glupteba | 1cd649ea4273fd977b6a350bfe8f3b62f1d0aee1408b9966aa3d6ad39ba5af6a

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	AOsLcG38aoNZmIiF1kbO6uNV.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	AOsLcG38aoNZmIiF1kbO6uNV.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	iabFHy2805TPsvM_ufKJiw9O.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	iabFHy2805TPsvM_ufKJiw9O.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Control Panel\International\Geo\Nation	Setup (11).exe

Loads dropped DLL 1 IoCs

pid	Process
4460	ApnV2HSTGkKkv8dt3Hdbi255.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Themida packer 7 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral6/files/0x000100000001ab59-123.dat	themida
behavioral6/files/0x000100000001ab69-140.dat	themida
behavioral6/files/0x000100000001ab5f-147.dat	themida
behavioral6/files/0x000100000001ab69-165.dat	themida
behavioral6/files/0x000100000001ab5f-172.dat	themida
behavioral6/files/0x000100000001ab59-153.dat	themida
behavioral6/memory/3524-224-0x0000000000EE0000-0x0000000000EE1000-memory.dmp	themida

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	AOsLcG38aoNZmIiF1kbO6uNV.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	iabFHy2805TPsvM_ufKJiw9O.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 12 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2296	ipinfo.io
7184	ipinfo.io
30	ipinfo.io
34	api.db-ip.com
126	ipinfo.io
127	ipinfo.io
1090	ipinfo.io
31	ipinfo.io
35	api.db-ip.com
121	ip-api.com
1004	ipinfo.io
6060	ipinfo.io

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
3524	AOsLcG38aoNZmIiF1kbO6uNV.exe
4008	iabFHy2805TPsvM_ufKJiw9O.exe

Suspicious use of SetThreadContext 64 IoCs

description	pid	Process	procid_target
PID 2916 set thread context of 4668	2916	uDBVt9F9zPtqnWkZuZ3a0NFJ.exe	109
PID 2908 set thread context of 4848	2908	294vzZ8KUJ_4DGm0cUbGyxML.exe	114
PID 4104 set thread context of 4724	4104	SfBKixOqlVw_z2jGCLzD274s.exe	111
PID 3652 set thread context of 4744	3652	GAx4AEPoG1A1sE0p9SKyWeQU.exe	110
PID 2916 set thread context of 4768	2916	uDBVt9F9zPtqnWkZuZ3a0NFJ.exe	112
PID 4292 set thread context of 4812	4292	fHf_i2PODuD9xeyuL2BBDDPc.exe	113
PID 3652 set thread context of 5008	3652	GAx4AEPoG1A1sE0p9SKyWeQU.exe	151
PID 4104 set thread context of 4984	4104	SfBKixOqlVw_z2jGCLzD274s.exe	152
PID 4292 set thread context of 2616	4292	fHf_i2PODuD9xeyuL2BBDDPc.exe	117
PID 2916 set thread context of 4572	2916	uDBVt9F9zPtqnWkZuZ3a0NFJ.exe	118
PID 4292 set thread context of 4676	4292	fHf_i2PODuD9xeyuL2BBDDPc.exe	119
PID 3652 set thread context of 5052	3652	GAx4AEPoG1A1sE0p9SKyWeQU.exe	120
PID 2916 set thread context of 3088	2916	uDBVt9F9zPtqnWkZuZ3a0NFJ.exe	121
PID 3652 set thread context of 4596	3652	GAx4AEPoG1A1sE0p9SKyWeQU.exe	146
PID 4104 set thread context of 4660	4104	SfBKixOqlVw_z2jGCLzD274s.exe	144
PID 2916 set thread context of 4788	2916	uDBVt9F9zPtqnWkZuZ3a0NFJ.exe	128
PID 4292 set thread context of 3924	4292	fHf_i2PODuD9xeyuL2BBDDPc.exe	129
PID 3652 set thread context of 5200	3652	GAx4AEPoG1A1sE0p9SKyWeQU.exe	130
PID 4104 set thread context of 5232	4104	SfBKixOqlVw_z2jGCLzD274s.exe	140
PID 2916 set thread context of 5268	2916	uDBVt9F9zPtqnWkZuZ3a0NFJ.exe	131
PID 4292 set thread context of 5368	4292	fHf_i2PODuD9xeyuL2BBDDPc.exe	132
PID 4104 set thread context of 5644	4104	SfBKixOqlVw_z2jGCLzD274s.exe	138
PID 2916 set thread context of 5668	2916	uDBVt9F9zPtqnWkZuZ3a0NFJ.exe	136
PID 3652 set thread context of 5696	3652	GAx4AEPoG1A1sE0p9SKyWeQU.exe	137
PID 4104 set thread context of 5980	4104	SfBKixOqlVw_z2jGCLzD274s.exe	148
PID 4292 set thread context of 6092	4292	fHf_i2PODuD9xeyuL2BBDDPc.exe	157
PID 3652 set thread context of 6112	3652	GAx4AEPoG1A1sE0p9SKyWeQU.exe	318
PID 4104 set thread context of 5152	4104	SfBKixOqlVw_z2jGCLzD274s.exe	155
PID 2916 set thread context of 5436	2916	uDBVt9F9zPtqnWkZuZ3a0NFJ.exe	162
PID 4292 set thread context of 5224	4292	fHf_i2PODuD9xeyuL2BBDDPc.exe	197
PID 4104 set thread context of 936	4104	SfBKixOqlVw_z2jGCLzD274s.exe	198
PID 3652 set thread context of 3888	3652	GAx4AEPoG1A1sE0p9SKyWeQU.exe	163
PID 2916 set thread context of 5712	2916	uDBVt9F9zPtqnWkZuZ3a0NFJ.exe	164
PID 4104 set thread context of 5924	4104	SfBKixOqlVw_z2jGCLzD274s.exe	189
PID 3652 set thread context of 6012	3652	GAx4AEPoG1A1sE0p9SKyWeQU.exe	166
PID 2916 set thread context of 5360	2916	uDBVt9F9zPtqnWkZuZ3a0NFJ.exe	167
PID 4104 set thread context of 4216	4104	SfBKixOqlVw_z2jGCLzD274s.exe	169
PID 3652 set thread context of 5824	3652	GAx4AEPoG1A1sE0p9SKyWeQU.exe	171
PID 2916 set thread context of 3296	2916	uDBVt9F9zPtqnWkZuZ3a0NFJ.exe	188
PID 4292 set thread context of 5932	4292	fHf_i2PODuD9xeyuL2BBDDPc.exe	172
PID 4104 set thread context of 4360	4104	SfBKixOqlVw_z2jGCLzD274s.exe	173
PID 3652 set thread context of 3332	3652	GAx4AEPoG1A1sE0p9SKyWeQU.exe	176
PID 2916 set thread context of 5500	2916	uDBVt9F9zPtqnWkZuZ3a0NFJ.exe	178
PID 4292 set thread context of 4172	4292	fHf_i2PODuD9xeyuL2BBDDPc.exe	177
PID 4104 set thread context of 5616	4104	SfBKixOqlVw_z2jGCLzD274s.exe	187
PID 2916 set thread context of 6304	2916	uDBVt9F9zPtqnWkZuZ3a0NFJ.exe	185
PID 4292 set thread context of 6328	4292	fHf_i2PODuD9xeyuL2BBDDPc.exe	182
PID 4104 set thread context of 6448	4104	SfBKixOqlVw_z2jGCLzD274s.exe	184
PID 212 set thread context of 6696	212	8ldLkP6tzyD56cfH67QxsmAR.exe	191
PID 3652 set thread context of 6628	3652	GAx4AEPoG1A1sE0p9SKyWeQU.exe	194
PID 2916 set thread context of 6640	2916	uDBVt9F9zPtqnWkZuZ3a0NFJ.exe	190
PID 4292 set thread context of 6668	4292	fHf_i2PODuD9xeyuL2BBDDPc.exe	193
PID 1620 set thread context of 6972	1620	_Fhlkg9cAaHNTzam8qia1dEX.exe	228
PID 2916 set thread context of 6956	2916	uDBVt9F9zPtqnWkZuZ3a0NFJ.exe	229
PID 4292 set thread context of 6984	4292	fHf_i2PODuD9xeyuL2BBDDPc.exe	199
PID 4104 set thread context of 7016	4104	SfBKixOqlVw_z2jGCLzD274s.exe	202
PID 4292 set thread context of 6028	4292	fHf_i2PODuD9xeyuL2BBDDPc.exe	207
PID 4104 set thread context of 6204	4104	SfBKixOqlVw_z2jGCLzD274s.exe	203
PID 3652 set thread context of 6244	3652	GAx4AEPoG1A1sE0p9SKyWeQU.exe	206
PID 2916 set thread context of 5020	2916	uDBVt9F9zPtqnWkZuZ3a0NFJ.exe	208
PID 4104 set thread context of 4208	4104	SfBKixOqlVw_z2jGCLzD274s.exe	211
PID 2916 set thread context of 4120	2916	uDBVt9F9zPtqnWkZuZ3a0NFJ.exe	217
PID 4292 set thread context of 7008	4292	fHf_i2PODuD9xeyuL2BBDDPc.exe	213
PID 3652 set thread context of 7140	3652	GAx4AEPoG1A1sE0p9SKyWeQU.exe	215

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Company\NewProduct\Uninstall.ini	P2o7pIiCfsE8vlqW4nfD_9WM.exe
File created	C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe	fHf_i2PODuD9xeyuL2BBDDPc.exe
File opened for modification	C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe	fHf_i2PODuD9xeyuL2BBDDPc.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\inst001.exe	P2o7pIiCfsE8vlqW4nfD_9WM.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\cutm3.exe	P2o7pIiCfsE8vlqW4nfD_9WM.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe	P2o7pIiCfsE8vlqW4nfD_9WM.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\Uninstall.exe	P2o7pIiCfsE8vlqW4nfD_9WM.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 36 IoCs

pid	pid_target	Process	procid_target
5092	2260	WerFault.exe	78
5036	2260	WerFault.exe	78
4788	4984	WerFault.exe
5180	2260	WerFault.exe	78
5928	2260	WerFault.exe	78
6100	5644	WerFault.exe	138
5440	6112	WerFault.exe	153
5556	804	WerFault.exe	87
5616	680	WerFault.exe	86
6160	804	WerFault.exe	87
6468	2260	WerFault.exe	78
6844	804	WerFault.exe	87
6604	680	WerFault.exe	86
4776	2260	WerFault.exe	78
6428	680	WerFault.exe	86
6724	804	WerFault.exe	87
6456	7008	WerFault.exe	213
6372	680	WerFault.exe	86
7668	804	WerFault.exe	87
7904	680	WerFault.exe	86
7456	4764	WerFault.exe	259
8336	680	WerFault.exe	86
8684	6208	WerFault.exe	274
8812	8400	WerFault.exe	281
8568	7032	WerFault.exe	293
472	8836	WerFault.exe	298
10088	5940	WerFault.exe	174
10956	680	WerFault.exe	86
10456	680	WerFault.exe	86
11196	2216	WerFault.exe	83
9588	2260	WerFault.exe	78
12336	2260	WerFault.exe	78
13056	2260	WerFault.exe	78
12544	804	WerFault.exe	87
13680	10792	WerFault.exe	471
14240	6696	WerFault.exe	191

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	294vzZ8KUJ_4DGm0cUbGyxML.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	294vzZ8KUJ_4DGm0cUbGyxML.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	294vzZ8KUJ_4DGm0cUbGyxML.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

pid	Process
5092	schtasks.exe
3624	schtasks.exe

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
15320	timeout.exe
39512	Process not Found

Kills process with taskkill 1 IoCs

evasion

pid	Process
11528	taskkill.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	Process not Found

Script User-Agent 4 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	1078	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	1115	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	2297	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	7047	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
996	Setup (11).exe
996	Setup (11).exe
4848	294vzZ8KUJ_4DGm0cUbGyxML.exe
4848	294vzZ8KUJ_4DGm0cUbGyxML.exe
5092	schtasks.exe
5092	schtasks.exe
5092	schtasks.exe
5092	schtasks.exe
5092	schtasks.exe
5092	schtasks.exe
5092	schtasks.exe
5092	schtasks.exe
5092	schtasks.exe
5092	schtasks.exe
5092	schtasks.exe
5092	schtasks.exe
5092	schtasks.exe
5092	schtasks.exe
5092	schtasks.exe
5092	schtasks.exe
5092	schtasks.exe
5092	schtasks.exe
5092	schtasks.exe
5092	schtasks.exe
2180	Process not Found
2180	Process not Found
2180	Process not Found
2180	Process not Found
2180	Process not Found
2180	Process not Found
2180	Process not Found
2180	Process not Found
2180	Process not Found
2180	Process not Found
2180	Process not Found
2180	Process not Found
2180	Process not Found
2180	Process not Found
2180	Process not Found
2180	Process not Found
2180	Process not Found
2180	Process not Found
2180	Process not Found
2180	Process not Found
2180	Process not Found
2180	Process not Found
2180	Process not Found
2180	Process not Found
2180	Process not Found
2180	Process not Found
2180	Process not Found
2180	Process not Found
2180	Process not Found
2180	Process not Found
2180	Process not Found
2180	Process not Found
2180	Process not Found
2180	Process not Found
2180	Process not Found
2180	Process not Found
2180	Process not Found
2180	Process not Found
2180	Process not Found
2180	Process not Found

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
4848	294vzZ8KUJ_4DGm0cUbGyxML.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2648	GAx4AEPoG1A1sE0p9SKyWeQU.exe
Token: SeDebugPrivilege	4160	fA_gAkCbziZJoI9Js71c5g3A.exe
Token: SeRestorePrivilege	5092	schtasks.exe
Token: SeBackupPrivilege	5092	schtasks.exe
Token: SeDebugPrivilege	5092	schtasks.exe
Token: SeShutdownPrivilege	2180	Process not Found
Token: SeCreatePagefilePrivilege	2180	Process not Found
Token: SeShutdownPrivilege	2180	Process not Found
Token: SeCreatePagefilePrivilege	2180	Process not Found
Token: SeShutdownPrivilege	2180	Process not Found
Token: SeCreatePagefilePrivilege	2180	Process not Found
Token: SeShutdownPrivilege	2180	Process not Found
Token: SeCreatePagefilePrivilege	2180	Process not Found
Token: SeShutdownPrivilege	2180	Process not Found
Token: SeCreatePagefilePrivilege	2180	Process not Found
Token: SeShutdownPrivilege	2180	Process not Found
Token: SeCreatePagefilePrivilege	2180	Process not Found
Token: SeShutdownPrivilege	2180	Process not Found
Token: SeCreatePagefilePrivilege	2180	Process not Found
Token: SeDebugPrivilege	5036	WerFault.exe
Token: SeShutdownPrivilege	2180	Process not Found
Token: SeCreatePagefilePrivilege	2180	Process not Found
Token: SeShutdownPrivilege	2180	Process not Found
Token: SeCreatePagefilePrivilege	2180	Process not Found
Token: SeShutdownPrivilege	2180	Process not Found
Token: SeCreatePagefilePrivilege	2180	Process not Found
Token: SeShutdownPrivilege	2180	Process not Found
Token: SeCreatePagefilePrivilege	2180	Process not Found
Token: SeShutdownPrivilege	2180	Process not Found
Token: SeCreatePagefilePrivilege	2180	Process not Found
Token: SeDebugPrivilege	5180	WerFault.exe
Token: SeDebugPrivilege	3524	AOsLcG38aoNZmIiF1kbO6uNV.exe
Token: SeShutdownPrivilege	2180	Process not Found
Token: SeCreatePagefilePrivilege	2180	Process not Found
Token: SeShutdownPrivilege	2180	Process not Found
Token: SeCreatePagefilePrivilege	2180	Process not Found
Token: SeShutdownPrivilege	2180	Process not Found
Token: SeCreatePagefilePrivilege	2180	Process not Found
Token: SeDebugPrivilege	4812	fHf_i2PODuD9xeyuL2BBDDPc.exe
Token: SeDebugPrivilege	5928	WerFault.exe
Token: SeDebugPrivilege	2616	fHf_i2PODuD9xeyuL2BBDDPc.exe
Token: SeDebugPrivilege	4676	fHf_i2PODuD9xeyuL2BBDDPc.exe
Token: SeDebugPrivilege	5556	JXkvA1GuS8vogfe_2jXJjhDg.exe
Token: SeDebugPrivilege	4008	iabFHy2805TPsvM_ufKJiw9O.exe
Token: SeDebugPrivilege	3924	fHf_i2PODuD9xeyuL2BBDDPc.exe
Token: SeDebugPrivilege	5368	fHf_i2PODuD9xeyuL2BBDDPc.exe
Token: SeDebugPrivilege	6160	fHf_i2PODuD9xeyuL2BBDDPc.exe
Token: SeShutdownPrivilege	2180	Process not Found
Token: SeCreatePagefilePrivilege	2180	Process not Found
Token: SeDebugPrivilege	6468	WerFault.exe
Token: SeDebugPrivilege	6092	fHf_i2PODuD9xeyuL2BBDDPc.exe
Token: SeDebugPrivilege	6844	WerFault.exe
Token: SeDebugPrivilege	4776	WerFault.exe
Token: SeDebugPrivilege	6724	WerFault.exe
Token: SeDebugPrivilege	5224	fHf_i2PODuD9xeyuL2BBDDPc.exe
Token: SeDebugPrivilege	5932	fHf_i2PODuD9xeyuL2BBDDPc.exe
Token: SeDebugPrivilege	4172	fHf_i2PODuD9xeyuL2BBDDPc.exe
Token: SeDebugPrivilege	6972	_Fhlkg9cAaHNTzam8qia1dEX.exe
Token: SeDebugPrivilege	6328	fHf_i2PODuD9xeyuL2BBDDPc.exe
Token: SeDebugPrivilege	6640	uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
Token: SeDebugPrivilege	5712	uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
Token: SeDebugPrivilege	6984	fHf_i2PODuD9xeyuL2BBDDPc.exe
Token: SeDebugPrivilege	6668	fHf_i2PODuD9xeyuL2BBDDPc.exe
Token: SeDebugPrivilege	6028	fHf_i2PODuD9xeyuL2BBDDPc.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2180	Process not Found
2180	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 996 wrote to memory of 2260	996	Setup (11).exe	78
PID 996 wrote to memory of 2260	996	Setup (11).exe	78
PID 996 wrote to memory of 2260	996	Setup (11).exe	78
PID 996 wrote to memory of 4008	996	Setup (11).exe	81
PID 996 wrote to memory of 4008	996	Setup (11).exe	81
PID 996 wrote to memory of 4008	996	Setup (11).exe	81
PID 996 wrote to memory of 2648	996	Setup (11).exe	80
PID 996 wrote to memory of 2648	996	Setup (11).exe	80
PID 996 wrote to memory of 2916	996	Setup (11).exe	79
PID 996 wrote to memory of 2916	996	Setup (11).exe	79
PID 996 wrote to memory of 2916	996	Setup (11).exe	79
PID 996 wrote to memory of 4072	996	Setup (11).exe	82
PID 996 wrote to memory of 4072	996	Setup (11).exe	82
PID 996 wrote to memory of 4072	996	Setup (11).exe	82
PID 996 wrote to memory of 2216	996	Setup (11).exe	83
PID 996 wrote to memory of 2216	996	Setup (11).exe	83
PID 996 wrote to memory of 2216	996	Setup (11).exe	83
PID 996 wrote to memory of 680	996	Setup (11).exe	86
PID 996 wrote to memory of 680	996	Setup (11).exe	86
PID 996 wrote to memory of 680	996	Setup (11).exe	86
PID 996 wrote to memory of 804	996	Setup (11).exe	87
PID 996 wrote to memory of 804	996	Setup (11).exe	87
PID 996 wrote to memory of 804	996	Setup (11).exe	87
PID 996 wrote to memory of 732	996	Setup (11).exe	88
PID 996 wrote to memory of 732	996	Setup (11).exe	88
PID 996 wrote to memory of 732	996	Setup (11).exe	88
PID 996 wrote to memory of 212	996	Setup (11).exe	90
PID 996 wrote to memory of 212	996	Setup (11).exe	90
PID 996 wrote to memory of 212	996	Setup (11).exe	90
PID 996 wrote to memory of 2336	996	Setup (11).exe	89
PID 996 wrote to memory of 2336	996	Setup (11).exe	89
PID 996 wrote to memory of 2336	996	Setup (11).exe	89
PID 996 wrote to memory of 3524	996	Setup (11).exe	92
PID 996 wrote to memory of 3524	996	Setup (11).exe	92
PID 996 wrote to memory of 3524	996	Setup (11).exe	92
PID 996 wrote to memory of 3616	996	Setup (11).exe	93
PID 996 wrote to memory of 3616	996	Setup (11).exe	93
PID 996 wrote to memory of 3616	996	Setup (11).exe	93
PID 996 wrote to memory of 3396	996	Setup (11).exe	108
PID 996 wrote to memory of 3396	996	Setup (11).exe	108
PID 996 wrote to memory of 3396	996	Setup (11).exe	108
PID 996 wrote to memory of 1620	996	Setup (11).exe	106
PID 996 wrote to memory of 1620	996	Setup (11).exe	106
PID 996 wrote to memory of 1620	996	Setup (11).exe	106
PID 996 wrote to memory of 2908	996	Setup (11).exe	105
PID 996 wrote to memory of 2908	996	Setup (11).exe	105
PID 996 wrote to memory of 2908	996	Setup (11).exe	105
PID 996 wrote to memory of 3652	996	Setup (11).exe	104
PID 996 wrote to memory of 3652	996	Setup (11).exe	104
PID 996 wrote to memory of 3652	996	Setup (11).exe	104
PID 996 wrote to memory of 3924	996	Setup (11).exe	129
PID 996 wrote to memory of 3924	996	Setup (11).exe	129
PID 996 wrote to memory of 3924	996	Setup (11).exe	129
PID 996 wrote to memory of 4104	996	Setup (11).exe	101
PID 996 wrote to memory of 4104	996	Setup (11).exe	101
PID 996 wrote to memory of 4104	996	Setup (11).exe	101
PID 996 wrote to memory of 4160	996	Setup (11).exe	99
PID 996 wrote to memory of 4160	996	Setup (11).exe	99
PID 996 wrote to memory of 4224	996	Setup (11).exe	97
PID 996 wrote to memory of 4224	996	Setup (11).exe	97
PID 996 wrote to memory of 4292	996	Setup (11).exe	96
PID 996 wrote to memory of 4292	996	Setup (11).exe	96
PID 996 wrote to memory of 4292	996	Setup (11).exe	96
PID 996 wrote to memory of 4460	996	Setup (11).exe	100

C:\Users\Admin\AppData\Local\Temp\Setup (11).exe
"C:\Users\Admin\AppData\Local\Temp\Setup (11).exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:996
- C:\Users\Admin\Documents\AIMjWAKNK1A921pn1nOgIond.exe
  "C:\Users\Admin\Documents\AIMjWAKNK1A921pn1nOgIond.exe"
  2⤵
  - Executes dropped EXE
  PID:2260
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2260 -s 656
    3⤵
    - Program crash
    PID:5092
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2260 -s 672
    3⤵
    - Program crash
    - Suspicious use of AdjustPrivilegeToken
    PID:5036
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2260 -s 728
    3⤵
    - Program crash
    - Suspicious use of AdjustPrivilegeToken
    PID:5180
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2260 -s 640
    3⤵
    - Program crash
    - Suspicious use of AdjustPrivilegeToken
    PID:5928
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2260 -s 896
    3⤵
    - Program crash
    - Suspicious use of AdjustPrivilegeToken
    PID:6468
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2260 -s 876
    3⤵
    - Program crash
    - Suspicious use of AdjustPrivilegeToken
    PID:4776
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2260 -s 1200
    3⤵
    - Program crash
    PID:9588
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2260 -s 1240
    3⤵
    - Program crash
    PID:12336
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2260 -s 1236
    3⤵
    - Program crash
    PID:13056
- C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
  "C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:2916
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    - Executes dropped EXE
    PID:4668
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    - Executes dropped EXE
    PID:4768
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    - Executes dropped EXE
    PID:4572
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    - Executes dropped EXE
    PID:3088
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    - Executes dropped EXE
    PID:4788
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    - Executes dropped EXE
    PID:5268
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    - Executes dropped EXE
    PID:5668
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    - Executes dropped EXE
    PID:5032
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    - Executes dropped EXE
    PID:156
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    - Executes dropped EXE
    PID:6008
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    - Executes dropped EXE
    PID:5436
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5712
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:5360
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:5500
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:6304
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:3296
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:6640
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:5020
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:4120
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:4428
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:5572
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:3520
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:6956
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:4560
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:7000
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:5692
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:7320
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:7592
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:7876
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:6864
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:7756
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:7380
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:8152
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:8628
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:8980
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:7004
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:8656
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:4604
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:8648
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:8604
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:6408
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:8592
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:9572
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:9900
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:10152
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:9512
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:1304
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:8096
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:7680
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:1020
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:10008
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:7616
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:6940
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:9964
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:8404
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:9824
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:10508
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:10828
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:11132
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:10640
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:10828
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:9504
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:6404
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:11440
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:11760
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:12204
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:11636
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:12128
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:5060
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:5144
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:11804
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:12704
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:13208
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:12524
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:12496
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:3780
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:13396
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:13828
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:10732
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:13528
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:14272
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:10108
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:14312
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:14420
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:14832
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:15208
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:14476
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:15308
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:14876
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:15788
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:16228
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:15324
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:15864
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:13988
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:16984
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:13420
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:17348
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:17120
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:17860
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:18344
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:17504
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:17788
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:14620
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:18660
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:19152
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:2172
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:19388
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:18668
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:18980
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:1388
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:18020
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:14524
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:19512
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:20132
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:20060
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:20196
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:19900
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:20812
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:21428
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:20556
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:8820
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:21432
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:20992
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:20960
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:22196
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:10872
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:22152
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:21904
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:5776
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:20128
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:2728
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:23024
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:21912
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:23192
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:20752
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:20404
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:23236
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:22144
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:23668
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:24192
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:18204
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:23884
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:24492
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:24024
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:24460
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:23812
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:25016
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:25528
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:25184
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:24724
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:9732
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:24336
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:14472
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:24892
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:25604
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:26064
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:26600
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:18868
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:23476
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:25284
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:25844
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:26340
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:19480
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:26996
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:27436
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:26692
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:26964
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:13164
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:27444
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:28520
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:21664
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:20360
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:29036
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:29480
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:24408
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:29036
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:26836
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:26460
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:25024
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:29984
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:30500
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:29436
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:17700
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:27028
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:21264
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:27028
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:30988
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:31476
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:31452
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:31812
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:32504
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:32140
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:32116
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:32772
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:33340
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:30708
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:33732
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:33584
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:32652
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:15164
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:29724
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:33864
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:34960
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:35328
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:35816
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:34824
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:21596
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:35948
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:35352
- - C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    C:\Users\Admin\Documents\uDBVt9F9zPtqnWkZuZ3a0NFJ.exe
    3⤵
    PID:36548
- C:\Users\Admin\Documents\3CtDkkCx1LRNur2zVtzPtYvo.exe
  "C:\Users\Admin\Documents\3CtDkkCx1LRNur2zVtzPtYvo.exe"
  2⤵
  - Executes dropped EXE
  PID:2648
- C:\Users\Admin\Documents\iabFHy2805TPsvM_ufKJiw9O.exe
  "C:\Users\Admin\Documents\iabFHy2805TPsvM_ufKJiw9O.exe"
  2⤵
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of AdjustPrivilegeToken
  PID:4008
- C:\Users\Admin\Documents\P2o7pIiCfsE8vlqW4nfD_9WM.exe
  "C:\Users\Admin\Documents\P2o7pIiCfsE8vlqW4nfD_9WM.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:4072
- - C:\Program Files (x86)\Company\NewProduct\inst001.exe
    "C:\Program Files (x86)\Company\NewProduct\inst001.exe"
    3⤵
    PID:5436
- - C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
    "C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"
    3⤵
    - Executes dropped EXE
    PID:5508
- - C:\Program Files (x86)\Company\NewProduct\cutm3.exe
    "C:\Program Files (x86)\Company\NewProduct\cutm3.exe"
    3⤵
    - Executes dropped EXE
    PID:5468
- C:\Users\Admin\Documents\NLgV9PgUyRgWGd5kIpdOa1OI.exe
  "C:\Users\Admin\Documents\NLgV9PgUyRgWGd5kIpdOa1OI.exe"
  2⤵
  - Executes dropped EXE
  PID:2216
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2216 -s 1608
    3⤵
    - Program crash
    PID:11196
- C:\Users\Admin\Documents\ApzBxFQ3XMJfXZPnDEzJuN2I.exe
  "C:\Users\Admin\Documents\ApzBxFQ3XMJfXZPnDEzJuN2I.exe"
  2⤵
  - Executes dropped EXE
  PID:680
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 680 -s 384
    3⤵
    - Program crash
    PID:5616
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 680 -s 364
    3⤵
    - Program crash
    PID:6604
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 680 -s 424
    3⤵
    - Program crash
    PID:6428
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 680 -s 592
    3⤵
    - Program crash
    PID:6372
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 680 -s 660
    3⤵
    - Program crash
    PID:7904
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 680 -s 700
    3⤵
    - Program crash
    PID:8336
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 680 -s 780
    3⤵
    - Program crash
    PID:10956
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 680 -s 348
    3⤵
    - Program crash
    PID:10456
- C:\Users\Admin\Documents\povsSh0VJ7xNIj5l19R5UwNr.exe
  "C:\Users\Admin\Documents\povsSh0VJ7xNIj5l19R5UwNr.exe"
  2⤵
  - Executes dropped EXE
  PID:804
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 804 -s 660
    3⤵
    - Program crash
    PID:5556
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 804 -s 644
    3⤵
    - Program crash
    PID:6160
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 804 -s 660
    3⤵
    - Program crash
    - Suspicious use of AdjustPrivilegeToken
    PID:6844
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 804 -s 684
    3⤵
    - Program crash
    - Suspicious use of AdjustPrivilegeToken
    PID:6724
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 804 -s 892
    3⤵
    - Program crash
    PID:7668
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 804 -s 1232
    3⤵
    - Program crash
    PID:12544
- C:\Users\Admin\Documents\e4etLCQYKvo8Z5VhE0SKnCr3.exe
  "C:\Users\Admin\Documents\e4etLCQYKvo8Z5VhE0SKnCr3.exe"
  2⤵
  - Executes dropped EXE
  PID:732
- C:\Users\Admin\Documents\6w_dyaWqwuB5Yk309beVZ72K.exe
  "C:\Users\Admin\Documents\6w_dyaWqwuB5Yk309beVZ72K.exe"
  2⤵
  - Executes dropped EXE
  PID:2336
- - C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\System32\mshta.exe" VbsCrIPt: cLOSe( CREAteobjecT ("wScRiPT.ShElL" ).RUN ( "C:\Windows\system32\cmd.exe /C tYpe ""C:\Users\Admin\Documents\6w_dyaWqwuB5Yk309beVZ72K.exe"" > IQ0V_Fe_.eXE && StaRt IQ0v_FE_.ExE -poRsuYEMryiLi & if """"== """" for %m in ( ""C:\Users\Admin\Documents\6w_dyaWqwuB5Yk309beVZ72K.exe"" ) do taskkill /iM ""%~NXm"" -F" ,0 , TRUE ))
    3⤵
    PID:5416
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /C tYpe "C:\Users\Admin\Documents\6w_dyaWqwuB5Yk309beVZ72K.exe" > IQ0V_Fe_.eXE && StaRt IQ0v_FE_.ExE -poRsuYEMryiLi& if ""== "" for %m in ("C:\Users\Admin\Documents\6w_dyaWqwuB5Yk309beVZ72K.exe" ) do taskkill /iM "%~NXm" -F
      4⤵
      PID:7724
    - - C:\Users\Admin\AppData\Local\Temp\IQ0V_Fe_.eXE
        
        IQ0v_FE_.ExE -poRsuYEMryiLi
        5⤵
        
        PID:5976
      - C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" VbsCrIPt: cLOSe( CREAteobjecT ("wScRiPT.ShElL" ).RUN ( "C:\Windows\system32\cmd.exe /C tYpe ""C:\Users\Admin\AppData\Local\Temp\IQ0V_Fe_.eXE"" > IQ0V_Fe_.eXE && StaRt IQ0v_FE_.ExE -poRsuYEMryiLi & if ""-poRsuYEMryiLi""== """" for %m in ( ""C:\Users\Admin\AppData\Local\Temp\IQ0V_Fe_.eXE"" ) do taskkill /iM ""%~NXm"" -F" ,0 , TRUE ))
        6⤵
        
        PID:13388
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /C tYpe "C:\Users\Admin\AppData\Local\Temp\IQ0V_Fe_.eXE" > IQ0V_Fe_.eXE && StaRt IQ0v_FE_.ExE -poRsuYEMryiLi& if "-poRsuYEMryiLi"== "" for %m in ("C:\Users\Admin\AppData\Local\Temp\IQ0V_Fe_.eXE" ) do taskkill /iM "%~NXm" -F
        7⤵
        
        PID:22220
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /iM "6w_dyaWqwuB5Yk309beVZ72K.exe" -F
        5⤵
        Kills process with taskkill
        
        PID:11528
- C:\Users\Admin\Documents\8ldLkP6tzyD56cfH67QxsmAR.exe
  "C:\Users\Admin\Documents\8ldLkP6tzyD56cfH67QxsmAR.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:212
- - C:\Users\Admin\Documents\8ldLkP6tzyD56cfH67QxsmAR.exe
    "C:\Users\Admin\Documents\8ldLkP6tzyD56cfH67QxsmAR.exe"
    3⤵
    PID:6696
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 6696 -s 1452
      4⤵
      Program crash
      PID:14240
- C:\Users\Admin\Documents\AOsLcG38aoNZmIiF1kbO6uNV.exe
  "C:\Users\Admin\Documents\AOsLcG38aoNZmIiF1kbO6uNV.exe"
  2⤵
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of AdjustPrivilegeToken
  PID:3524
- C:\Users\Admin\Documents\JXkvA1GuS8vogfe_2jXJjhDg.exe
  "C:\Users\Admin\Documents\JXkvA1GuS8vogfe_2jXJjhDg.exe"
  2⤵
  - Executes dropped EXE
  PID:3616
- - C:\Users\Admin\Documents\JXkvA1GuS8vogfe_2jXJjhDg.exe
    "C:\Users\Admin\Documents\JXkvA1GuS8vogfe_2jXJjhDg.exe" -u
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5556
- C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
  "C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:4292
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4812
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2616
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4676
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    - Executes dropped EXE
    PID:1200
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
    PID:3924
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
      4⤵
      Creates scheduled task(s)
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5092
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:5368
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    - Executes dropped EXE
    PID:5820
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:6092
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    - Executes dropped EXE
    PID:5432
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:5972
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:4696
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5932
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4172
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:6328
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:6668
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5224
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:6984
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:6028
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:6200
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:7008
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 7008 -s 24
      4⤵
      Program crash
      PID:6456
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:4688
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:6856
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:6388
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:7076
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:4752
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:7296
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:7556
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:7860
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:8144
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:7540
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:7252
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:8016
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:8400
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 8400 -s 24
      4⤵
      Program crash
      PID:8812
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:8768
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:9100
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:8332
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:9044
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:8452
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:6160
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:8860
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    - Executes dropped EXE
    PID:6112
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:9288
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:9680
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:9948
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:4340
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:9632
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:1980
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:8108
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:7536
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:4016
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:7968
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:7348
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:8264
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:9032
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:684
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:8060
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:10536
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:10840
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:11180
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:10684
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:4472
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:11260
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:9756
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:11596
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:11912
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:11448
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:8916
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:10660
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:10572
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:7644
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:12640
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:13128
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:12596
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:13308
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:12952
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:13184
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:13748
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:14248
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:13616
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:14104
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:7696
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:11640
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:4032
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:14728
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:15092
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:14492
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:12804
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:15132
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:15688
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:16144
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:15512
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:13216
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:15576
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:16872
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:17380
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:16944
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:13524
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:17896
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:18396
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:13620
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:17568
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:15472
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:18876
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:19368
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:18500
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:19144
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:18492
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:18540
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:19000
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:13452
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:16680
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:19608
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:20420
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:20336
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:19132
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:17780
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:20904
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:21440
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:20728
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:19948
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:20852
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:19176
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:21748
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:22520
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:22332
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:21424
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:1640
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:22400
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:9808
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:4656
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:22880
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:23224
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:20880
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:13352
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:6164
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:17548
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:13752
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:19616
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:23700
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:24220
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:22676
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:23976
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:22640
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:24328
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:17964
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:24892
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:25316
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:24708
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:25156
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:25256
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:23760
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:14780
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:21564
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:25728
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:26324
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:12624
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:26168
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:12508
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:26372
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:26376
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:18192
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:26896
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:27284
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:24552
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:4348
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:26740
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:24500
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:28600
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:28484
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:28436
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:29008
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:29520
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:28928
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:28772
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:29440
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:27044
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:30072
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:30660
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:24384
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:26904
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:29944
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:30184
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:30212
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:30936
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:31532
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:29700
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:31708
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:32408
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:4520
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:32124
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:32228
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:33068
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:33640
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:30056
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:32916
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:32844
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:31136
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:14840
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:32812
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:34532
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:35180
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:35372
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:35116
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:27344
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:31420
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:31436
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:36184
- - C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    C:\Users\Admin\Documents\fHf_i2PODuD9xeyuL2BBDDPc.exe
    3⤵
    PID:36688
- C:\Users\Admin\Documents\VUWCkS7rDYIGwlVO09yOi6y2.exe
  "C:\Users\Admin\Documents\VUWCkS7rDYIGwlVO09yOi6y2.exe"
  2⤵
  - Executes dropped EXE
  PID:4224
- C:\Users\Admin\Documents\fA_gAkCbziZJoI9Js71c5g3A.exe
  "C:\Users\Admin\Documents\fA_gAkCbziZJoI9Js71c5g3A.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4160
- - C:\Users\Admin\AppData\Roaming\8467578.exe
    "C:\Users\Admin\AppData\Roaming\8467578.exe"
    3⤵
    PID:6376
- - C:\Users\Admin\AppData\Roaming\2919308.exe
    "C:\Users\Admin\AppData\Roaming\2919308.exe"
    3⤵
    PID:6428
- - C:\Users\Admin\AppData\Roaming\8075283.exe
    "C:\Users\Admin\AppData\Roaming\8075283.exe"
    3⤵
    PID:4468
- - C:\Users\Admin\AppData\Roaming\5231259.exe
    "C:\Users\Admin\AppData\Roaming\5231259.exe"
    3⤵
    PID:7976
  - - C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
      "C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
      4⤵
      PID:13888
- - C:\Users\Admin\AppData\Roaming\1161831.exe
    "C:\Users\Admin\AppData\Roaming\1161831.exe"
    3⤵
    PID:6164
- C:\Users\Admin\Documents\ApnV2HSTGkKkv8dt3Hdbi255.exe
  "C:\Users\Admin\Documents\ApnV2HSTGkKkv8dt3Hdbi255.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4460
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\Documents\ApnV2HSTGkKkv8dt3Hdbi255.exe"
    3⤵
    PID:14780
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /T 10 /NOBREAK
      4⤵
      Delays execution with timeout.exe
      PID:15320
- C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
  "C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:4104
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    - Executes dropped EXE
    PID:4724
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    - Executes dropped EXE
    PID:1640
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    - Executes dropped EXE
    PID:4708
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    - Executes dropped EXE
    PID:5644
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5644 -s 24
      4⤵
      Program crash
      PID:6100
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    - Executes dropped EXE
    PID:5232
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    - Executes dropped EXE
    PID:4660
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    - Executes dropped EXE
    PID:5980
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    - Executes dropped EXE
    PID:4984
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    - Executes dropped EXE
    PID:5152
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:4216
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:4360
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:6448
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:5616
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:5924
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:6744
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:936
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:7016
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:6204
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:4208
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:6512
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:4796
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:6832
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:6512
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:6472
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:3548
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:7216
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:7480
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:7760
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:8124
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:4764
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4764 -s 24
      4⤵
      Program crash
      PID:7456
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:7996
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:7668
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:8528
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:8884
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:9208
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:4588
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:9168
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:7624
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:6604
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:4992
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:4544
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:9464
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:9744
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:9988
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:4528
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:1088
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:3716
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:9236
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:1116
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:9956
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:2124
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:4036
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:8108
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:8168
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:6132
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:10484
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:10776
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:11056
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:10244
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:10988
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:4512
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:10500
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:3368
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:11652
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:12020
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:11468
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:11964
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:7864
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:2712
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:10188
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:12716
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:13220
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:12516
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:13284
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:11328
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:10792
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 10792 -s 24
      4⤵
      Program crash
      PID:13680
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:13672
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:14140
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:13520
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:14020
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:12216
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:13920
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:14316
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:14624
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:14996
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:14100
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:14808
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:9544
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:15492
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:15912
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:16356
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:11516
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:15364
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:16300
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:17124
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:17020
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:13904
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:17512
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:17988
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:17348
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:18040
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:18284
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:3240
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:18776
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:19260
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:7664
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:19316
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:4092
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:8576
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:2012
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:11380
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:12484
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:14256
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:20064
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:20008
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:20028
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:12176
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:20768
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:21300
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:19884
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:21464
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:20964
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:8572
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:10272
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:21728
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:21424
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:15768
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:22296
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:21592
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:20080
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:348
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:22732
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:23272
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:22936
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:23092
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:22680
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:21488
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:18800
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:23096
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:24004
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:18376
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:23664
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:23824
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:22432
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:22852
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:24480
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:24868
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:25408
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:24688
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:20272
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:12824
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:13980
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:24940
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:11528
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:26188
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:26588
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:25824
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:15856
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:26420
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:14472
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:15068
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:27152
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:26696
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:27624
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:12504
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:24984
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:27176
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:21376
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:26800
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:28532
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:26672
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:29336
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:27752
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:18456
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:20364
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:27908
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:29172
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:29916
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:30572
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:29728
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:30344
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:29684
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:28920
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:30376
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:31032
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:28184
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:30776
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:25300
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:32060
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:32440
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:14788
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:23312
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:29540
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:33216
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:33776
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:33408
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:28700
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:32540
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:32692
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:33276
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:30412
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:27712
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:35204
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:35532
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:31808
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:22328
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:35716
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:28952
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:36380
- - C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    C:\Users\Admin\Documents\SfBKixOqlVw_z2jGCLzD274s.exe
    3⤵
    PID:29044
- C:\Users\Admin\Documents\7sGilny894eo8DhLwjN6MRJa.exe
  "C:\Users\Admin\Documents\7sGilny894eo8DhLwjN6MRJa.exe"
  2⤵
  PID:3924
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:3624
- C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
  "C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:3652
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    - Executes dropped EXE
    PID:4744
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    - Executes dropped EXE
    PID:5052
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    - Executes dropped EXE
    PID:5200
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    - Executes dropped EXE
    PID:5696
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    - Executes dropped EXE
    PID:4596
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    - Executes dropped EXE
    PID:5008
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:6112
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 6112 -s 24
      4⤵
      Program crash
      PID:5440
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    - Executes dropped EXE
    PID:5444
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:3888
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:6012
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:5824
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:3332
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:6360
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:6628
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:7060
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:6244
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:6788
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:7140
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:6532
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:5264
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:6692
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:2644
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:5808
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:7440
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:7728
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:8052
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:7576
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:7236
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:6208
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 6208 -s 24
      4⤵
      Program crash
      PID:8684
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:8648
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:9004
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:7032
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 7032 -s 24
      4⤵
      Program crash
      PID:8568
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:8836
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 8836 -s 24
      4⤵
      Program crash
      PID:472
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:8412
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:8288
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:9132
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2648
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:9516
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:9880
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:10216
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:9536
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:1700
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:10064
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:6336
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:7376
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:10204
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:3912
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:9524
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:10144
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:9704
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:10396
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:10736
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:11008
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:10324
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:10804
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:11180
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:10332
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:10716
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:11616
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:12040
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:11012
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:12112
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:11536
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:12248
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:12360
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:12860
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:12332
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:12900
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:12832
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:13168
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:13548
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:14064
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:13428
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:13896
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:2512
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:11340
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:9424
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:14612
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:15024
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:10588
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:14708
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:15180
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:15612
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:16048
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:15536
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:16024
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:11368
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:16308
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:17212
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:17236
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:17336
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:17672
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:18196
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:17568
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:18108
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:18300
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:15020
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:19076
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:18492
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:18604
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:12448
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:11100
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:19180
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:10672
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:13508
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:19116
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:19760
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:14292
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:19812
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:15860
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:20824
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:21404
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:20548
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:3420
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:15176
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:18488
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:21668
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:22504
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:22068
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:11388
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:17340
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:16344
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:20876
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:21544
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:23048
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:16520
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:22616
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:8780
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:22920
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:21280
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:23144
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:23740
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:24280
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:21916
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:23316
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:24472
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:1640
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:20944
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:22624
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:24076
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:24952
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:22960
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:12532
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:24652
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:14088
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:16236
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:26232
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:14904
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:25968
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:23220
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:26140
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:24828
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:27060
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:26716
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:27484
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:25804
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:26328
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:26272
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:28512
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:27432
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:27920
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:28404
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:29308
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:28104
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:27888
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:19508
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:29104
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:20288
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:30052
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:30508
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:26476
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:30216
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:22904
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:29832
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:24684
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:31252
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:21336
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:31528
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:32180
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:32764
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:31656
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:32296
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:32940
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:33424
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:29004
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:33376
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:28444
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:32240
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:29892
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:32428
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:34484
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:35148
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:35380
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:34864
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:35632
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:30304
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:35236
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:35856
- - C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    C:\Users\Admin\Documents\GAx4AEPoG1A1sE0p9SKyWeQU.exe
    3⤵
    PID:36480
- C:\Users\Admin\Documents\294vzZ8KUJ_4DGm0cUbGyxML.exe
  "C:\Users\Admin\Documents\294vzZ8KUJ_4DGm0cUbGyxML.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:2908
- - C:\Users\Admin\Documents\294vzZ8KUJ_4DGm0cUbGyxML.exe
    "C:\Users\Admin\Documents\294vzZ8KUJ_4DGm0cUbGyxML.exe"
    3⤵
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    PID:4848
- C:\Users\Admin\Documents\_Fhlkg9cAaHNTzam8qia1dEX.exe
  "C:\Users\Admin\Documents\_Fhlkg9cAaHNTzam8qia1dEX.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:1620
- - C:\Users\Admin\Documents\_Fhlkg9cAaHNTzam8qia1dEX.exe
    "C:\Users\Admin\Documents\_Fhlkg9cAaHNTzam8qia1dEX.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:6972
- C:\Users\Admin\Documents\56bAPmRey7sUALJTj1iP067X.exe
  "C:\Users\Admin\Documents\56bAPmRey7sUALJTj1iP067X.exe"
  2⤵
  - Executes dropped EXE
  PID:3396
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\KBAvfsr.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\KBAvfsr.exe"
    3⤵
    PID:5940
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5940 -s 264
      4⤵
      Program crash
      PID:10088
- C:\Users\Admin\Documents\4vd434epvjVXw6tXqfH80Eoa.exe
  "C:\Users\Admin\Documents\4vd434epvjVXw6tXqfH80Eoa.exe"
  2⤵
  PID:8844
- - C:\Users\Admin\AppData\Local\Temp\is-F17AD.tmp\4vd434epvjVXw6tXqfH80Eoa.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-F17AD.tmp\4vd434epvjVXw6tXqfH80Eoa.tmp" /SL5="$20324,138429,56832,C:\Users\Admin\Documents\4vd434epvjVXw6tXqfH80Eoa.exe"
    3⤵
    PID:5312
  - - C:\Users\Admin\AppData\Local\Temp\is-1IVVT.tmp\Setup.exe
      "C:\Users\Admin\AppData\Local\Temp\is-1IVVT.tmp\Setup.exe" /Verysilent
      4⤵
      PID:18048
    - - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        5⤵
        
        PID:11580
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:17652
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:21064
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:1356
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:21268
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:17916
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:7536
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:12660
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:21556
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:22248
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:22032
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:22508
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:21596
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:21600
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:20140
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:22068
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:22896
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:23456
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:22888
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:23244
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:23080
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:18316
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:19864
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:23636
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:24164
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:14960
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:23988
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:24064
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:23616
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:23164
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:21388
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:25288
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:23576
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:25404
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:16904
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:24856
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:24160
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:22988
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:25752
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:26360
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:17768
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:26468
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:9772
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:6552
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:22636
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:26740
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:27072
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:27508
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:24844
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:24756
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:27128
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:27784
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:24788
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:12000
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:17684
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:29348
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:28652
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:11372
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:20108
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:29516
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:21336
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:29784
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:30560
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:28788
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:30636
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:27408
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:27268
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:30648
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:31280
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:29264
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:30860
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:31844
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:32532
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:31860
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:14560
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:25696
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:33012
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:33544
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:28552
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:15596
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:22628
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:32804
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:32348
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:32824
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:34648
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:35540
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:20536
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:31320
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:35688
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:35264
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:36304
    - - C:\Program Files (x86)\SmartPDF\SmartPDF\PBrowFile15.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\PBrowFile15.exe"
        5⤵
        
        PID:6324
    - - C:\Program Files (x86)\SmartPDF\SmartPDF\9840432e051a6fa1192594db02b80a4c1fd73456.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\9840432e051a6fa1192594db02b80a4c1fd73456.exe"
        5⤵
        
        PID:6396
    - - C:\Program Files (x86)\SmartPDF\SmartPDF\stats.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\stats.exe" /Verysilent
        5⤵
        
        PID:19744
      - C:\Users\Admin\AppData\Local\Temp\is-QOEFI.tmp\stats.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-QOEFI.tmp\stats.tmp" /SL5="$2082E,138429,56832,C:\Program Files (x86)\SmartPDF\SmartPDF\stats.exe" /Verysilent
        6⤵
        
        PID:20468
    - - C:\Program Files (x86)\SmartPDF\SmartPDF\note866.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\note866.exe"
        5⤵
        
        PID:20144
    - - C:\Program Files (x86)\SmartPDF\SmartPDF\LivelyScreenRecS3.0.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\LivelyScreenRecS3.0.exe"
        5⤵
        
        PID:19516
    - - C:\Program Files (x86)\SmartPDF\SmartPDF\lg.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\lg.exe"
        5⤵
        
        PID:20108
      - C:\Program Files (x86)\SmartPDF\SmartPDF\lg.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\lg.exe" -a
        6⤵
        
        PID:28876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4984 -s 24
1⤵
- Program crash
PID:4788

C:\Users\Admin\AppData\Local\Temp\4E9C.exe
C:\Users\Admin\AppData\Local\Temp\4E9C.exe
1⤵
PID:18676

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:20036

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:20368

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:14532

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:19920

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:20392

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:19548

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:19400

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:14908

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:19876

C:\Users\Admin\AppData\Roaming\uwdsfig
C:\Users\Admin\AppData\Roaming\uwdsfig
1⤵
PID:30492

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Modify Existing Service

T1031

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery