24676
      - C:\Users\Admin\AppData\Roaming\3131613.exe
        
        "C:\Users\Admin\AppData\Roaming\3131613.exe"
        6⤵
        
        PID:24736
    - - C:\Program Files (x86)\SmartPDF\SmartPDF\9840432e051a6fa1192594db02b80a4c1fd73456.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\9840432e051a6fa1192594db02b80a4c1fd73456.exe"
        5⤵
        
        PID:13192
    - - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        5⤵
        
        PID:12588
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:12812
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:13772
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:14100
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:14340
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:14796
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:15120
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:15192
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:14984
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:11852
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:15160
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:15748
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:16168
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:15636
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:5292
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:14188
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:16108
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:16584
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:17208
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:14884
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:16632
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:14408
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:13956
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:17900
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:18340
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:17704
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:18120
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:11280
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:18984
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:16364
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:12808
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:9648
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:1096
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:16020
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:19540
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:19960
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:7048
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:19932
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:20360
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:20288
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:16800
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:12604
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:16888
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:20612
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:21088
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:19036
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:21388
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:21012
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:20540
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:21812
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:22316
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:20372
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:20464
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:22524
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:21256
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:16304
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:22660
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:23132
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:19516
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:20516
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:23252
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:20300
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:20528
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:16280
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:23880
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:24132
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:20656
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:24244
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:14824
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:20044
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:24564
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:25192
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:24368
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:25528
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:25804
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:26220
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:2400
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:26476
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:26620
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:15684
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:24804
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:25596
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:27416
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:24060
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:25240
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:27172
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:15296
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:28140
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:28564
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:28468
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:28260
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:27984
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:26540
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:25880
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:24948
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:29024
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:29552
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:26684
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:29528
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:24140
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:27892
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:18804
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:26388
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:28756
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:28172
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:30144
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:30604
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:27860
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:30272
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:29300
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:30184
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:30116
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:26932
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:30500
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:31068
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:31436
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:30980
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:31652
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:30816
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:30920
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:31688
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:31972
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:32636
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:30912
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:11588
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:21444
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:32920
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:33412
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:32436
- C:\Users\Admin\Documents\kFJ8_sTvl8h0EcdRlUk4Xp9O.exe
  "C:\Users\Admin\Documents\kFJ8_sTvl8h0EcdRlUk4Xp9O.exe"
  2⤵
  - Executes dropped EXE
  PID:908
- - C:\Users\Admin\Documents\kFJ8_sTvl8h0EcdRlUk4Xp9O.exe
    "C:\Users\Admin\Documents\kFJ8_sTvl8h0EcdRlUk4Xp9O.exe"
    3⤵
    PID:7360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5476 -s 24
1⤵
- Program crash
PID:5832

C:\Users\Admin\AppData\Local\Temp\2CD5.exe
C:\Users\Admin\AppData\Local\Temp\2CD5.exe
1⤵
PID:13156

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:14080

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:14276

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4612

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:14316

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:13572

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:14212

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:14376

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:14536

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:14704

C:\Users\Admin\AppData\Roaming\datiebg
C:\Users\Admin\AppData\Roaming\datiebg
1⤵
PID:10492

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Disabling Security Tools

T1089

Install Root Certificate

T1130

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery