glupteba | 1cd649ea4273fd977b6a350bfe8f3b62f1d0aee1408b9966aa3d6ad39ba5af6a

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	tDyGii9qXOyQHXlEJDwoTHqb.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	tDyGii9qXOyQHXlEJDwoTHqb.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ExJnXBJuf7z9o42gRu50L0pe.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ExJnXBJuf7z9o42gRu50L0pe.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	k8yuNbQxqUeHJJJRt9otPBgE.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	k8yuNbQxqUeHJJJRt9otPBgE.exe

Loads dropped DLL 2 IoCs

pid	Process
1020	r4_q6Dohc0OXEbQDRCYNsrDH.tmp
1020	r4_q6Dohc0OXEbQDRCYNsrDH.tmp

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Themida packer 9 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral24/files/0x000200000002b1f6-166.dat	themida
behavioral24/files/0x000200000002b1e7-182.dat	themida
behavioral24/files/0x000200000002b1f3-199.dat	themida
behavioral24/files/0x000200000002b1f3-239.dat	themida
behavioral24/files/0x000200000002b1f6-225.dat	themida
behavioral24/files/0x000200000002b1e7-231.dat	themida
behavioral24/memory/5060-301-0x0000000000330000-0x0000000000331000-memory.dmp	themida
behavioral24/memory/3636-312-0x0000000000870000-0x0000000000871000-memory.dmp	themida
behavioral24/memory/4440-299-0x0000000000AA0000-0x0000000000AA1000-memory.dmp	themida

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ExJnXBJuf7z9o42gRu50L0pe.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	k8yuNbQxqUeHJJJRt9otPBgE.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	tDyGii9qXOyQHXlEJDwoTHqb.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 12 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
13	ip-api.com
58	ipinfo.io
122	ipinfo.io
134	ipinfo.io
218	ipinfo.io
277	ipinfo.io
706	ipinfo.io
13	ipinfo.io
95	ipinfo.io
464	ipinfo.io
755	ipinfo.io
760	ipinfo.io

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

pid	Process
4440	ExJnXBJuf7z9o42gRu50L0pe.exe
5060	tDyGii9qXOyQHXlEJDwoTHqb.exe
3636	k8yuNbQxqUeHJJJRt9otPBgE.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 572 set thread context of 3992	572	TFa4xZw4mEcxH9fJ039xf5fV.exe	122
PID 1700 set thread context of 1172	1700	ocXEsiG6Uy00PKLTrBgYlsRD.exe	192
PID 4668 set thread context of 4116	4668	Vgfum4aTymephCoeVTIlZfaD.exe	140
PID 4812 set thread context of 5364	4812	Y8CRCCRcFEZqKYDfW9u6j4UT.exe	147

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe	ayRcwoFR7y59yFlh8l90qUNL.exe
File opened for modification	C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe	ayRcwoFR7y59yFlh8l90qUNL.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\inst001.exe	Erm2BszJ9GeJwFKmgwNCV5rd.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\cutm3.exe	Erm2BszJ9GeJwFKmgwNCV5rd.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe	Erm2BszJ9GeJwFKmgwNCV5rd.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\Uninstall.exe	Erm2BszJ9GeJwFKmgwNCV5rd.exe
File created	C:\Program Files (x86)\Company\NewProduct\Uninstall.ini	Erm2BszJ9GeJwFKmgwNCV5rd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 28 IoCs

pid	pid_target	Process	procid_target
404	4896	WerFault.exe	88
3748	4904	WerFault.exe	92
3444	2164	WerFault.exe	100
5856	1172	WerFault.exe	154
5948	1900	WerFault.exe	108
2676	3048	WerFault.exe	182
6768	4068	WerFault.exe	199
6796	4068	WerFault.exe	199
6176	1180	WerFault.exe	206
6920	7160	WerFault.exe	239
3972	4176	WerFault.exe	247
7240	5736	WerFault.exe	157
7036	3600	WerFault.exe	170
560	3600	WerFault.exe	170
8224	4284	WerFault.exe	316
7912	4284	WerFault.exe	316
5856	6916	WerFault.exe	251
7460	8480	WerFault.exe	343
3824	1176	WerFault.exe	138
8956	5328	WerFault.exe	354
9652	3940	WerFault.exe	402
9596	4360	WerFault.exe	373
11028	2836	WerFault.exe	404
11168	5456	WerFault.exe	375
14784	11864	WerFault.exe	510
5064	11616	WerFault.exe	577
15064	11616	WerFault.exe	577
14996	11864	WerFault.exe	510

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	TFa4xZw4mEcxH9fJ039xf5fV.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	TFa4xZw4mEcxH9fJ039xf5fV.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	TFa4xZw4mEcxH9fJ039xf5fV.exe

Checks processor information in registry 2 TTPs 21 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe

Creates scheduled task(s) 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

pid	Process
3980	schtasks.exe
5152	schtasks.exe
10500	schtasks.exe
10092	schtasks.exe

Delays execution with timeout.exe 3 IoCs

evasion

pid	Process
5516	timeout.exe
6792	timeout.exe
9168	timeout.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
4308	taskkill.exe
792	taskkill.exe

Modifies data under HKEY_USERS 40 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	sihclient.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
11044	PING.EXE

Script User-Agent 7 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	810	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	1390	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	129	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	142	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	208	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	391	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	737	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 44 IoCs

pid	Process
5076	Setup (30).exe
5076	Setup (30).exe
3992	TFa4xZw4mEcxH9fJ039xf5fV.exe
3992	TFa4xZw4mEcxH9fJ039xf5fV.exe
3748	WerFault.exe
3748	WerFault.exe
404	WerFault.exe
404	WerFault.exe
3444	WerFault.exe
3444	WerFault.exe
3100	Process not Found
3100	Process not Found
3100	Process not Found
3100	Process not Found
3100	Process not Found
3100	Process not Found
3100	Process not Found
3100	Process not Found
3100	Process not Found
3100	Process not Found
3100	Process not Found
3100	Process not Found
3100	Process not Found
3100	Process not Found
3100	Process not Found
3100	Process not Found
3100	Process not Found
3100	Process not Found
3100	Process not Found
3100	Process not Found
3100	Process not Found
3100	Process not Found
3100	Process not Found
3100	Process not Found
3100	Process not Found
3100	Process not Found
3100	Process not Found
3100	Process not Found
3100	Process not Found
3100	Process not Found
3100	Process not Found
3100	Process not Found
3100	Process not Found
3100	Process not Found

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
3992	TFa4xZw4mEcxH9fJ039xf5fV.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeDebugPrivilege	1776	k_iudhzMsahZ07PupFLOIYCD.exe
Token: SeRestorePrivilege	3748	WerFault.exe
Token: SeBackupPrivilege	3748	WerFault.exe
Token: SeRestorePrivilege	404	WerFault.exe
Token: SeBackupPrivilege	404	WerFault.exe
Token: SeDebugPrivilege	4780	flU5F_dQqxfF0Ni8QAnd3XVh.exe
Token: SeShutdownPrivilege	3100	Process not Found
Token: SeCreatePagefilePrivilege	3100	Process not Found
Token: SeShutdownPrivilege	3100	Process not Found
Token: SeCreatePagefilePrivilege	3100	Process not Found
Token: SeShutdownPrivilege	3100	Process not Found
Token: SeCreatePagefilePrivilege	3100	Process not Found
Token: SeShutdownPrivilege	3100	Process not Found
Token: SeCreatePagefilePrivilege	3100	Process not Found
Token: SeShutdownPrivilege	3100	Process not Found
Token: SeCreatePagefilePrivilege	3100	Process not Found
Token: SeShutdownPrivilege	3100	Process not Found
Token: SeCreatePagefilePrivilege	3100	Process not Found
Token: SeShutdownPrivilege	3100	Process not Found
Token: SeCreatePagefilePrivilege	3100	Process not Found
Token: SeShutdownPrivilege	3100	Process not Found
Token: SeCreatePagefilePrivilege	3100	Process not Found

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1020	Vgfum4aTymephCoeVTIlZfaD.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5076 wrote to memory of 4668	5076	Setup (30).exe	93
PID 5076 wrote to memory of 4668	5076	Setup (30).exe	93
PID 5076 wrote to memory of 4668	5076	Setup (30).exe	93
PID 5076 wrote to memory of 4904	5076	Setup (30).exe	92
PID 5076 wrote to memory of 4904	5076	Setup (30).exe	92
PID 5076 wrote to memory of 4904	5076	Setup (30).exe	92
PID 5076 wrote to memory of 4056	5076	Setup (30).exe	90
PID 5076 wrote to memory of 4056	5076	Setup (30).exe	90
PID 5076 wrote to memory of 4056	5076	Setup (30).exe	90
PID 5076 wrote to memory of 3480	5076	Setup (30).exe	91
PID 5076 wrote to memory of 3480	5076	Setup (30).exe	91
PID 5076 wrote to memory of 3480	5076	Setup (30).exe	91
PID 5076 wrote to memory of 3636	5076	Setup (30).exe	89
PID 5076 wrote to memory of 3636	5076	Setup (30).exe	89
PID 5076 wrote to memory of 3636	5076	Setup (30).exe	89
PID 5076 wrote to memory of 4896	5076	Setup (30).exe	88
PID 5076 wrote to memory of 4896	5076	Setup (30).exe	88
PID 5076 wrote to memory of 4896	5076	Setup (30).exe	88
PID 5076 wrote to memory of 5064	5076	Setup (30).exe	101
PID 5076 wrote to memory of 5064	5076	Setup (30).exe	101
PID 5076 wrote to memory of 5064	5076	Setup (30).exe	101
PID 5076 wrote to memory of 2164	5076	Setup (30).exe	100
PID 5076 wrote to memory of 2164	5076	Setup (30).exe	100
PID 5076 wrote to memory of 2164	5076	Setup (30).exe	100
PID 5076 wrote to memory of 4812	5076	Setup (30).exe	99
PID 5076 wrote to memory of 4812	5076	Setup (30).exe	99
PID 5076 wrote to memory of 4812	5076	Setup (30).exe	99
PID 5076 wrote to memory of 572	5076	Setup (30).exe	96
PID 5076 wrote to memory of 572	5076	Setup (30).exe	96
PID 5076 wrote to memory of 572	5076	Setup (30).exe	96
PID 5076 wrote to memory of 2776	5076	Setup (30).exe	97
PID 5076 wrote to memory of 2776	5076	Setup (30).exe	97
PID 5076 wrote to memory of 2776	5076	Setup (30).exe	97
PID 5076 wrote to memory of 4440	5076	Setup (30).exe	98
PID 5076 wrote to memory of 4440	5076	Setup (30).exe	98
PID 5076 wrote to memory of 4440	5076	Setup (30).exe	98
PID 5076 wrote to memory of 1700	5076	Setup (30).exe	110
PID 5076 wrote to memory of 1700	5076	Setup (30).exe	110
PID 5076 wrote to memory of 1700	5076	Setup (30).exe	110
PID 5076 wrote to memory of 1776	5076	Setup (30).exe	109
PID 5076 wrote to memory of 1776	5076	Setup (30).exe	109
PID 5076 wrote to memory of 1900	5076	Setup (30).exe	108
PID 5076 wrote to memory of 1900	5076	Setup (30).exe	108
PID 5076 wrote to memory of 1900	5076	Setup (30).exe	108
PID 5076 wrote to memory of 1948	5076	Setup (30).exe	107
PID 5076 wrote to memory of 1948	5076	Setup (30).exe	107
PID 5076 wrote to memory of 2052	5076	Setup (30).exe	106
PID 5076 wrote to memory of 2052	5076	Setup (30).exe	106
PID 5076 wrote to memory of 2052	5076	Setup (30).exe	106
PID 5076 wrote to memory of 2096	5076	Setup (30).exe	105
PID 5076 wrote to memory of 2096	5076	Setup (30).exe	105
PID 5076 wrote to memory of 2096	5076	Setup (30).exe	105
PID 5076 wrote to memory of 5060	5076	Setup (30).exe	102
PID 5076 wrote to memory of 5060	5076	Setup (30).exe	102
PID 5076 wrote to memory of 5060	5076	Setup (30).exe	102
PID 5076 wrote to memory of 3528	5076	Setup (30).exe	115
PID 5076 wrote to memory of 3528	5076	Setup (30).exe	115
PID 5076 wrote to memory of 3528	5076	Setup (30).exe	115
PID 5076 wrote to memory of 916	5076	Setup (30).exe	114
PID 5076 wrote to memory of 916	5076	Setup (30).exe	114
PID 5076 wrote to memory of 916	5076	Setup (30).exe	114
PID 5076 wrote to memory of 556	5076	Setup (30).exe	113
PID 5076 wrote to memory of 556	5076	Setup (30).exe	113
PID 5076 wrote to memory of 556	5076	Setup (30).exe	113

C:\Users\Admin\AppData\Local\Temp\Setup (30).exe
"C:\Users\Admin\AppData\Local\Temp\Setup (30).exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5076
- C:\Users\Admin\Documents\dUXyeReacKPcaGvDU1HOVbtU.exe
  "C:\Users\Admin\Documents\dUXyeReacKPcaGvDU1HOVbtU.exe"
  2⤵
  - Executes dropped EXE
  PID:4896
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4896 -s 276
    3⤵
    - Program crash
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:404
- C:\Users\Admin\Documents\k8yuNbQxqUeHJJJRt9otPBgE.exe
  "C:\Users\Admin\Documents\k8yuNbQxqUeHJJJRt9otPBgE.exe"
  2⤵
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:3636
- C:\Users\Admin\Documents\ayRcwoFR7y59yFlh8l90qUNL.exe
  "C:\Users\Admin\Documents\ayRcwoFR7y59yFlh8l90qUNL.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:4056
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:3980
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:5152
- C:\Users\Admin\Documents\Rcr30u51AuRP3Wj_dRi5iZop.exe
  "C:\Users\Admin\Documents\Rcr30u51AuRP3Wj_dRi5iZop.exe"
  2⤵
  - Executes dropped EXE
  PID:3480
- - C:\Users\Admin\Documents\Rcr30u51AuRP3Wj_dRi5iZop.exe
    "C:\Users\Admin\Documents\Rcr30u51AuRP3Wj_dRi5iZop.exe"
    3⤵
    PID:4804
- C:\Users\Admin\Documents\67qwMNVozZhd105NbooLHhlN.exe
  "C:\Users\Admin\Documents\67qwMNVozZhd105NbooLHhlN.exe"
  2⤵
  - Executes dropped EXE
  PID:4904
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4904 -s 272
    3⤵
    - Program crash
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3748
- C:\Users\Admin\Documents\Vgfum4aTymephCoeVTIlZfaD.exe
  "C:\Users\Admin\Documents\Vgfum4aTymephCoeVTIlZfaD.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:4668
- - C:\Users\Admin\Documents\Vgfum4aTymephCoeVTIlZfaD.exe
    C:\Users\Admin\Documents\Vgfum4aTymephCoeVTIlZfaD.exe
    3⤵
    - Executes dropped EXE
    PID:4208
- - C:\Users\Admin\Documents\Vgfum4aTymephCoeVTIlZfaD.exe
    C:\Users\Admin\Documents\Vgfum4aTymephCoeVTIlZfaD.exe
    3⤵
    - Executes dropped EXE
    PID:4116
- - C:\Users\Admin\Documents\Vgfum4aTymephCoeVTIlZfaD.exe
    C:\Users\Admin\Documents\Vgfum4aTymephCoeVTIlZfaD.exe
    3⤵
    PID:5680
- - C:\Users\Admin\Documents\Vgfum4aTymephCoeVTIlZfaD.exe
    C:\Users\Admin\Documents\Vgfum4aTymephCoeVTIlZfaD.exe
    3⤵
    PID:5452
- - C:\Users\Admin\Documents\Vgfum4aTymephCoeVTIlZfaD.exe
    C:\Users\Admin\Documents\Vgfum4aTymephCoeVTIlZfaD.exe
    3⤵
    PID:6100
- - C:\Users\Admin\Documents\Vgfum4aTymephCoeVTIlZfaD.exe
    C:\Users\Admin\Documents\Vgfum4aTymephCoeVTIlZfaD.exe
    3⤵
    PID:6044
- - C:\Users\Admin\Documents\Vgfum4aTymephCoeVTIlZfaD.exe
    C:\Users\Admin\Documents\Vgfum4aTymephCoeVTIlZfaD.exe
    3⤵
    PID:5940
- - C:\Users\Admin\Documents\Vgfum4aTymephCoeVTIlZfaD.exe
    C:\Users\Admin\Documents\Vgfum4aTymephCoeVTIlZfaD.exe
    3⤵
    PID:228
- - C:\Users\Admin\Documents\Vgfum4aTymephCoeVTIlZfaD.exe
    C:\Users\Admin\Documents\Vgfum4aTymephCoeVTIlZfaD.exe
    3⤵
    PID:5284
- - C:\Users\Admin\Documents\Vgfum4aTymephCoeVTIlZfaD.exe
    C:\Users\Admin\Documents\Vgfum4aTymephCoeVTIlZfaD.exe
    3⤵
    PID:4468
- - C:\Users\Admin\Documents\Vgfum4aTymephCoeVTIlZfaD.exe
    C:\Users\Admin\Documents\Vgfum4aTymephCoeVTIlZfaD.exe
    3⤵
    PID:6752
- - C:\Users\Admin\Documents\Vgfum4aTymephCoeVTIlZfaD.exe
    C:\Users\Admin\Documents\Vgfum4aTymephCoeVTIlZfaD.exe
    3⤵
    PID:3460
- - C:\Users\Admin\Documents\Vgfum4aTymephCoeVTIlZfaD.exe
    C:\Users\Admin\Documents\Vgfum4aTymephCoeVTIlZfaD.exe
    3⤵
    PID:7160
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 7160 -s 28
      4⤵
      Program crash
      PID:6920
- - C:\Users\Admin\Documents\Vgfum4aTymephCoeVTIlZfaD.exe
    C:\Users\Admin\Documents\Vgfum4aTymephCoeVTIlZfaD.exe
    3⤵
    PID:6264
- - C:\Users\Admin\Documents\Vgfum4aTymephCoeVTIlZfaD.exe
    C:\Users\Admin\Documents\Vgfum4aTymephCoeVTIlZfaD.exe
    3⤵
    PID:4080
- - C:\Users\Admin\Documents\Vgfum4aTymephCoeVTIlZfaD.exe
    C:\Users\Admin\Documents\Vgfum4aTymephCoeVTIlZfaD.exe
    3⤵
    PID:6760
- - C:\Users\Admin\Documents\Vgfum4aTymephCoeVTIlZfaD.exe
    C:\Users\Admin\Documents\Vgfum4aTymephCoeVTIlZfaD.exe
    3⤵
    PID:7052
- - C:\Users\Admin\Documents\Vgfum4aTymephCoeVTIlZfaD.exe
    C:\Users\Admin\Documents\Vgfum4aTymephCoeVTIlZfaD.exe
    3⤵
    PID:5284
- - C:\Users\Admin\Documents\Vgfum4aTymephCoeVTIlZfaD.exe
    C:\Users\Admin\Documents\Vgfum4aTymephCoeVTIlZfaD.exe
    3⤵
    PID:7556
- - C:\Users\Admin\Documents\Vgfum4aTymephCoeVTIlZfaD.exe
    C:\Users\Admin\Documents\Vgfum4aTymephCoeVTIlZfaD.exe
    3⤵
    PID:3012
- - C:\Users\Admin\Documents\Vgfum4aTymephCoeVTIlZfaD.exe
    C:\Users\Admin\Documents\Vgfum4aTymephCoeVTIlZfaD.exe
    3⤵
    PID:7472
- - C:\Users\Admin\Documents\Vgfum4aTymephCoeVTIlZfaD.exe
    C:\Users\Admin\Documents\Vgfum4aTymephCoeVTIlZfaD.exe
    3⤵
    PID:7760
- - C:\Users\Admin\Documents\Vgfum4aTymephCoeVTIlZfaD.exe
    C:\Users\Admin\Documents\Vgfum4aTymephCoeVTIlZfaD.exe
    3⤵
    PID:1388
- - C:\Users\Admin\Documents\Vgfum4aTymephCoeVTIlZfaD.exe
    C:\Users\Admin\Documents\Vgfum4aTymephCoeVTIlZfaD.exe
    3⤵
    - Suspicious use of FindShellTrayWindow
    PID:1020
- - C:\Users\Admin\Documents\Vgfum4aTymephCoeVTIlZfaD.exe
    C:\Users\Admin\Documents\Vgfum4aTymephCoeVTIlZfaD.exe
    3⤵
    PID:7952
- - C:\Users\Admin\Documents\Vgfum4aTymephCoeVTIlZfaD.exe
    C:\Users\Admin\Documents\Vgfum4aTymephCoeVTIlZfaD.exe
    3⤵
    PID:8388
- - C:\Users\Admin\Documents\Vgfum4aTymephCoeVTIlZfaD.exe
    C:\Users\Admin\Documents\Vgfum4aTymephCoeVTIlZfaD.exe
    3⤵
    PID:8612
- - C:\Users\Admin\Documents\Vgfum4aTymephCoeVTIlZfaD.exe
    C:\Users\Admin\Documents\Vgfum4aTymephCoeVTIlZfaD.exe
    3⤵
    PID:7276
- - C:\Users\Admin\Documents\Vgfum4aTymephCoeVTIlZfaD.exe
    C:\Users\Admin\Documents\Vgfum4aTymephCoeVTIlZfaD.exe
    3⤵
    PID:2544
- - C:\Users\Admin\Documents\Vgfum4aTymephCoeVTIlZfaD.exe
    C:\Users\Admin\Documents\Vgfum4aTymephCoeVTIlZfaD.exe
    3⤵
    PID:5328
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5328 -s 28
      4⤵
      Program crash
      PID:8956
- - C:\Users\Admin\Documents\Vgfum4aTymephCoeVTIlZfaD.exe
    C:\Users\Admin\Documents\Vgfum4aTymephCoeVTIlZfaD.exe
    3⤵
    PID:1552
- - C:\Users\Admin\Documents\Vgfum4aTymephCoeVTIlZfaD.exe
    C:\Users\Admin\Documents\Vgfum4aTymephCoeVTIlZfaD.exe
    3⤵
    PID:7100
- - C:\Users\Admin\Documents\Vgfum4aTymephCoeVTIlZfaD.exe
    C:\Users\Admin\Documents\Vgfum4aTymephCoeVTIlZfaD.exe
    3⤵
    PID:3280
- - C:\Users\Admin\Documents\Vgfum4aTymephCoeVTIlZfaD.exe
    C:\Users\Admin\Documents\Vgfum4aTymephCoeVTIlZfaD.exe
    3⤵
    PID:9252
- - C:\Users\Admin\Documents\Vgfum4aTymephCoeVTIlZfaD.exe
    C:\Users\Admin\Documents\Vgfum4aTymephCoeVTIlZfaD.exe
    3⤵
    PID:10184
- - C:\Users\Admin\Documents\Vgfum4aTymephCoeVTIlZfaD.exe
    C:\Users\Admin\Documents\Vgfum4aTymephCoeVTIlZfaD.exe
    3⤵
    PID:9376
- - C:\Users\Admin\Documents\Vgfum4aTymephCoeVTIlZfaD.exe
    C:\Users\Admin\Documents\Vgfum4aTymephCoeVTIlZfaD.exe
    3⤵
    PID:9024
- - C:\Users\Admin\Documents\Vgfum4aTymephCoeVTIlZfaD.exe
    C:\Users\Admin\Documents\Vgfum4aTymephCoeVTIlZfaD.exe
    3⤵
    PID:10560
- - C:\Users\Admin\Documents\Vgfum4aTymephCoeVTIlZfaD.exe
    C:\Users\Admin\Documents\Vgfum4aTymephCoeVTIlZfaD.exe
    3⤵
    PID:5240
- - C:\Users\Admin\Documents\Vgfum4aTymephCoeVTIlZfaD.exe
    C:\Users\Admin\Documents\Vgfum4aTymephCoeVTIlZfaD.exe
    3⤵
    PID:7916
- - C:\Users\Admin\Documents\Vgfum4aTymephCoeVTIlZfaD.exe
    C:\Users\Admin\Documents\Vgfum4aTymephCoeVTIlZfaD.exe
    3⤵
    PID:11896
- - C:\Users\Admin\Documents\Vgfum4aTymephCoeVTIlZfaD.exe
    C:\Users\Admin\Documents\Vgfum4aTymephCoeVTIlZfaD.exe
    3⤵
    PID:9032
- - C:\Users\Admin\Documents\Vgfum4aTymephCoeVTIlZfaD.exe
    C:\Users\Admin\Documents\Vgfum4aTymephCoeVTIlZfaD.exe
    3⤵
    PID:12524
- - C:\Users\Admin\Documents\Vgfum4aTymephCoeVTIlZfaD.exe
    C:\Users\Admin\Documents\Vgfum4aTymephCoeVTIlZfaD.exe
    3⤵
    PID:11052
- - C:\Users\Admin\Documents\Vgfum4aTymephCoeVTIlZfaD.exe
    C:\Users\Admin\Documents\Vgfum4aTymephCoeVTIlZfaD.exe
    3⤵
    PID:2788
- - C:\Users\Admin\Documents\Vgfum4aTymephCoeVTIlZfaD.exe
    C:\Users\Admin\Documents\Vgfum4aTymephCoeVTIlZfaD.exe
    3⤵
    PID:13920
- - C:\Users\Admin\Documents\Vgfum4aTymephCoeVTIlZfaD.exe
    C:\Users\Admin\Documents\Vgfum4aTymephCoeVTIlZfaD.exe
    3⤵
    PID:15068
- - C:\Users\Admin\Documents\Vgfum4aTymephCoeVTIlZfaD.exe
    C:\Users\Admin\Documents\Vgfum4aTymephCoeVTIlZfaD.exe
    3⤵
    PID:6288
- - C:\Users\Admin\Documents\Vgfum4aTymephCoeVTIlZfaD.exe
    C:\Users\Admin\Documents\Vgfum4aTymephCoeVTIlZfaD.exe
    3⤵
    PID:2220
- - C:\Users\Admin\Documents\Vgfum4aTymephCoeVTIlZfaD.exe
    C:\Users\Admin\Documents\Vgfum4aTymephCoeVTIlZfaD.exe
    3⤵
    PID:13128
- - C:\Users\Admin\Documents\Vgfum4aTymephCoeVTIlZfaD.exe
    C:\Users\Admin\Documents\Vgfum4aTymephCoeVTIlZfaD.exe
    3⤵
    PID:5484
- - C:\Users\Admin\Documents\Vgfum4aTymephCoeVTIlZfaD.exe
    C:\Users\Admin\Documents\Vgfum4aTymephCoeVTIlZfaD.exe
    3⤵
    PID:10720
- - C:\Users\Admin\Documents\Vgfum4aTymephCoeVTIlZfaD.exe
    C:\Users\Admin\Documents\Vgfum4aTymephCoeVTIlZfaD.exe
    3⤵
    PID:1956
- - C:\Users\Admin\Documents\Vgfum4aTymephCoeVTIlZfaD.exe
    C:\Users\Admin\Documents\Vgfum4aTymephCoeVTIlZfaD.exe
    3⤵
    PID:11516
- - C:\Users\Admin\Documents\Vgfum4aTymephCoeVTIlZfaD.exe
    C:\Users\Admin\Documents\Vgfum4aTymephCoeVTIlZfaD.exe
    3⤵
    PID:16328
- - C:\Users\Admin\Documents\Vgfum4aTymephCoeVTIlZfaD.exe
    C:\Users\Admin\Documents\Vgfum4aTymephCoeVTIlZfaD.exe
    3⤵
    PID:17268
- - C:\Users\Admin\Documents\Vgfum4aTymephCoeVTIlZfaD.exe
    C:\Users\Admin\Documents\Vgfum4aTymephCoeVTIlZfaD.exe
    3⤵
    PID:11428
- - C:\Users\Admin\Documents\Vgfum4aTymephCoeVTIlZfaD.exe
    C:\Users\Admin\Documents\Vgfum4aTymephCoeVTIlZfaD.exe
    3⤵
    PID:17112
- - C:\Users\Admin\Documents\Vgfum4aTymephCoeVTIlZfaD.exe
    C:\Users\Admin\Documents\Vgfum4aTymephCoeVTIlZfaD.exe
    3⤵
    PID:16216
- - C:\Users\Admin\Documents\Vgfum4aTymephCoeVTIlZfaD.exe
    C:\Users\Admin\Documents\Vgfum4aTymephCoeVTIlZfaD.exe
    3⤵
    PID:12456
- - C:\Users\Admin\Documents\Vgfum4aTymephCoeVTIlZfaD.exe
    C:\Users\Admin\Documents\Vgfum4aTymephCoeVTIlZfaD.exe
    3⤵
    PID:9232
- - C:\Users\Admin\Documents\Vgfum4aTymephCoeVTIlZfaD.exe
    C:\Users\Admin\Documents\Vgfum4aTymephCoeVTIlZfaD.exe
    3⤵
    PID:18404
- - C:\Users\Admin\Documents\Vgfum4aTymephCoeVTIlZfaD.exe
    C:\Users\Admin\Documents\Vgfum4aTymephCoeVTIlZfaD.exe
    3⤵
    PID:5140
- - C:\Users\Admin\Documents\Vgfum4aTymephCoeVTIlZfaD.exe
    C:\Users\Admin\Documents\Vgfum4aTymephCoeVTIlZfaD.exe
    3⤵
    PID:17940
- - C:\Users\Admin\Documents\Vgfum4aTymephCoeVTIlZfaD.exe
    C:\Users\Admin\Documents\Vgfum4aTymephCoeVTIlZfaD.exe
    3⤵
    PID:14404
- - C:\Users\Admin\Documents\Vgfum4aTymephCoeVTIlZfaD.exe
    C:\Users\Admin\Documents\Vgfum4aTymephCoeVTIlZfaD.exe
    3⤵
    PID:5300
- - C:\Users\Admin\Documents\Vgfum4aTymephCoeVTIlZfaD.exe
    C:\Users\Admin\Documents\Vgfum4aTymephCoeVTIlZfaD.exe
    3⤵
    PID:18248
- - C:\Users\Admin\Documents\Vgfum4aTymephCoeVTIlZfaD.exe
    C:\Users\Admin\Documents\Vgfum4aTymephCoeVTIlZfaD.exe
    3⤵
    PID:15528
- - C:\Users\Admin\Documents\Vgfum4aTymephCoeVTIlZfaD.exe
    C:\Users\Admin\Documents\Vgfum4aTymephCoeVTIlZfaD.exe
    3⤵
    PID:20028
- C:\Users\Admin\Documents\TFa4xZw4mEcxH9fJ039xf5fV.exe
  "C:\Users\Admin\Documents\TFa4xZw4mEcxH9fJ039xf5fV.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:572
- - C:\Users\Admin\Documents\TFa4xZw4mEcxH9fJ039xf5fV.exe
    "C:\Users\Admin\Documents\TFa4xZw4mEcxH9fJ039xf5fV.exe"
    3⤵
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    PID:3992
- C:\Users\Admin\Documents\Erm2BszJ9GeJwFKmgwNCV5rd.exe
  "C:\Users\Admin\Documents\Erm2BszJ9GeJwFKmgwNCV5rd.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:2776
- - C:\Program Files (x86)\Company\NewProduct\cutm3.exe
    "C:\Program Files (x86)\Company\NewProduct\cutm3.exe"
    3⤵
    - Executes dropped EXE
    PID:4900
- - C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
    "C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"
    3⤵
    - Executes dropped EXE
    PID:2204
- - C:\Program Files (x86)\Company\NewProduct\inst001.exe
    "C:\Program Files (x86)\Company\NewProduct\inst001.exe"
    3⤵
    - Executes dropped EXE
    PID:1316
- C:\Users\Admin\Documents\ExJnXBJuf7z9o42gRu50L0pe.exe
  "C:\Users\Admin\Documents\ExJnXBJuf7z9o42gRu50L0pe.exe"
  2⤵
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:4440
- C:\Users\Admin\Documents\Y8CRCCRcFEZqKYDfW9u6j4UT.exe
  "C:\Users\Admin\Documents\Y8CRCCRcFEZqKYDfW9u6j4UT.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:4812
- - C:\Users\Admin\Documents\Y8CRCCRcFEZqKYDfW9u6j4UT.exe
    C:\Users\Admin\Documents\Y8CRCCRcFEZqKYDfW9u6j4UT.exe
    3⤵
    - Executes dropped EXE
    PID:1936
- - C:\Users\Admin\Documents\Y8CRCCRcFEZqKYDfW9u6j4UT.exe
    C:\Users\Admin\Documents\Y8CRCCRcFEZqKYDfW9u6j4UT.exe
    3⤵
    PID:5364
- - C:\Users\Admin\Documents\Y8CRCCRcFEZqKYDfW9u6j4UT.exe
    C:\Users\Admin\Documents\Y8CRCCRcFEZqKYDfW9u6j4UT.exe
    3⤵
    PID:5988
- - C:\Users\Admin\Documents\Y8CRCCRcFEZqKYDfW9u6j4UT.exe
    C:\Users\Admin\Documents\Y8CRCCRcFEZqKYDfW9u6j4UT.exe
    3⤵
    PID:5756
- - C:\Users\Admin\Documents\Y8CRCCRcFEZqKYDfW9u6j4UT.exe
    C:\Users\Admin\Documents\Y8CRCCRcFEZqKYDfW9u6j4UT.exe
    3⤵
    PID:4164
- - C:\Users\Admin\Documents\Y8CRCCRcFEZqKYDfW9u6j4UT.exe
    C:\Users\Admin\Documents\Y8CRCCRcFEZqKYDfW9u6j4UT.exe
    3⤵
    PID:1572
- - C:\Users\Admin\Documents\Y8CRCCRcFEZqKYDfW9u6j4UT.exe
    C:\Users\Admin\Documents\Y8CRCCRcFEZqKYDfW9u6j4UT.exe
    3⤵
    - Executes dropped EXE
    PID:1172
- - C:\Users\Admin\Documents\Y8CRCCRcFEZqKYDfW9u6j4UT.exe
    C:\Users\Admin\Documents\Y8CRCCRcFEZqKYDfW9u6j4UT.exe
    3⤵
    PID:3128
- - C:\Users\Admin\Documents\Y8CRCCRcFEZqKYDfW9u6j4UT.exe
    C:\Users\Admin\Documents\Y8CRCCRcFEZqKYDfW9u6j4UT.exe
    3⤵
    PID:3684
- - C:\Users\Admin\Documents\Y8CRCCRcFEZqKYDfW9u6j4UT.exe
    C:\Users\Admin\Documents\Y8CRCCRcFEZqKYDfW9u6j4UT.exe
    3⤵
    PID:6500
- - C:\Users\Admin\Documents\Y8CRCCRcFEZqKYDfW9u6j4UT.exe
    C:\Users\Admin\Documents\Y8CRCCRcFEZqKYDfW9u6j4UT.exe
    3⤵
    PID:5372
- - C:\Users\Admin\Documents\Y8CRCCRcFEZqKYDfW9u6j4UT.exe
    C:\Users\Admin\Documents\Y8CRCCRcFEZqKYDfW9u6j4UT.exe
    3⤵
    PID:6984
- - C:\Users\Admin\Documents\Y8CRCCRcFEZqKYDfW9u6j4UT.exe
    C:\Users\Admin\Documents\Y8CRCCRcFEZqKYDfW9u6j4UT.exe
    3⤵
    PID:1484
- - C:\Users\Admin\Documents\Y8CRCCRcFEZqKYDfW9u6j4UT.exe
    C:\Users\Admin\Documents\Y8CRCCRcFEZqKYDfW9u6j4UT.exe
    3⤵
    PID:6824
- - C:\Users\Admin\Documents\Y8CRCCRcFEZqKYDfW9u6j4UT.exe
    C:\Users\Admin\Documents\Y8CRCCRcFEZqKYDfW9u6j4UT.exe
    3⤵
    PID:4848
- - C:\Users\Admin\Documents\Y8CRCCRcFEZqKYDfW9u6j4UT.exe
    C:\Users\Admin\Documents\Y8CRCCRcFEZqKYDfW9u6j4UT.exe
    3⤵
    PID:3140
- - C:\Users\Admin\Documents\Y8CRCCRcFEZqKYDfW9u6j4UT.exe
    C:\Users\Admin\Documents\Y8CRCCRcFEZqKYDfW9u6j4UT.exe
    3⤵
    PID:7772
- - C:\Users\Admin\Documents\Y8CRCCRcFEZqKYDfW9u6j4UT.exe
    C:\Users\Admin\Documents\Y8CRCCRcFEZqKYDfW9u6j4UT.exe
    3⤵
    PID:6872
- - C:\Users\Admin\Documents\Y8CRCCRcFEZqKYDfW9u6j4UT.exe
    C:\Users\Admin\Documents\Y8CRCCRcFEZqKYDfW9u6j4UT.exe
    3⤵
    PID:8004
- - C:\Users\Admin\Documents\Y8CRCCRcFEZqKYDfW9u6j4UT.exe
    C:\Users\Admin\Documents\Y8CRCCRcFEZqKYDfW9u6j4UT.exe
    3⤵
    PID:2004
- - C:\Users\Admin\Documents\Y8CRCCRcFEZqKYDfW9u6j4UT.exe
    C:\Users\Admin\Documents\Y8CRCCRcFEZqKYDfW9u6j4UT.exe
    3⤵
    PID:7352
- - C:\Users\Admin\Documents\Y8CRCCRcFEZqKYDfW9u6j4UT.exe
    C:\Users\Admin\Documents\Y8CRCCRcFEZqKYDfW9u6j4UT.exe
    3⤵
    PID:7872
- - C:\Users\Admin\Documents\Y8CRCCRcFEZqKYDfW9u6j4UT.exe
    C:\Users\Admin\Documents\Y8CRCCRcFEZqKYDfW9u6j4UT.exe
    3⤵
    PID:8196
- - C:\Users\Admin\Documents\Y8CRCCRcFEZqKYDfW9u6j4UT.exe
    C:\Users\Admin\Documents\Y8CRCCRcFEZqKYDfW9u6j4UT.exe
    3⤵
    PID:8480
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 8480 -s 28
      4⤵
      Program crash
      PID:7460
- - C:\Users\Admin\Documents\Y8CRCCRcFEZqKYDfW9u6j4UT.exe
    C:\Users\Admin\Documents\Y8CRCCRcFEZqKYDfW9u6j4UT.exe
    3⤵
    PID:7864
- - C:\Users\Admin\Documents\Y8CRCCRcFEZqKYDfW9u6j4UT.exe
    C:\Users\Admin\Documents\Y8CRCCRcFEZqKYDfW9u6j4UT.exe
    3⤵
    PID:7616
- - C:\Users\Admin\Documents\Y8CRCCRcFEZqKYDfW9u6j4UT.exe
    C:\Users\Admin\Documents\Y8CRCCRcFEZqKYDfW9u6j4UT.exe
    3⤵
    PID:2384
- - C:\Users\Admin\Documents\Y8CRCCRcFEZqKYDfW9u6j4UT.exe
    C:\Users\Admin\Documents\Y8CRCCRcFEZqKYDfW9u6j4UT.exe
    3⤵
    PID:9128
- - C:\Users\Admin\Documents\Y8CRCCRcFEZqKYDfW9u6j4UT.exe
    C:\Users\Admin\Documents\Y8CRCCRcFEZqKYDfW9u6j4UT.exe
    3⤵
    PID:9596
- - C:\Users\Admin\Documents\Y8CRCCRcFEZqKYDfW9u6j4UT.exe
    C:\Users\Admin\Documents\Y8CRCCRcFEZqKYDfW9u6j4UT.exe
    3⤵
    PID:1648
- - C:\Users\Admin\Documents\Y8CRCCRcFEZqKYDfW9u6j4UT.exe
    C:\Users\Admin\Documents\Y8CRCCRcFEZqKYDfW9u6j4UT.exe
    3⤵
    PID:1996
- - C:\Users\Admin\Documents\Y8CRCCRcFEZqKYDfW9u6j4UT.exe
    C:\Users\Admin\Documents\Y8CRCCRcFEZqKYDfW9u6j4UT.exe
    3⤵
    PID:10052
- - C:\Users\Admin\Documents\Y8CRCCRcFEZqKYDfW9u6j4UT.exe
    C:\Users\Admin\Documents\Y8CRCCRcFEZqKYDfW9u6j4UT.exe
    3⤵
    PID:6608
- - C:\Users\Admin\Documents\Y8CRCCRcFEZqKYDfW9u6j4UT.exe
    C:\Users\Admin\Documents\Y8CRCCRcFEZqKYDfW9u6j4UT.exe
    3⤵
    PID:11176
- - C:\Users\Admin\Documents\Y8CRCCRcFEZqKYDfW9u6j4UT.exe
    C:\Users\Admin\Documents\Y8CRCCRcFEZqKYDfW9u6j4UT.exe
    3⤵
    PID:10860
- - C:\Users\Admin\Documents\Y8CRCCRcFEZqKYDfW9u6j4UT.exe
    C:\Users\Admin\Documents\Y8CRCCRcFEZqKYDfW9u6j4UT.exe
    3⤵
    PID:8904
- - C:\Users\Admin\Documents\Y8CRCCRcFEZqKYDfW9u6j4UT.exe
    C:\Users\Admin\Documents\Y8CRCCRcFEZqKYDfW9u6j4UT.exe
    3⤵
    PID:1316
- - C:\Users\Admin\Documents\Y8CRCCRcFEZqKYDfW9u6j4UT.exe
    C:\Users\Admin\Documents\Y8CRCCRcFEZqKYDfW9u6j4UT.exe
    3⤵
    PID:3976
- - C:\Users\Admin\Documents\Y8CRCCRcFEZqKYDfW9u6j4UT.exe
    C:\Users\Admin\Documents\Y8CRCCRcFEZqKYDfW9u6j4UT.exe
    3⤵
    PID:2268
- - C:\Users\Admin\Documents\Y8CRCCRcFEZqKYDfW9u6j4UT.exe
    C:\Users\Admin\Documents\Y8CRCCRcFEZqKYDfW9u6j4UT.exe
    3⤵
    PID:4160
- - C:\Users\Admin\Documents\Y8CRCCRcFEZqKYDfW9u6j4UT.exe
    C:\Users\Admin\Documents\Y8CRCCRcFEZqKYDfW9u6j4UT.exe
    3⤵
    PID:11332
- - C:\Users\Admin\Documents\Y8CRCCRcFEZqKYDfW9u6j4UT.exe
    C:\Users\Admin\Documents\Y8CRCCRcFEZqKYDfW9u6j4UT.exe
    3⤵
    PID:10608
- - C:\Users\Admin\Documents\Y8CRCCRcFEZqKYDfW9u6j4UT.exe
    C:\Users\Admin\Documents\Y8CRCCRcFEZqKYDfW9u6j4UT.exe
    3⤵
    PID:11684
- - C:\Users\Admin\Documents\Y8CRCCRcFEZqKYDfW9u6j4UT.exe
    C:\Users\Admin\Documents\Y8CRCCRcFEZqKYDfW9u6j4UT.exe
    3⤵
    PID:12248
- - C:\Users\Admin\Documents\Y8CRCCRcFEZqKYDfW9u6j4UT.exe
    C:\Users\Admin\Documents\Y8CRCCRcFEZqKYDfW9u6j4UT.exe
    3⤵
    PID:11296
- - C:\Users\Admin\Documents\Y8CRCCRcFEZqKYDfW9u6j4UT.exe
    C:\Users\Admin\Documents\Y8CRCCRcFEZqKYDfW9u6j4UT.exe
    3⤵
    PID:13032
- - C:\Users\Admin\Documents\Y8CRCCRcFEZqKYDfW9u6j4UT.exe
    C:\Users\Admin\Documents\Y8CRCCRcFEZqKYDfW9u6j4UT.exe
    3⤵
    PID:12692
- - C:\Users\Admin\Documents\Y8CRCCRcFEZqKYDfW9u6j4UT.exe
    C:\Users\Admin\Documents\Y8CRCCRcFEZqKYDfW9u6j4UT.exe
    3⤵
    PID:6700
- - C:\Users\Admin\Documents\Y8CRCCRcFEZqKYDfW9u6j4UT.exe
    C:\Users\Admin\Documents\Y8CRCCRcFEZqKYDfW9u6j4UT.exe
    3⤵
    PID:9984
- - C:\Users\Admin\Documents\Y8CRCCRcFEZqKYDfW9u6j4UT.exe
    C:\Users\Admin\Documents\Y8CRCCRcFEZqKYDfW9u6j4UT.exe
    3⤵
    PID:13988
- - C:\Users\Admin\Documents\Y8CRCCRcFEZqKYDfW9u6j4UT.exe
    C:\Users\Admin\Documents\Y8CRCCRcFEZqKYDfW9u6j4UT.exe
    3⤵
    PID:15324
- - C:\Users\Admin\Documents\Y8CRCCRcFEZqKYDfW9u6j4UT.exe
    C:\Users\Admin\Documents\Y8CRCCRcFEZqKYDfW9u6j4UT.exe
    3⤵
    PID:1656
- - C:\Users\Admin\Documents\Y8CRCCRcFEZqKYDfW9u6j4UT.exe
    C:\Users\Admin\Documents\Y8CRCCRcFEZqKYDfW9u6j4UT.exe
    3⤵
    PID:13124
- - C:\Users\Admin\Documents\Y8CRCCRcFEZqKYDfW9u6j4UT.exe
    C:\Users\Admin\Documents\Y8CRCCRcFEZqKYDfW9u6j4UT.exe
    3⤵
    PID:14488
- - C:\Users\Admin\Documents\Y8CRCCRcFEZqKYDfW9u6j4UT.exe
    C:\Users\Admin\Documents\Y8CRCCRcFEZqKYDfW9u6j4UT.exe
    3⤵
    PID:12588
- - C:\Users\Admin\Documents\Y8CRCCRcFEZqKYDfW9u6j4UT.exe
    C:\Users\Admin\Documents\Y8CRCCRcFEZqKYDfW9u6j4UT.exe
    3⤵
    PID:14616
- - C:\Users\Admin\Documents\Y8CRCCRcFEZqKYDfW9u6j4UT.exe
    C:\Users\Admin\Documents\Y8CRCCRcFEZqKYDfW9u6j4UT.exe
    3⤵
    PID:16928
- - C:\Users\Admin\Documents\Y8CRCCRcFEZqKYDfW9u6j4UT.exe
    C:\Users\Admin\Documents\Y8CRCCRcFEZqKYDfW9u6j4UT.exe
    3⤵
    PID:9988
- - C:\Users\Admin\Documents\Y8CRCCRcFEZqKYDfW9u6j4UT.exe
    C:\Users\Admin\Documents\Y8CRCCRcFEZqKYDfW9u6j4UT.exe
    3⤵
    PID:14980
- - C:\Users\Admin\Documents\Y8CRCCRcFEZqKYDfW9u6j4UT.exe
    C:\Users\Admin\Documents\Y8CRCCRcFEZqKYDfW9u6j4UT.exe
    3⤵
    PID:17808
- - C:\Users\Admin\Documents\Y8CRCCRcFEZqKYDfW9u6j4UT.exe
    C:\Users\Admin\Documents\Y8CRCCRcFEZqKYDfW9u6j4UT.exe
    3⤵
    PID:10836
- - C:\Users\Admin\Documents\Y8CRCCRcFEZqKYDfW9u6j4UT.exe
    C:\Users\Admin\Documents\Y8CRCCRcFEZqKYDfW9u6j4UT.exe
    3⤵
    PID:17384
- - C:\Users\Admin\Documents\Y8CRCCRcFEZqKYDfW9u6j4UT.exe
    C:\Users\Admin\Documents\Y8CRCCRcFEZqKYDfW9u6j4UT.exe
    3⤵
    PID:17444
- - C:\Users\Admin\Documents\Y8CRCCRcFEZqKYDfW9u6j4UT.exe
    C:\Users\Admin\Documents\Y8CRCCRcFEZqKYDfW9u6j4UT.exe
    3⤵
    PID:14100
- - C:\Users\Admin\Documents\Y8CRCCRcFEZqKYDfW9u6j4UT.exe
    C:\Users\Admin\Documents\Y8CRCCRcFEZqKYDfW9u6j4UT.exe
    3⤵
    PID:17344
- - C:\Users\Admin\Documents\Y8CRCCRcFEZqKYDfW9u6j4UT.exe
    C:\Users\Admin\Documents\Y8CRCCRcFEZqKYDfW9u6j4UT.exe
    3⤵
    PID:19248
- - C:\Users\Admin\Documents\Y8CRCCRcFEZqKYDfW9u6j4UT.exe
    C:\Users\Admin\Documents\Y8CRCCRcFEZqKYDfW9u6j4UT.exe
    3⤵
    PID:7340
- - C:\Users\Admin\Documents\Y8CRCCRcFEZqKYDfW9u6j4UT.exe
    C:\Users\Admin\Documents\Y8CRCCRcFEZqKYDfW9u6j4UT.exe
    3⤵
    PID:18960
- C:\Users\Admin\Documents\50HF8DFT_Aawssn3W3sPl3x2.exe
  "C:\Users\Admin\Documents\50HF8DFT_Aawssn3W3sPl3x2.exe"
  2⤵
  - Executes dropped EXE
  PID:2164
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2164 -s 280
    3⤵
    - Program crash
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    PID:3444
- C:\Users\Admin\Documents\ivmnwS1s6eAWPp_8fthpj0W7.exe
  "C:\Users\Admin\Documents\ivmnwS1s6eAWPp_8fthpj0W7.exe"
  2⤵
  - Executes dropped EXE
  PID:5064
- - C:\Users\Admin\Documents\ivmnwS1s6eAWPp_8fthpj0W7.exe
    "C:\Users\Admin\Documents\ivmnwS1s6eAWPp_8fthpj0W7.exe"
    3⤵
    PID:6916
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 6916 -s 1920
      4⤵
      Program crash
      PID:5856
- C:\Users\Admin\Documents\tDyGii9qXOyQHXlEJDwoTHqb.exe
  "C:\Users\Admin\Documents\tDyGii9qXOyQHXlEJDwoTHqb.exe"
  2⤵
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:5060
- C:\Users\Admin\Documents\kbm8FrOgRa2pr0qqqr2FmX5s.exe
  "C:\Users\Admin\Documents\kbm8FrOgRa2pr0qqqr2FmX5s.exe"
  2⤵
  - Executes dropped EXE
  PID:2096
- - C:\Users\Admin\Documents\kbm8FrOgRa2pr0qqqr2FmX5s.exe
    C:\Users\Admin\Documents\kbm8FrOgRa2pr0qqqr2FmX5s.exe
    3⤵
    PID:1432
- - C:\Users\Admin\Documents\kbm8FrOgRa2pr0qqqr2FmX5s.exe
    C:\Users\Admin\Documents\kbm8FrOgRa2pr0qqqr2FmX5s.exe
    3⤵
    PID:5532
- - C:\Users\Admin\Documents\kbm8FrOgRa2pr0qqqr2FmX5s.exe
    C:\Users\Admin\Documents\kbm8FrOgRa2pr0qqqr2FmX5s.exe
    3⤵
    PID:2492
- - C:\Users\Admin\Documents\kbm8FrOgRa2pr0qqqr2FmX5s.exe
    C:\Users\Admin\Documents\kbm8FrOgRa2pr0qqqr2FmX5s.exe
    3⤵
    - Suspicious use of NtCreateProcessExOtherParentProcess
    PID:5720
- - C:\Users\Admin\Documents\kbm8FrOgRa2pr0qqqr2FmX5s.exe
    C:\Users\Admin\Documents\kbm8FrOgRa2pr0qqqr2FmX5s.exe
    3⤵
    PID:3048
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3048 -s 28
      4⤵
      Program crash
      PID:2676
- - C:\Users\Admin\Documents\kbm8FrOgRa2pr0qqqr2FmX5s.exe
    C:\Users\Admin\Documents\kbm8FrOgRa2pr0qqqr2FmX5s.exe
    3⤵
    PID:5624
- - C:\Users\Admin\Documents\kbm8FrOgRa2pr0qqqr2FmX5s.exe
    C:\Users\Admin\Documents\kbm8FrOgRa2pr0qqqr2FmX5s.exe
    3⤵
    PID:5104
- - C:\Users\Admin\Documents\kbm8FrOgRa2pr0qqqr2FmX5s.exe
    C:\Users\Admin\Documents\kbm8FrOgRa2pr0qqqr2FmX5s.exe
    3⤵
    PID:2052
- - C:\Users\Admin\Documents\kbm8FrOgRa2pr0qqqr2FmX5s.exe
    C:\Users\Admin\Documents\kbm8FrOgRa2pr0qqqr2FmX5s.exe
    3⤵
    PID:6252
- - C:\Users\Admin\Documents\kbm8FrOgRa2pr0qqqr2FmX5s.exe
    C:\Users\Admin\Documents\kbm8FrOgRa2pr0qqqr2FmX5s.exe
    3⤵
    PID:7000
- - C:\Users\Admin\Documents\kbm8FrOgRa2pr0qqqr2FmX5s.exe
    C:\Users\Admin\Documents\kbm8FrOgRa2pr0qqqr2FmX5s.exe
    3⤵
    PID:6528
- - C:\Users\Admin\Documents\kbm8FrOgRa2pr0qqqr2FmX5s.exe
    C:\Users\Admin\Documents\kbm8FrOgRa2pr0qqqr2FmX5s.exe
    3⤵
    PID:2408
- - C:\Users\Admin\Documents\kbm8FrOgRa2pr0qqqr2FmX5s.exe
    C:\Users\Admin\Documents\kbm8FrOgRa2pr0qqqr2FmX5s.exe
    3⤵
    PID:6256
- - C:\Users\Admin\Documents\kbm8FrOgRa2pr0qqqr2FmX5s.exe
    C:\Users\Admin\Documents\kbm8FrOgRa2pr0qqqr2FmX5s.exe
    3⤵
    PID:6968
- - C:\Users\Admin\Documents\kbm8FrOgRa2pr0qqqr2FmX5s.exe
    C:\Users\Admin\Documents\kbm8FrOgRa2pr0qqqr2FmX5s.exe
    3⤵
    PID:7088
- - C:\Users\Admin\Documents\kbm8FrOgRa2pr0qqqr2FmX5s.exe
    C:\Users\Admin\Documents\kbm8FrOgRa2pr0qqqr2FmX5s.exe
    3⤵
    PID:5424
- - C:\Users\Admin\Documents\kbm8FrOgRa2pr0qqqr2FmX5s.exe
    C:\Users\Admin\Documents\kbm8FrOgRa2pr0qqqr2FmX5s.exe
    3⤵
    PID:8052
- - C:\Users\Admin\Documents\kbm8FrOgRa2pr0qqqr2FmX5s.exe
    C:\Users\Admin\Documents\kbm8FrOgRa2pr0qqqr2FmX5s.exe
    3⤵
    PID:7604
- - C:\Users\Admin\Documents\kbm8FrOgRa2pr0qqqr2FmX5s.exe
    C:\Users\Admin\Documents\kbm8FrOgRa2pr0qqqr2FmX5s.exe
    3⤵
    PID:5404
- - C:\Users\Admin\Documents\kbm8FrOgRa2pr0qqqr2FmX5s.exe
    C:\Users\Admin\Documents\kbm8FrOgRa2pr0qqqr2FmX5s.exe
    3⤵
    PID:5916
- - C:\Users\Admin\Documents\kbm8FrOgRa2pr0qqqr2FmX5s.exe
    C:\Users\Admin\Documents\kbm8FrOgRa2pr0qqqr2FmX5s.exe
    3⤵
    PID:960
- - C:\Users\Admin\Documents\kbm8FrOgRa2pr0qqqr2FmX5s.exe
    C:\Users\Admin\Documents\kbm8FrOgRa2pr0qqqr2FmX5s.exe
    3⤵
    PID:7232
- - C:\Users\Admin\Documents\kbm8FrOgRa2pr0qqqr2FmX5s.exe
    C:\Users\Admin\Documents\kbm8FrOgRa2pr0qqqr2FmX5s.exe
    3⤵
    PID:8336
- - C:\Users\Admin\Documents\kbm8FrOgRa2pr0qqqr2FmX5s.exe
    C:\Users\Admin\Documents\kbm8FrOgRa2pr0qqqr2FmX5s.exe
    3⤵
    PID:8832
- - C:\Users\Admin\Documents\kbm8FrOgRa2pr0qqqr2FmX5s.exe
    C:\Users\Admin\Documents\kbm8FrOgRa2pr0qqqr2FmX5s.exe
    3⤵
    PID:3224
- - C:\Users\Admin\Documents\kbm8FrOgRa2pr0qqqr2FmX5s.exe
    C:\Users\Admin\Documents\kbm8FrOgRa2pr0qqqr2FmX5s.exe
    3⤵
    PID:1040
- - C:\Users\Admin\Documents\kbm8FrOgRa2pr0qqqr2FmX5s.exe
    C:\Users\Admin\Documents\kbm8FrOgRa2pr0qqqr2FmX5s.exe
    3⤵
    PID:7664
- - C:\Users\Admin\Documents\kbm8FrOgRa2pr0qqqr2FmX5s.exe
    C:\Users\Admin\Documents\kbm8FrOgRa2pr0qqqr2FmX5s.exe
    3⤵
    PID:5032
- - C:\Users\Admin\Documents\kbm8FrOgRa2pr0qqqr2FmX5s.exe
    C:\Users\Admin\Documents\kbm8FrOgRa2pr0qqqr2FmX5s.exe
    3⤵
    PID:9656
- - C:\Users\Admin\Documents\kbm8FrOgRa2pr0qqqr2FmX5s.exe
    C:\Users\Admin\Documents\kbm8FrOgRa2pr0qqqr2FmX5s.exe
    3⤵
    PID:9276
- - C:\Users\Admin\Documents\kbm8FrOgRa2pr0qqqr2FmX5s.exe
    C:\Users\Admin\Documents\kbm8FrOgRa2pr0qqqr2FmX5s.exe
    3⤵
    PID:9460
- - C:\Users\Admin\Documents\kbm8FrOgRa2pr0qqqr2FmX5s.exe
    C:\Users\Admin\Documents\kbm8FrOgRa2pr0qqqr2FmX5s.exe
    3⤵
    PID:10352
- - C:\Users\Admin\Documents\kbm8FrOgRa2pr0qqqr2FmX5s.exe
    C:\Users\Admin\Documents\kbm8FrOgRa2pr0qqqr2FmX5s.exe
    3⤵
    PID:10420
- - C:\Users\Admin\Documents\kbm8FrOgRa2pr0qqqr2FmX5s.exe
    C:\Users\Admin\Documents\kbm8FrOgRa2pr0qqqr2FmX5s.exe
    3⤵
    PID:7620
- - C:\Users\Admin\Documents\kbm8FrOgRa2pr0qqqr2FmX5s.exe
    C:\Users\Admin\Documents\kbm8FrOgRa2pr0qqqr2FmX5s.exe
    3⤵
    PID:6024
- - C:\Users\Admin\Documents\kbm8FrOgRa2pr0qqqr2FmX5s.exe
    C:\Users\Admin\Documents\kbm8FrOgRa2pr0qqqr2FmX5s.exe
    3⤵
    PID:10572
- - C:\Users\Admin\Documents\kbm8FrOgRa2pr0qqqr2FmX5s.exe
    C:\Users\Admin\Documents\kbm8FrOgRa2pr0qqqr2FmX5s.exe
    3⤵
    PID:6448
- - C:\Users\Admin\Documents\kbm8FrOgRa2pr0qqqr2FmX5s.exe
    C:\Users\Admin\Documents\kbm8FrOgRa2pr0qqqr2FmX5s.exe
    3⤵
    PID:9136
- - C:\Users\Admin\Documents\kbm8FrOgRa2pr0qqqr2FmX5s.exe
    C:\Users\Admin\Documents\kbm8FrOgRa2pr0qqqr2FmX5s.exe
    3⤵
    PID:10388
- - C:\Users\Admin\Documents\kbm8FrOgRa2pr0qqqr2FmX5s.exe
    C:\Users\Admin\Documents\kbm8FrOgRa2pr0qqqr2FmX5s.exe
    3⤵
    PID:11484
- - C:\Users\Admin\Documents\kbm8FrOgRa2pr0qqqr2FmX5s.exe
    C:\Users\Admin\Documents\kbm8FrOgRa2pr0qqqr2FmX5s.exe
    3⤵
    PID:8060
- - C:\Users\Admin\Documents\kbm8FrOgRa2pr0qqqr2FmX5s.exe
    C:\Users\Admin\Documents\kbm8FrOgRa2pr0qqqr2FmX5s.exe
    3⤵
    PID:11788
- - C:\Users\Admin\Documents\kbm8FrOgRa2pr0qqqr2FmX5s.exe
    C:\Users\Admin\Documents\kbm8FrOgRa2pr0qqqr2FmX5s.exe
    3⤵
    PID:5528
- - C:\Users\Admin\Documents\kbm8FrOgRa2pr0qqqr2FmX5s.exe
    C:\Users\Admin\Documents\kbm8FrOgRa2pr0qqqr2FmX5s.exe
    3⤵
    PID:6420
- - C:\Users\Admin\Documents\kbm8FrOgRa2pr0qqqr2FmX5s.exe
    C:\Users\Admin\Documents\kbm8FrOgRa2pr0qqqr2FmX5s.exe
    3⤵
    PID:9012
- - C:\Users\Admin\Documents\kbm8FrOgRa2pr0qqqr2FmX5s.exe
    C:\Users\Admin\Documents\kbm8FrOgRa2pr0qqqr2FmX5s.exe
    3⤵
    PID:4660
- - C:\Users\Admin\Documents\kbm8FrOgRa2pr0qqqr2FmX5s.exe
    C:\Users\Admin\Documents\kbm8FrOgRa2pr0qqqr2FmX5s.exe
    3⤵
    PID:14704
- - C:\Users\Admin\Documents\kbm8FrOgRa2pr0qqqr2FmX5s.exe
    C:\Users\Admin\Documents\kbm8FrOgRa2pr0qqqr2FmX5s.exe
    3⤵
    PID:12080
- - C:\Users\Admin\Documents\kbm8FrOgRa2pr0qqqr2FmX5s.exe
    C:\Users\Admin\Documents\kbm8FrOgRa2pr0qqqr2FmX5s.exe
    3⤵
    PID:15208
- - C:\Users\Admin\Documents\kbm8FrOgRa2pr0qqqr2FmX5s.exe
    C:\Users\Admin\Documents\kbm8FrOgRa2pr0qqqr2FmX5s.exe
    3⤵
    PID:11528
- - C:\Users\Admin\Documents\kbm8FrOgRa2pr0qqqr2FmX5s.exe
    C:\Users\Admin\Documents\kbm8FrOgRa2pr0qqqr2FmX5s.exe
    3⤵
    PID:8800
- - C:\Users\Admin\Documents\kbm8FrOgRa2pr0qqqr2FmX5s.exe
    C:\Users\Admin\Documents\kbm8FrOgRa2pr0qqqr2FmX5s.exe
    3⤵
    PID:16044
- - C:\Users\Admin\Documents\kbm8FrOgRa2pr0qqqr2FmX5s.exe
    C:\Users\Admin\Documents\kbm8FrOgRa2pr0qqqr2FmX5s.exe
    3⤵
    PID:16596
- - C:\Users\Admin\Documents\kbm8FrOgRa2pr0qqqr2FmX5s.exe
    C:\Users\Admin\Documents\kbm8FrOgRa2pr0qqqr2FmX5s.exe
    3⤵
    PID:10164
- - C:\Users\Admin\Documents\kbm8FrOgRa2pr0qqqr2FmX5s.exe
    C:\Users\Admin\Documents\kbm8FrOgRa2pr0qqqr2FmX5s.exe
    3⤵
    PID:17008
- - C:\Users\Admin\Documents\kbm8FrOgRa2pr0qqqr2FmX5s.exe
    C:\Users\Admin\Documents\kbm8FrOgRa2pr0qqqr2FmX5s.exe
    3⤵
    PID:16464
- - C:\Users\Admin\Documents\kbm8FrOgRa2pr0qqqr2FmX5s.exe
    C:\Users\Admin\Documents\kbm8FrOgRa2pr0qqqr2FmX5s.exe
    3⤵
    PID:8440
- - C:\Users\Admin\Documents\kbm8FrOgRa2pr0qqqr2FmX5s.exe
    C:\Users\Admin\Documents\kbm8FrOgRa2pr0qqqr2FmX5s.exe
    3⤵
    PID:13372
- - C:\Users\Admin\Documents\kbm8FrOgRa2pr0qqqr2FmX5s.exe
    C:\Users\Admin\Documents\kbm8FrOgRa2pr0qqqr2FmX5s.exe
    3⤵
    PID:17744
- - C:\Users\Admin\Documents\kbm8FrOgRa2pr0qqqr2FmX5s.exe
    C:\Users\Admin\Documents\kbm8FrOgRa2pr0qqqr2FmX5s.exe
    3⤵
    PID:18192
- - C:\Users\Admin\Documents\kbm8FrOgRa2pr0qqqr2FmX5s.exe
    C:\Users\Admin\Documents\kbm8FrOgRa2pr0qqqr2FmX5s.exe
    3⤵
    PID:14668
- - C:\Users\Admin\Documents\kbm8FrOgRa2pr0qqqr2FmX5s.exe
    C:\Users\Admin\Documents\kbm8FrOgRa2pr0qqqr2FmX5s.exe
    3⤵
    PID:18356
- - C:\Users\Admin\Documents\kbm8FrOgRa2pr0qqqr2FmX5s.exe
    C:\Users\Admin\Documents\kbm8FrOgRa2pr0qqqr2FmX5s.exe
    3⤵
    PID:18748
- - C:\Users\Admin\Documents\kbm8FrOgRa2pr0qqqr2FmX5s.exe
    C:\Users\Admin\Documents\kbm8FrOgRa2pr0qqqr2FmX5s.exe
    3⤵
    PID:21156
- C:\Users\Admin\Documents\yoYXlKB42DbrbTFLXOO7pZPG.exe
  "C:\Users\Admin\Documents\yoYXlKB42DbrbTFLXOO7pZPG.exe"
  2⤵
  - Executes dropped EXE
  PID:2052
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\Documents\yoYXlKB42DbrbTFLXOO7pZPG.exe"
    3⤵
    PID:4624
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /T 10 /NOBREAK
      4⤵
      Delays execution with timeout.exe
      PID:5516
- C:\Users\Admin\Documents\rFid8eqxh2_6ncXgHoRuQbp3.exe
  "C:\Users\Admin\Documents\rFid8eqxh2_6ncXgHoRuQbp3.exe"
  2⤵
  - Executes dropped EXE
  PID:1948
- C:\Users\Admin\Documents\wFklKWIurcETuJI7h7Q_AnSY.exe
  "C:\Users\Admin\Documents\wFklKWIurcETuJI7h7Q_AnSY.exe"
  2⤵
  - Executes dropped EXE
  PID:1900
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1900 -s 240
    3⤵
    - Program crash
    PID:5948
- C:\Users\Admin\Documents\k_iudhzMsahZ07PupFLOIYCD.exe
  "C:\Users\Admin\Documents\k_iudhzMsahZ07PupFLOIYCD.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1776
- C:\Users\Admin\Documents\ocXEsiG6Uy00PKLTrBgYlsRD.exe
  "C:\Users\Admin\Documents\ocXEsiG6Uy00PKLTrBgYlsRD.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:1700
- - C:\Users\Admin\Documents\ocXEsiG6Uy00PKLTrBgYlsRD.exe
    C:\Users\Admin\Documents\ocXEsiG6Uy00PKLTrBgYlsRD.exe
    3⤵
    PID:5600
- - C:\Users\Admin\Documents\ocXEsiG6Uy00PKLTrBgYlsRD.exe
    C:\Users\Admin\Documents\ocXEsiG6Uy00PKLTrBgYlsRD.exe
    3⤵
    PID:1172
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1172 -s 28
      4⤵
      Program crash
      PID:5856
- - C:\Users\Admin\Documents\ocXEsiG6Uy00PKLTrBgYlsRD.exe
    C:\Users\Admin\Documents\ocXEsiG6Uy00PKLTrBgYlsRD.exe
    3⤵
    PID:5328
- - C:\Users\Admin\Documents\ocXEsiG6Uy00PKLTrBgYlsRD.exe
    C:\Users\Admin\Documents\ocXEsiG6Uy00PKLTrBgYlsRD.exe
    3⤵
    PID:5844
- - C:\Users\Admin\Documents\ocXEsiG6Uy00PKLTrBgYlsRD.exe
    C:\Users\Admin\Documents\ocXEsiG6Uy00PKLTrBgYlsRD.exe
    3⤵
    PID:5012
- - C:\Users\Admin\Documents\ocXEsiG6Uy00PKLTrBgYlsRD.exe
    C:\Users\Admin\Documents\ocXEsiG6Uy00PKLTrBgYlsRD.exe
    3⤵
    PID:3528
- - C:\Users\Admin\Documents\ocXEsiG6Uy00PKLTrBgYlsRD.exe
    C:\Users\Admin\Documents\ocXEsiG6Uy00PKLTrBgYlsRD.exe
    3⤵
    PID:2332
- - C:\Users\Admin\Documents\ocXEsiG6Uy00PKLTrBgYlsRD.exe
    C:\Users\Admin\Documents\ocXEsiG6Uy00PKLTrBgYlsRD.exe
    3⤵
    PID:2148
- - C:\Users\Admin\Documents\ocXEsiG6Uy00PKLTrBgYlsRD.exe
    C:\Users\Admin\Documents\ocXEsiG6Uy00PKLTrBgYlsRD.exe
    3⤵
    PID:6412
- - C:\Users\Admin\Documents\ocXEsiG6Uy00PKLTrBgYlsRD.exe
    C:\Users\Admin\Documents\ocXEsiG6Uy00PKLTrBgYlsRD.exe
    3⤵
    PID:1260
- - C:\Users\Admin\Documents\ocXEsiG6Uy00PKLTrBgYlsRD.exe
    C:\Users\Admin\Documents\ocXEsiG6Uy00PKLTrBgYlsRD.exe
    3⤵
    PID:3576
- - C:\Users\Admin\Documents\ocXEsiG6Uy00PKLTrBgYlsRD.exe
    C:\Users\Admin\Documents\ocXEsiG6Uy00PKLTrBgYlsRD.exe
    3⤵
    PID:4176
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4176 -s 28
      4⤵
      Program crash
      PID:3972
- - C:\Users\Admin\Documents\ocXEsiG6Uy00PKLTrBgYlsRD.exe
    C:\Users\Admin\Documents\ocXEsiG6Uy00PKLTrBgYlsRD.exe
    3⤵
    PID:3400
- - C:\Users\Admin\Documents\ocXEsiG6Uy00PKLTrBgYlsRD.exe
    C:\Users\Admin\Documents\ocXEsiG6Uy00PKLTrBgYlsRD.exe
    3⤵
    PID:7016
- - C:\Users\Admin\Documents\ocXEsiG6Uy00PKLTrBgYlsRD.exe
    C:\Users\Admin\Documents\ocXEsiG6Uy00PKLTrBgYlsRD.exe
    3⤵
    PID:7292
- - C:\Users\Admin\Documents\ocXEsiG6Uy00PKLTrBgYlsRD.exe
    C:\Users\Admin\Documents\ocXEsiG6Uy00PKLTrBgYlsRD.exe
    3⤵
    PID:7728
- - C:\Users\Admin\Documents\ocXEsiG6Uy00PKLTrBgYlsRD.exe
    C:\Users\Admin\Documents\ocXEsiG6Uy00PKLTrBgYlsRD.exe
    3⤵
    PID:7192
- - C:\Users\Admin\Documents\ocXEsiG6Uy00PKLTrBgYlsRD.exe
    C:\Users\Admin\Documents\ocXEsiG6Uy00PKLTrBgYlsRD.exe
    3⤵
    PID:6304
- - C:\Users\Admin\Documents\ocXEsiG6Uy00PKLTrBgYlsRD.exe
    C:\Users\Admin\Documents\ocXEsiG6Uy00PKLTrBgYlsRD.exe
    3⤵
    PID:8184
- - C:\Users\Admin\Documents\ocXEsiG6Uy00PKLTrBgYlsRD.exe
    C:\Users\Admin\Documents\ocXEsiG6Uy00PKLTrBgYlsRD.exe
    3⤵
    PID:8672
- - C:\Users\Admin\Documents\ocXEsiG6Uy00PKLTrBgYlsRD.exe
    C:\Users\Admin\Documents\ocXEsiG6Uy00PKLTrBgYlsRD.exe
    3⤵
    PID:7964
- - C:\Users\Admin\Documents\ocXEsiG6Uy00PKLTrBgYlsRD.exe
    C:\Users\Admin\Documents\ocXEsiG6Uy00PKLTrBgYlsRD.exe
    3⤵
    PID:3956
- - C:\Users\Admin\Documents\ocXEsiG6Uy00PKLTrBgYlsRD.exe
    C:\Users\Admin\Documents\ocXEsiG6Uy00PKLTrBgYlsRD.exe
    3⤵
    PID:9076
- - C:\Users\Admin\Documents\ocXEsiG6Uy00PKLTrBgYlsRD.exe
    C:\Users\Admin\Documents\ocXEsiG6Uy00PKLTrBgYlsRD.exe
    3⤵
    PID:9488
- - C:\Users\Admin\Documents\ocXEsiG6Uy00PKLTrBgYlsRD.exe
    C:\Users\Admin\Documents\ocXEsiG6Uy00PKLTrBgYlsRD.exe
    3⤵
    PID:9124
- - C:\Users\Admin\Documents\ocXEsiG6Uy00PKLTrBgYlsRD.exe
    C:\Users\Admin\Documents\ocXEsiG6Uy00PKLTrBgYlsRD.exe
    3⤵
    PID:3248
- - C:\Users\Admin\Documents\ocXEsiG6Uy00PKLTrBgYlsRD.exe
    C:\Users\Admin\Documents\ocXEsiG6Uy00PKLTrBgYlsRD.exe
    3⤵
    PID:8392
- - C:\Users\Admin\Documents\ocXEsiG6Uy00PKLTrBgYlsRD.exe
    C:\Users\Admin\Documents\ocXEsiG6Uy00PKLTrBgYlsRD.exe
    3⤵
    PID:10312
- - C:\Users\Admin\Documents\ocXEsiG6Uy00PKLTrBgYlsRD.exe
    C:\Users\Admin\Documents\ocXEsiG6Uy00PKLTrBgYlsRD.exe
    3⤵
    PID:8628
- - C:\Users\Admin\Documents\ocXEsiG6Uy00PKLTrBgYlsRD.exe
    C:\Users\Admin\Documents\ocXEsiG6Uy00PKLTrBgYlsRD.exe
    3⤵
    PID:9944
- - C:\Users\Admin\Documents\ocXEsiG6Uy00PKLTrBgYlsRD.exe
    C:\Users\Admin\Documents\ocXEsiG6Uy00PKLTrBgYlsRD.exe
    3⤵
    PID:11680
- - C:\Users\Admin\Documents\ocXEsiG6Uy00PKLTrBgYlsRD.exe
    C:\Users\Admin\Documents\ocXEsiG6Uy00PKLTrBgYlsRD.exe
    3⤵
    PID:11876
- - C:\Users\Admin\Documents\ocXEsiG6Uy00PKLTrBgYlsRD.exe
    C:\Users\Admin\Documents\ocXEsiG6Uy00PKLTrBgYlsRD.exe
    3⤵
    PID:13252
- - C:\Users\Admin\Documents\ocXEsiG6Uy00PKLTrBgYlsRD.exe
    C:\Users\Admin\Documents\ocXEsiG6Uy00PKLTrBgYlsRD.exe
    3⤵
    PID:10372
- - C:\Users\Admin\Documents\ocXEsiG6Uy00PKLTrBgYlsRD.exe
    C:\Users\Admin\Documents\ocXEsiG6Uy00PKLTrBgYlsRD.exe
    3⤵
    PID:13864
- - C:\Users\Admin\Documents\ocXEsiG6Uy00PKLTrBgYlsRD.exe
    C:\Users\Admin\Documents\ocXEsiG6Uy00PKLTrBgYlsRD.exe
    3⤵
    PID:15048
- - C:\Users\Admin\Documents\ocXEsiG6Uy00PKLTrBgYlsRD.exe
    C:\Users\Admin\Documents\ocXEsiG6Uy00PKLTrBgYlsRD.exe
    3⤵
    PID:6496
- - C:\Users\Admin\Documents\ocXEsiG6Uy00PKLTrBgYlsRD.exe
    C:\Users\Admin\Documents\ocXEsiG6Uy00PKLTrBgYlsRD.exe
    3⤵
    PID:11076
- - C:\Users\Admin\Documents\ocXEsiG6Uy00PKLTrBgYlsRD.exe
    C:\Users\Admin\Documents\ocXEsiG6Uy00PKLTrBgYlsRD.exe
    3⤵
    PID:11372
- - C:\Users\Admin\Documents\ocXEsiG6Uy00PKLTrBgYlsRD.exe
    C:\Users\Admin\Documents\ocXEsiG6Uy00PKLTrBgYlsRD.exe
    3⤵
    PID:14540
- - C:\Users\Admin\Documents\ocXEsiG6Uy00PKLTrBgYlsRD.exe
    C:\Users\Admin\Documents\ocXEsiG6Uy00PKLTrBgYlsRD.exe
    3⤵
    PID:10676
- - C:\Users\Admin\Documents\ocXEsiG6Uy00PKLTrBgYlsRD.exe
    C:\Users\Admin\Documents\ocXEsiG6Uy00PKLTrBgYlsRD.exe
    3⤵
    PID:16048
- - C:\Users\Admin\Documents\ocXEsiG6Uy00PKLTrBgYlsRD.exe
    C:\Users\Admin\Documents\ocXEsiG6Uy00PKLTrBgYlsRD.exe
    3⤵
    PID:10340
- - C:\Users\Admin\Documents\ocXEsiG6Uy00PKLTrBgYlsRD.exe
    C:\Users\Admin\Documents\ocXEsiG6Uy00PKLTrBgYlsRD.exe
    3⤵
    PID:13204
- - C:\Users\Admin\Documents\ocXEsiG6Uy00PKLTrBgYlsRD.exe
    C:\Users\Admin\Documents\ocXEsiG6Uy00PKLTrBgYlsRD.exe
    3⤵
    PID:14872
- - C:\Users\Admin\Documents\ocXEsiG6Uy00PKLTrBgYlsRD.exe
    C:\Users\Admin\Documents\ocXEsiG6Uy00PKLTrBgYlsRD.exe
    3⤵
    PID:9688
- - C:\Users\Admin\Documents\ocXEsiG6Uy00PKLTrBgYlsRD.exe
    C:\Users\Admin\Documents\ocXEsiG6Uy00PKLTrBgYlsRD.exe
    3⤵
    PID:17168
- - C:\Users\Admin\Documents\ocXEsiG6Uy00PKLTrBgYlsRD.exe
    C:\Users\Admin\Documents\ocXEsiG6Uy00PKLTrBgYlsRD.exe
    3⤵
    PID:11744
- - C:\Users\Admin\Documents\ocXEsiG6Uy00PKLTrBgYlsRD.exe
    C:\Users\Admin\Documents\ocXEsiG6Uy00PKLTrBgYlsRD.exe
    3⤵
    PID:11040
- - C:\Users\Admin\Documents\ocXEsiG6Uy00PKLTrBgYlsRD.exe
    C:\Users\Admin\Documents\ocXEsiG6Uy00PKLTrBgYlsRD.exe
    3⤵
    PID:19612
- - C:\Users\Admin\Documents\ocXEsiG6Uy00PKLTrBgYlsRD.exe
    C:\Users\Admin\Documents\ocXEsiG6Uy00PKLTrBgYlsRD.exe
    3⤵
    PID:19552
- - C:\Users\Admin\Documents\ocXEsiG6Uy00PKLTrBgYlsRD.exe
    C:\Users\Admin\Documents\ocXEsiG6Uy00PKLTrBgYlsRD.exe
    3⤵
    PID:15216
- - C:\Users\Admin\Documents\ocXEsiG6Uy00PKLTrBgYlsRD.exe
    C:\Users\Admin\Documents\ocXEsiG6Uy00PKLTrBgYlsRD.exe
    3⤵
    PID:20144
- C:\Users\Admin\Documents\EwrnAR12s7124MuWC9HvJtC7.exe
  "C:\Users\Admin\Documents\EwrnAR12s7124MuWC9HvJtC7.exe"
  2⤵
  - Executes dropped EXE
  PID:556
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\KBAvfsr.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\KBAvfsr.exe"
    3⤵
    - Executes dropped EXE
    PID:1176
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1176 -s 280
      4⤵
      Program crash
      PID:3824
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\FkDS8ej.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\FkDS8ej.exe"
    3⤵
    PID:9860
- C:\Users\Admin\Documents\jJYTRq_a0Uw6sPcrZPyVBrkK.exe
  "C:\Users\Admin\Documents\jJYTRq_a0Uw6sPcrZPyVBrkK.exe"
  2⤵
  - Executes dropped EXE
  PID:916
- - C:\Users\Admin\Documents\jJYTRq_a0Uw6sPcrZPyVBrkK.exe
    "C:\Users\Admin\Documents\jJYTRq_a0Uw6sPcrZPyVBrkK.exe" -u
    3⤵
    - Executes dropped EXE
    PID:5184
- C:\Users\Admin\Documents\P1JimHu82POwTYdQ1oRmeYHT.exe
  "C:\Users\Admin\Documents\P1JimHu82POwTYdQ1oRmeYHT.exe"
  2⤵
  - Executes dropped EXE
  PID:3528
- - C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\System32\mshta.exe" VbsCrIPt: cLOSe( CREAteobjecT ("wScRiPT.ShElL" ).RUN ( "C:\Windows\system32\cmd.exe /C tYpe ""C:\Users\Admin\Documents\P1JimHu82POwTYdQ1oRmeYHT.exe"" > IQ0V_Fe_.eXE && StaRt IQ0v_FE_.ExE -poRsuYEMryiLi & if """"== """" for %m in ( ""C:\Users\Admin\Documents\P1JimHu82POwTYdQ1oRmeYHT.exe"" ) do taskkill /iM ""%~NXm"" -F" ,0 , TRUE ))
    3⤵
    PID:2528
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /C tYpe "C:\Users\Admin\Documents\P1JimHu82POwTYdQ1oRmeYHT.exe" > IQ0V_Fe_.eXE && StaRt IQ0v_FE_.ExE -poRsuYEMryiLi& if ""== "" for %m in ("C:\Users\Admin\Documents\P1JimHu82POwTYdQ1oRmeYHT.exe" ) do taskkill /iM "%~NXm" -F
      4⤵
      PID:3908
    - - C:\Users\Admin\AppData\Local\Temp\IQ0V_Fe_.eXE
        
        IQ0v_FE_.ExE -poRsuYEMryiLi
        5⤵
        
        PID:5876
      - C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" VbsCrIPt: cLOSe( CREAteobjecT ("wScRiPT.ShElL" ).RUN ( "C:\Windows\system32\cmd.exe /C tYpe ""C:\Users\Admin\AppData\Local\Temp\IQ0V_Fe_.eXE"" > IQ0V_Fe_.eXE && StaRt IQ0v_FE_.ExE -poRsuYEMryiLi & if ""-poRsuYEMryiLi""== """" for %m in ( ""C:\Users\Admin\AppData\Local\Temp\IQ0V_Fe_.eXE"" ) do taskkill /iM ""%~NXm"" -F" ,0 , TRUE ))
        6⤵
        
        PID:6136
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /C tYpe "C:\Users\Admin\AppData\Local\Temp\IQ0V_Fe_.eXE" > IQ0V_Fe_.eXE && StaRt IQ0v_FE_.ExE -poRsuYEMryiLi& if "-poRsuYEMryiLi"== "" for %m in ("C:\Users\Admin\AppData\Local\Temp\IQ0V_Fe_.eXE" ) do taskkill /iM "%~NXm" -F
        7⤵
        
        PID:5220
      - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" VHTDDahA.G,XBvVyh
        6⤵
        
        PID:6468
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /iM "P1JimHu82POwTYdQ1oRmeYHT.exe" -F
        5⤵
        Kills process with taskkill
        
        PID:4308
- C:\Users\Admin\Documents\flU5F_dQqxfF0Ni8QAnd3XVh.exe
  "C:\Users\Admin\Documents\flU5F_dQqxfF0Ni8QAnd3XVh.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4780
- - C:\Users\Admin\AppData\Roaming\7090392.exe
    "C:\Users\Admin\AppData\Roaming\7090392.exe"
    3⤵
    - Executes dropped EXE
    PID:5736
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 5736 -s 2336
      4⤵
      Program crash
      PID:7240
- - C:\Users\Admin\AppData\Roaming\8626080.exe
    "C:\Users\Admin\AppData\Roaming\8626080.exe"
    3⤵
    - Executes dropped EXE
    PID:5828
  - - C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
      "C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
      4⤵
      PID:1036
- - C:\Users\Admin\AppData\Roaming\6759255.exe
    "C:\Users\Admin\AppData\Roaming\6759255.exe"
    3⤵
    PID:5928
- - C:\Users\Admin\AppData\Roaming\2021990.exe
    "C:\Users\Admin\AppData\Roaming\2021990.exe"
    3⤵
    PID:6072
- - C:\Users\Admin\AppData\Roaming\6593687.exe
    "C:\Users\Admin\AppData\Roaming\6593687.exe"
    3⤵
    PID:3600
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3600 -s 2468
      4⤵
      Program crash
      PID:7036
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3600 -s 2468
      4⤵
      Program crash
      PID:560
- C:\Users\Admin\Documents\r4_q6Dohc0OXEbQDRCYNsrDH.exe
  "C:\Users\Admin\Documents\r4_q6Dohc0OXEbQDRCYNsrDH.exe"
  2⤵
  - Executes dropped EXE
  PID:2272
- - C:\Users\Admin\AppData\Local\Temp\is-UUPK1.tmp\r4_q6Dohc0OXEbQDRCYNsrDH.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-UUPK1.tmp\r4_q6Dohc0OXEbQDRCYNsrDH.tmp" /SL5="$102D0,138429,56832,C:\Users\Admin\Documents\r4_q6Dohc0OXEbQDRCYNsrDH.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1020
  - - C:\Users\Admin\AppData\Local\Temp\is-AA7VG.tmp\Setup.exe
      "C:\Users\Admin\AppData\Local\Temp\is-AA7VG.tmp\Setup.exe" /Verysilent
      4⤵
      PID:3552
    - - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        5⤵
        
        PID:1068
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:1372
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:6704
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:1444
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:7876
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:7464
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:5920
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:7240
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:9064
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:8092
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:5292
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:9128
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:8896
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:2284
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:588
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:8588
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:660
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:10060
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:10960
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:10880
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:2932
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:8924
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:11204
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:10496
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:11700
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:1180
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:12800
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:12080
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:13504
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:14304
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:12732
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:14712
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:13996
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:3180
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:1104
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:15148
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:16072
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:15908
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:17044
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:8404
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:3904
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:16276
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:17000
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:12668
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:14844
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:15964
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:12848
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:18768
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:20276
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:19184
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:15108
    - - C:\Program Files (x86)\SmartPDF\SmartPDF\lg.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\lg.exe"
        5⤵
        
        PID:6612
      - C:\Program Files (x86)\SmartPDF\SmartPDF\lg.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\lg.exe" -a
        6⤵
        
        PID:4676
    - - C:\Program Files (x86)\SmartPDF\SmartPDF\LivelyScreenRecS3.0.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\LivelyScreenRecS3.0.exe"
        5⤵
        
        PID:4468
      - C:\Users\Admin\AppData\Local\Temp\tmp1019_tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp1019_tmp.exe"
        6⤵
        
        PID:5140
        
        C:\Windows\SysWOW64\dllhost.exe
        
        dllhost.exe
        7⤵
        
        PID:8008
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c cmd < Pei.xll
        7⤵
        
        PID:5332
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd
        8⤵
        
        PID:8848
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /V /R "^HlGEvpOWJOEhLjtMCMDsxiaRDGubGurupaMHjGXUgfrcGybsXUFbdIsmSOwQrdfCLnrzmbAVPJrtrXlnpOAMBGPBqjObFuRXZBJowtRmxKIHEjcVEDHgPDwyIBahIedISyy$" Passa.xll
        9⤵
        
        PID:5960
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost
        9⤵
        Runs ping.exe
        
        PID:11044
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tra.exe.com
        
        Tra.exe.com o
        9⤵
        
        PID:10788
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tra.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tra.exe.com o
        10⤵
        
        PID:9712
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tra.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tra.exe.com o
        11⤵
        
        PID:9096
    - - C:\Program Files (x86)\SmartPDF\SmartPDF\note866.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\note866.exe"
        5⤵
        
        PID:3060
    - - C:\Program Files (x86)\SmartPDF\SmartPDF\PBrowFile15.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\PBrowFile15.exe"
        5⤵
        
        PID:1272
      - C:\Users\Admin\AppData\Roaming\7028753.exe
        
        "C:\Users\Admin\AppData\Roaming\7028753.exe"
        6⤵
        
        PID:8048
      - C:\Users\Admin\AppData\Roaming\1029792.exe
        
        "C:\Users\Admin\AppData\Roaming\1029792.exe"
        6⤵
        
        PID:7844
      - C:\Users\Admin\AppData\Roaming\7806709.exe
        
        "C:\Users\Admin\AppData\Roaming\7806709.exe"
        6⤵
        
        PID:7780
      - C:\Users\Admin\AppData\Roaming\7276330.exe
        
        "C:\Users\Admin\AppData\Roaming\7276330.exe"
        6⤵
        
        PID:2944
      - C:\Users\Admin\AppData\Roaming\8672240.exe
        
        "C:\Users\Admin\AppData\Roaming\8672240.exe"
        6⤵
        
        PID:4592
    - - C:\Program Files (x86)\SmartPDF\SmartPDF\9840432e051a6fa1192594db02b80a4c1fd73456.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\9840432e051a6fa1192594db02b80a4c1fd73456.exe"
        5⤵
        
        PID:6456
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Program Files (x86)\SmartPDF\SmartPDF\9840432e051a6fa1192594db02b80a4c1fd73456.exe"
        6⤵
        
        PID:8028
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /T 10 /NOBREAK
        7⤵
        Delays execution with timeout.exe
        
        PID:6792
    - - C:\Program Files (x86)\SmartPDF\SmartPDF\stats.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\stats.exe" /Verysilent
        5⤵
        
        PID:6816

C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv s9ow2ZnxgkmeCPE2P2qAzQ.0.2
1⤵
- Modifies data under HKEY_USERS
PID:2928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4904 -ip 4904
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:1696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4896 -ip 4896
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:2568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 2164 -ip 2164
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Executes dropped EXE
PID:1432

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
1⤵
PID:3720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 1172 -ip 1172
1⤵
PID:5636

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:5244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1900 -ip 1900
1⤵
PID:5720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3048 -ip 3048
1⤵
PID:4248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 5940 -ip 5940
1⤵
PID:5152

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:2872
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  2⤵
  PID:4068
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4068 -s 452
    3⤵
    - Program crash
    PID:6768
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4068 -s 452
    3⤵
    - Program crash
    PID:6796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4068 -ip 4068
1⤵
PID:4952

C:\Users\Admin\AppData\Local\Temp\89C2.exe
C:\Users\Admin\AppData\Local\Temp\89C2.exe
1⤵
PID:1180
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1180 -s 280
  2⤵
  - Program crash
  PID:6176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 5284 -ip 5284
1⤵
PID:4300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 1180 -ip 1180
1⤵
PID:6880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 7160 -ip 7160
1⤵
PID:6760

C:\Users\Admin\AppData\Local\Temp\is-LPCDC.tmp\stats.tmp
"C:\Users\Admin\AppData\Local\Temp\is-LPCDC.tmp\stats.tmp" /SL5="$20388,138429,56832,C:\Program Files (x86)\SmartPDF\SmartPDF\stats.exe" /Verysilent
1⤵
PID:3932
- C:\Users\Admin\AppData\Local\Temp\is-E99C0.tmp\Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\is-E99C0.tmp\Setup.exe" /Verysilent
  2⤵
  PID:8356
- - C:\Users\Admin\Documents\M43yt7yvORZpSgENeHeN5f8u.exe
    "C:\Users\Admin\Documents\M43yt7yvORZpSgENeHeN5f8u.exe"
    3⤵
    PID:4360
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4360 -s 272
      4⤵
      Program crash
      PID:9596
- - C:\Users\Admin\Documents\Xzwnc3Mh7lZd4AbE2llMLvEn.exe
    "C:\Users\Admin\Documents\Xzwnc3Mh7lZd4AbE2llMLvEn.exe"
    3⤵
    PID:5456
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5456 -s 240
      4⤵
      Program crash
      PID:11168
- - C:\Users\Admin\Documents\fJ9mKVhCgbcLPKjf76Ve9Xws.exe
    "C:\Users\Admin\Documents\fJ9mKVhCgbcLPKjf76Ve9Xws.exe"
    3⤵
    PID:2260
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\KBAvfsr.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX1\KBAvfsr.exe"
      4⤵
      PID:3076
- - C:\Users\Admin\Documents\aWRXR373AL0FYKn1wRKUi3ih.exe
    "C:\Users\Admin\Documents\aWRXR373AL0FYKn1wRKUi3ih.exe"
    3⤵
    PID:5132
  - - C:\Users\Admin\Documents\aWRXR373AL0FYKn1wRKUi3ih.exe
      "C:\Users\Admin\Documents\aWRXR373AL0FYKn1wRKUi3ih.exe"
      4⤵
      PID:11864
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 11864 -s 1612
        5⤵
        Program crash
        
        PID:14784
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 11864 -s 1612
        5⤵
        Program crash
        
        PID:14996
- - C:\Users\Admin\Documents\epkzjELMSZM9mkm8kRBhQeYK.exe
    "C:\Users\Admin\Documents\epkzjELMSZM9mkm8kRBhQeYK.exe"
    3⤵
    PID:5464
- - C:\Users\Admin\Documents\XKpodsWYveUcNoDT40WrYt9b.exe
    "C:\Users\Admin\Documents\XKpodsWYveUcNoDT40WrYt9b.exe"
    3⤵
    PID:5492
- - C:\Users\Admin\Documents\qwCLRk3o6Udm9kYuAONApmiP.exe
    "C:\Users\Admin\Documents\qwCLRk3o6Udm9kYuAONApmiP.exe"
    3⤵
    PID:1192
  - - C:\Users\Admin\Documents\qwCLRk3o6Udm9kYuAONApmiP.exe
      C:\Users\Admin\Documents\qwCLRk3o6Udm9kYuAONApmiP.exe
      4⤵
      PID:8408
  - - C:\Users\Admin\Documents\qwCLRk3o6Udm9kYuAONApmiP.exe
      C:\Users\Admin\Documents\qwCLRk3o6Udm9kYuAONApmiP.exe
      4⤵
      PID:8604
  - - C:\Users\Admin\Documents\qwCLRk3o6Udm9kYuAONApmiP.exe
      C:\Users\Admin\Documents\qwCLRk3o6Udm9kYuAONApmiP.exe
      4⤵
      PID:2408
  - - C:\Users\Admin\Documents\qwCLRk3o6Udm9kYuAONApmiP.exe
      C:\Users\Admin\Documents\qwCLRk3o6Udm9kYuAONApmiP.exe
      4⤵
      PID:11964
  - - C:\Users\Admin\Documents\qwCLRk3o6Udm9kYuAONApmiP.exe
      C:\Users\Admin\Documents\qwCLRk3o6Udm9kYuAONApmiP.exe
      4⤵
      PID:8624
  - - C:\Users\Admin\Documents\qwCLRk3o6Udm9kYuAONApmiP.exe
      C:\Users\Admin\Documents\qwCLRk3o6Udm9kYuAONApmiP.exe
      4⤵
      PID:8712
  - - C:\Users\Admin\Documents\qwCLRk3o6Udm9kYuAONApmiP.exe
      C:\Users\Admin\Documents\qwCLRk3o6Udm9kYuAONApmiP.exe
      4⤵
      PID:10368
  - - C:\Users\Admin\Documents\qwCLRk3o6Udm9kYuAONApmiP.exe
      C:\Users\Admin\Documents\qwCLRk3o6Udm9kYuAONApmiP.exe
      4⤵
      PID:13588
  - - C:\Users\Admin\Documents\qwCLRk3o6Udm9kYuAONApmiP.exe
      C:\Users\Admin\Documents\qwCLRk3o6Udm9kYuAONApmiP.exe
      4⤵
      PID:13384
  - - C:\Users\Admin\Documents\qwCLRk3o6Udm9kYuAONApmiP.exe
      C:\Users\Admin\Documents\qwCLRk3o6Udm9kYuAONApmiP.exe
      4⤵
      PID:8460
  - - C:\Users\Admin\Documents\qwCLRk3o6Udm9kYuAONApmiP.exe
      C:\Users\Admin\Documents\qwCLRk3o6Udm9kYuAONApmiP.exe
      4⤵
      PID:10108
  - - C:\Users\Admin\Documents\qwCLRk3o6Udm9kYuAONApmiP.exe
      C:\Users\Admin\Documents\qwCLRk3o6Udm9kYuAONApmiP.exe
      4⤵
      PID:14868
  - - C:\Users\Admin\Documents\qwCLRk3o6Udm9kYuAONApmiP.exe
      C:\Users\Admin\Documents\qwCLRk3o6Udm9kYuAONApmiP.exe
      4⤵
      PID:14208
  - - C:\Users\Admin\Documents\qwCLRk3o6Udm9kYuAONApmiP.exe
      C:\Users\Admin\Documents\qwCLRk3o6Udm9kYuAONApmiP.exe
      4⤵
      PID:12856
  - - C:\Users\Admin\Documents\qwCLRk3o6Udm9kYuAONApmiP.exe
      C:\Users\Admin\Documents\qwCLRk3o6Udm9kYuAONApmiP.exe
      4⤵
      PID:6500
  - - C:\Users\Admin\Documents\qwCLRk3o6Udm9kYuAONApmiP.exe
      C:\Users\Admin\Documents\qwCLRk3o6Udm9kYuAONApmiP.exe
      4⤵
      PID:12280
  - - C:\Users\Admin\Documents\qwCLRk3o6Udm9kYuAONApmiP.exe
      C:\Users\Admin\Documents\qwCLRk3o6Udm9kYuAONApmiP.exe
      4⤵
      PID:10248
  - - C:\Users\Admin\Documents\qwCLRk3o6Udm9kYuAONApmiP.exe
      C:\Users\Admin\Documents\qwCLRk3o6Udm9kYuAONApmiP.exe
      4⤵
      PID:17032
  - - C:\Users\Admin\Documents\qwCLRk3o6Udm9kYuAONApmiP.exe
      C:\Users\Admin\Documents\qwCLRk3o6Udm9kYuAONApmiP.exe
      4⤵
      PID:16460
  - - C:\Users\Admin\Documents\qwCLRk3o6Udm9kYuAONApmiP.exe
      C:\Users\Admin\Documents\qwCLRk3o6Udm9kYuAONApmiP.exe
      4⤵
      PID:12236
  - - C:\Users\Admin\Documents\qwCLRk3o6Udm9kYuAONApmiP.exe
      C:\Users\Admin\Documents\qwCLRk3o6Udm9kYuAONApmiP.exe
      4⤵
      PID:17244
  - - C:\Users\Admin\Documents\qwCLRk3o6Udm9kYuAONApmiP.exe
      C:\Users\Admin\Documents\qwCLRk3o6Udm9kYuAONApmiP.exe
      4⤵
      PID:18000
  - - C:\Users\Admin\Documents\qwCLRk3o6Udm9kYuAONApmiP.exe
      C:\Users\Admin\Documents\qwCLRk3o6Udm9kYuAONApmiP.exe
      4⤵
      PID:11584
  - - C:\Users\Admin\Documents\qwCLRk3o6Udm9kYuAONApmiP.exe
      C:\Users\Admin\Documents\qwCLRk3o6Udm9kYuAONApmiP.exe
      4⤵
      PID:17516
  - - C:\Users\Admin\Documents\qwCLRk3o6Udm9kYuAONApmiP.exe
      C:\Users\Admin\Documents\qwCLRk3o6Udm9kYuAONApmiP.exe
      4⤵
      PID:18912
  - - C:\Users\Admin\Documents\qwCLRk3o6Udm9kYuAONApmiP.exe
      C:\Users\Admin\Documents\qwCLRk3o6Udm9kYuAONApmiP.exe
      4⤵
      PID:15480
  - - C:\Users\Admin\Documents\qwCLRk3o6Udm9kYuAONApmiP.exe
      C:\Users\Admin\Documents\qwCLRk3o6Udm9kYuAONApmiP.exe
      4⤵
      PID:21008
- - C:\Users\Admin\Documents\EecAGSJZjXgUns4uNZiIlzzv.exe
    "C:\Users\Admin\Documents\EecAGSJZjXgUns4uNZiIlzzv.exe"
    3⤵
    PID:4476
  - - C:\Users\Admin\Documents\EecAGSJZjXgUns4uNZiIlzzv.exe
      "C:\Users\Admin\Documents\EecAGSJZjXgUns4uNZiIlzzv.exe" -u
      4⤵
      PID:11080
- - C:\Users\Admin\Documents\3nNq_5268hE41cwCkeVFzvtE.exe
    "C:\Users\Admin\Documents\3nNq_5268hE41cwCkeVFzvtE.exe"
    3⤵
    PID:3552
  - - C:\Users\Admin\Documents\3nNq_5268hE41cwCkeVFzvtE.exe
      "C:\Users\Admin\Documents\3nNq_5268hE41cwCkeVFzvtE.exe"
      4⤵
      PID:9816
- - C:\Users\Admin\Documents\we_zk9INNBtZxaSE5wHGLH0M.exe
    "C:\Users\Admin\Documents\we_zk9INNBtZxaSE5wHGLH0M.exe"
    3⤵
    PID:6644
- - C:\Users\Admin\Documents\cBDEJYGZmYExTQqBHzg6Yvpd.exe
    "C:\Users\Admin\Documents\cBDEJYGZmYExTQqBHzg6Yvpd.exe"
    3⤵
    PID:9100
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\Documents\cBDEJYGZmYExTQqBHzg6Yvpd.exe"
      4⤵
      PID:14592
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /T 10 /NOBREAK
        5⤵
        Delays execution with timeout.exe
        
        PID:9168
- - C:\Users\Admin\Documents\R9v67fxXjeKQ1Ebz6_aHPree.exe
    "C:\Users\Admin\Documents\R9v67fxXjeKQ1Ebz6_aHPree.exe"
    3⤵
    PID:1804
- - C:\Users\Admin\Documents\D_jX1V5cq1733S2odnuEOXlj.exe
    "C:\Users\Admin\Documents\D_jX1V5cq1733S2odnuEOXlj.exe"
    3⤵
    PID:4404
  - - C:\Users\Admin\Documents\D_jX1V5cq1733S2odnuEOXlj.exe
      "C:\Users\Admin\Documents\D_jX1V5cq1733S2odnuEOXlj.exe"
      4⤵
      PID:13680
- - C:\Users\Admin\Documents\5smuWisogW8_2Plhi90pkmMO.exe
    "C:\Users\Admin\Documents\5smuWisogW8_2Plhi90pkmMO.exe"
    3⤵
    PID:5884
  - - C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\System32\mshta.exe" VbsCrIPt: cLOSe( CREAteobjecT ("wScRiPT.ShElL" ).RUN ( "C:\Windows\system32\cmd.exe /C tYpe ""C:\Users\Admin\Documents\5smuWisogW8_2Plhi90pkmMO.exe"" > IQ0V_Fe_.eXE && StaRt IQ0v_FE_.ExE -poRsuYEMryiLi & if """"== """" for %m in ( ""C:\Users\Admin\Documents\5smuWisogW8_2Plhi90pkmMO.exe"" ) do taskkill /iM ""%~NXm"" -F" ,0 , TRUE ))
      4⤵
      PID:1296
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /C tYpe "C:\Users\Admin\Documents\5smuWisogW8_2Plhi90pkmMO.exe" > IQ0V_Fe_.eXE && StaRt IQ0v_FE_.ExE -poRsuYEMryiLi& if ""== "" for %m in ("C:\Users\Admin\Documents\5smuWisogW8_2Plhi90pkmMO.exe" ) do taskkill /iM "%~NXm" -F
        5⤵
        
        PID:10820
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /iM "5smuWisogW8_2Plhi90pkmMO.exe" -F
        6⤵
        Kills process with taskkill
        
        PID:792
- - C:\Users\Admin\Documents\VCsHqK0yVi6fTR5dXyjBPffx.exe
    "C:\Users\Admin\Documents\VCsHqK0yVi6fTR5dXyjBPffx.exe"
    3⤵
    PID:572
- - C:\Users\Admin\Documents\S3PVSbyZphZEL7pnec8U8lld.exe
    "C:\Users\Admin\Documents\S3PVSbyZphZEL7pnec8U8lld.exe"
    3⤵
    PID:8344
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
      4⤵
      Creates scheduled task(s)
      PID:10500
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
      4⤵
      Creates scheduled task(s)
      PID:10092
- - C:\Users\Admin\Documents\JzdX0CVdU4NQLtGMMa9hzpIj.exe
    "C:\Users\Admin\Documents\JzdX0CVdU4NQLtGMMa9hzpIj.exe"
    3⤵
    PID:3940
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3940 -s 276
      4⤵
      Program crash
      PID:9652
- - C:\Users\Admin\Documents\YzHljhT0jhwdM1jymtT31Cbt.exe
    "C:\Users\Admin\Documents\YzHljhT0jhwdM1jymtT31Cbt.exe"
    3⤵
    PID:8396
  - - C:\Users\Admin\Documents\YzHljhT0jhwdM1jymtT31Cbt.exe
      C:\Users\Admin\Documents\YzHljhT0jhwdM1jymtT31Cbt.exe
      4⤵
      PID:11192
  - - C:\Users\Admin\Documents\YzHljhT0jhwdM1jymtT31Cbt.exe
      C:\Users\Admin\Documents\YzHljhT0jhwdM1jymtT31Cbt.exe
      4⤵
      PID:10596
  - - C:\Users\Admin\Documents\YzHljhT0jhwdM1jymtT31Cbt.exe
      C:\Users\Admin\Documents\YzHljhT0jhwdM1jymtT31Cbt.exe
      4⤵
      PID:9448
  - - C:\Users\Admin\Documents\YzHljhT0jhwdM1jymtT31Cbt.exe
      C:\Users\Admin\Documents\YzHljhT0jhwdM1jymtT31Cbt.exe
      4⤵
      PID:8588
  - - C:\Users\Admin\Documents\YzHljhT0jhwdM1jymtT31Cbt.exe
      C:\Users\Admin\Documents\YzHljhT0jhwdM1jymtT31Cbt.exe
      4⤵
      PID:12476
  - - C:\Users\Admin\Documents\YzHljhT0jhwdM1jymtT31Cbt.exe
      C:\Users\Admin\Documents\YzHljhT0jhwdM1jymtT31Cbt.exe
      4⤵
      PID:12712
  - - C:\Users\Admin\Documents\YzHljhT0jhwdM1jymtT31Cbt.exe
      C:\Users\Admin\Documents\YzHljhT0jhwdM1jymtT31Cbt.exe
      4⤵
      PID:5132
  - - C:\Users\Admin\Documents\YzHljhT0jhwdM1jymtT31Cbt.exe
      C:\Users\Admin\Documents\YzHljhT0jhwdM1jymtT31Cbt.exe
      4⤵
      PID:13072
  - - C:\Users\Admin\Documents\YzHljhT0jhwdM1jymtT31Cbt.exe
      C:\Users\Admin\Documents\YzHljhT0jhwdM1jymtT31Cbt.exe
      4⤵
      PID:13516
  - - C:\Users\Admin\Documents\YzHljhT0jhwdM1jymtT31Cbt.exe
      C:\Users\Admin\Documents\YzHljhT0jhwdM1jymtT31Cbt.exe
      4⤵
      PID:13460
  - - C:\Users\Admin\Documents\YzHljhT0jhwdM1jymtT31Cbt.exe
      C:\Users\Admin\Documents\YzHljhT0jhwdM1jymtT31Cbt.exe
      4⤵
      PID:12612
  - - C:\Users\Admin\Documents\YzHljhT0jhwdM1jymtT31Cbt.exe
      C:\Users\Admin\Documents\YzHljhT0jhwdM1jymtT31Cbt.exe
      4⤵
      PID:14068
  - - C:\Users\Admin\Documents\YzHljhT0jhwdM1jymtT31Cbt.exe
      C:\Users\Admin\Documents\YzHljhT0jhwdM1jymtT31Cbt.exe
      4⤵
      PID:14124
  - - C:\Users\Admin\Documents\YzHljhT0jhwdM1jymtT31Cbt.exe
      C:\Users\Admin\Documents\YzHljhT0jhwdM1jymtT31Cbt.exe
      4⤵
      PID:2168
  - - C:\Users\Admin\Documents\YzHljhT0jhwdM1jymtT31Cbt.exe
      C:\Users\Admin\Documents\YzHljhT0jhwdM1jymtT31Cbt.exe
      4⤵
      PID:14648
  - - C:\Users\Admin\Documents\YzHljhT0jhwdM1jymtT31Cbt.exe
      C:\Users\Admin\Documents\YzHljhT0jhwdM1jymtT31Cbt.exe
      4⤵
      PID:14752
  - - C:\Users\Admin\Documents\YzHljhT0jhwdM1jymtT31Cbt.exe
      C:\Users\Admin\Documents\YzHljhT0jhwdM1jymtT31Cbt.exe
      4⤵
      PID:12744
  - - C:\Users\Admin\Documents\YzHljhT0jhwdM1jymtT31Cbt.exe
      C:\Users\Admin\Documents\YzHljhT0jhwdM1jymtT31Cbt.exe
      4⤵
      PID:3180
  - - C:\Users\Admin\Documents\YzHljhT0jhwdM1jymtT31Cbt.exe
      C:\Users\Admin\Documents\YzHljhT0jhwdM1jymtT31Cbt.exe
      4⤵
      PID:9352
  - - C:\Users\Admin\Documents\YzHljhT0jhwdM1jymtT31Cbt.exe
      C:\Users\Admin\Documents\YzHljhT0jhwdM1jymtT31Cbt.exe
      4⤵
      PID:16020
  - - C:\Users\Admin\Documents\YzHljhT0jhwdM1jymtT31Cbt.exe
      C:\Users\Admin\Documents\YzHljhT0jhwdM1jymtT31Cbt.exe
      4⤵
      PID:16992
  - - C:\Users\Admin\Documents\YzHljhT0jhwdM1jymtT31Cbt.exe
      C:\Users\Admin\Documents\YzHljhT0jhwdM1jymtT31Cbt.exe
      4⤵
      PID:14696
  - - C:\Users\Admin\Documents\YzHljhT0jhwdM1jymtT31Cbt.exe
      C:\Users\Admin\Documents\YzHljhT0jhwdM1jymtT31Cbt.exe
      4⤵
      PID:8688
  - - C:\Users\Admin\Documents\YzHljhT0jhwdM1jymtT31Cbt.exe
      C:\Users\Admin\Documents\YzHljhT0jhwdM1jymtT31Cbt.exe
      4⤵
      PID:16956
  - - C:\Users\Admin\Documents\YzHljhT0jhwdM1jymtT31Cbt.exe
      C:\Users\Admin\Documents\YzHljhT0jhwdM1jymtT31Cbt.exe
      4⤵
      PID:15064
  - - C:\Users\Admin\Documents\YzHljhT0jhwdM1jymtT31Cbt.exe
      C:\Users\Admin\Documents\YzHljhT0jhwdM1jymtT31Cbt.exe
      4⤵
      PID:18840
  - - C:\Users\Admin\Documents\YzHljhT0jhwdM1jymtT31Cbt.exe
      C:\Users\Admin\Documents\YzHljhT0jhwdM1jymtT31Cbt.exe
      4⤵
      PID:22016
  - - C:\Users\Admin\Documents\YzHljhT0jhwdM1jymtT31Cbt.exe
      C:\Users\Admin\Documents\YzHljhT0jhwdM1jymtT31Cbt.exe
      4⤵
      PID:12120
  - - C:\Users\Admin\Documents\YzHljhT0jhwdM1jymtT31Cbt.exe
      C:\Users\Admin\Documents\YzHljhT0jhwdM1jymtT31Cbt.exe
      4⤵
      PID:16644
- - C:\Users\Admin\Documents\Pds43a7BeMkrMxF5U720tE5q.exe
    "C:\Users\Admin\Documents\Pds43a7BeMkrMxF5U720tE5q.exe"
    3⤵
    PID:2836
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2836 -s 280
      4⤵
      Program crash
      PID:11028
- - C:\Users\Admin\Documents\akTAcwBcI9r025gKGFrPEy8h.exe
    "C:\Users\Admin\Documents\akTAcwBcI9r025gKGFrPEy8h.exe"
    3⤵
    PID:6092
  - - C:\Users\Admin\Documents\akTAcwBcI9r025gKGFrPEy8h.exe
      C:\Users\Admin\Documents\akTAcwBcI9r025gKGFrPEy8h.exe
      4⤵
      PID:11216
  - - C:\Users\Admin\Documents\akTAcwBcI9r025gKGFrPEy8h.exe
      C:\Users\Admin\Documents\akTAcwBcI9r025gKGFrPEy8h.exe
      4⤵
      PID:6808
  - - C:\Users\Admin\Documents\akTAcwBcI9r025gKGFrPEy8h.exe
      C:\Users\Admin\Documents\akTAcwBcI9r025gKGFrPEy8h.exe
      4⤵
      PID:6372
  - - C:\Users\Admin\Documents\akTAcwBcI9r025gKGFrPEy8h.exe
      C:\Users\Admin\Documents\akTAcwBcI9r025gKGFrPEy8h.exe
      4⤵
      PID:9768
  - - C:\Users\Admin\Documents\akTAcwBcI9r025gKGFrPEy8h.exe
      C:\Users\Admin\Documents\akTAcwBcI9r025gKGFrPEy8h.exe
      4⤵
      PID:11808
  - - C:\Users\Admin\Documents\akTAcwBcI9r025gKGFrPEy8h.exe
      C:\Users\Admin\Documents\akTAcwBcI9r025gKGFrPEy8h.exe
      4⤵
      PID:11636
  - - C:\Users\Admin\Documents\akTAcwBcI9r025gKGFrPEy8h.exe
      C:\Users\Admin\Documents\akTAcwBcI9r025gKGFrPEy8h.exe
      4⤵
      PID:4928
  - - C:\Users\Admin\Documents\akTAcwBcI9r025gKGFrPEy8h.exe
      C:\Users\Admin\Documents\akTAcwBcI9r025gKGFrPEy8h.exe
      4⤵
      PID:12772
  - - C:\Users\Admin\Documents\akTAcwBcI9r025gKGFrPEy8h.exe
      C:\Users\Admin\Documents\akTAcwBcI9r025gKGFrPEy8h.exe
      4⤵
      PID:9508
  - - C:\Users\Admin\Documents\akTAcwBcI9r025gKGFrPEy8h.exe
      C:\Users\Admin\Documents\akTAcwBcI9r025gKGFrPEy8h.exe
      4⤵
      PID:12432
  - - C:\Users\Admin\Documents\akTAcwBcI9r025gKGFrPEy8h.exe
      C:\Users\Admin\Documents\akTAcwBcI9r025gKGFrPEy8h.exe
      4⤵
      PID:10272
  - - C:\Users\Admin\Documents\akTAcwBcI9r025gKGFrPEy8h.exe
      C:\Users\Admin\Documents\akTAcwBcI9r025gKGFrPEy8h.exe
      4⤵
      PID:13832
  - - C:\Users\Admin\Documents\akTAcwBcI9r025gKGFrPEy8h.exe
      C:\Users\Admin\Documents\akTAcwBcI9r025gKGFrPEy8h.exe
      4⤵
      PID:12340
  - - C:\Users\Admin\Documents\akTAcwBcI9r025gKGFrPEy8h.exe
      C:\Users\Admin\Documents\akTAcwBcI9r025gKGFrPEy8h.exe
      4⤵
      PID:7908
  - - C:\Users\Admin\Documents\akTAcwBcI9r025gKGFrPEy8h.exe
      C:\Users\Admin\Documents\akTAcwBcI9r025gKGFrPEy8h.exe
      4⤵
      PID:13500
  - - C:\Users\Admin\Documents\akTAcwBcI9r025gKGFrPEy8h.exe
      C:\Users\Admin\Documents\akTAcwBcI9r025gKGFrPEy8h.exe
      4⤵
      PID:15076
  - - C:\Users\Admin\Documents\akTAcwBcI9r025gKGFrPEy8h.exe
      C:\Users\Admin\Documents\akTAcwBcI9r025gKGFrPEy8h.exe
      4⤵
      PID:14136
  - - C:\Users\Admin\Documents\akTAcwBcI9r025gKGFrPEy8h.exe
      C:\Users\Admin\Documents\akTAcwBcI9r025gKGFrPEy8h.exe
      4⤵
      PID:9984
  - - C:\Users\Admin\Documents\akTAcwBcI9r025gKGFrPEy8h.exe
      C:\Users\Admin\Documents\akTAcwBcI9r025gKGFrPEy8h.exe
      4⤵
      PID:14708
  - - C:\Users\Admin\Documents\akTAcwBcI9r025gKGFrPEy8h.exe
      C:\Users\Admin\Documents\akTAcwBcI9r025gKGFrPEy8h.exe
      4⤵
      PID:7084
  - - C:\Users\Admin\Documents\akTAcwBcI9r025gKGFrPEy8h.exe
      C:\Users\Admin\Documents\akTAcwBcI9r025gKGFrPEy8h.exe
      4⤵
      PID:6568
  - - C:\Users\Admin\Documents\akTAcwBcI9r025gKGFrPEy8h.exe
      C:\Users\Admin\Documents\akTAcwBcI9r025gKGFrPEy8h.exe
      4⤵
      PID:10768
  - - C:\Users\Admin\Documents\akTAcwBcI9r025gKGFrPEy8h.exe
      C:\Users\Admin\Documents\akTAcwBcI9r025gKGFrPEy8h.exe
      4⤵
      PID:15348
  - - C:\Users\Admin\Documents\akTAcwBcI9r025gKGFrPEy8h.exe
      C:\Users\Admin\Documents\akTAcwBcI9r025gKGFrPEy8h.exe
      4⤵
      PID:8984
  - - C:\Users\Admin\Documents\akTAcwBcI9r025gKGFrPEy8h.exe
      C:\Users\Admin\Documents\akTAcwBcI9r025gKGFrPEy8h.exe
      4⤵
      PID:12232
  - - C:\Users\Admin\Documents\akTAcwBcI9r025gKGFrPEy8h.exe
      C:\Users\Admin\Documents\akTAcwBcI9r025gKGFrPEy8h.exe
      4⤵
      PID:16496
  - - C:\Users\Admin\Documents\akTAcwBcI9r025gKGFrPEy8h.exe
      C:\Users\Admin\Documents\akTAcwBcI9r025gKGFrPEy8h.exe
      4⤵
      PID:17040
  - - C:\Users\Admin\Documents\akTAcwBcI9r025gKGFrPEy8h.exe
      C:\Users\Admin\Documents\akTAcwBcI9r025gKGFrPEy8h.exe
      4⤵
      PID:14740
  - - C:\Users\Admin\Documents\akTAcwBcI9r025gKGFrPEy8h.exe
      C:\Users\Admin\Documents\akTAcwBcI9r025gKGFrPEy8h.exe
      4⤵
      PID:7932
  - - C:\Users\Admin\Documents\akTAcwBcI9r025gKGFrPEy8h.exe
      C:\Users\Admin\Documents\akTAcwBcI9r025gKGFrPEy8h.exe
      4⤵
      PID:8404
  - - C:\Users\Admin\Documents\akTAcwBcI9r025gKGFrPEy8h.exe
      C:\Users\Admin\Documents\akTAcwBcI9r025gKGFrPEy8h.exe
      4⤵
      PID:11676
  - - C:\Users\Admin\Documents\akTAcwBcI9r025gKGFrPEy8h.exe
      C:\Users\Admin\Documents\akTAcwBcI9r025gKGFrPEy8h.exe
      4⤵
      PID:14864
  - - C:\Users\Admin\Documents\akTAcwBcI9r025gKGFrPEy8h.exe
      C:\Users\Admin\Documents\akTAcwBcI9r025gKGFrPEy8h.exe
      4⤵
      PID:4048
  - - C:\Users\Admin\Documents\akTAcwBcI9r025gKGFrPEy8h.exe
      C:\Users\Admin\Documents\akTAcwBcI9r025gKGFrPEy8h.exe
      4⤵
      PID:15188
  - - C:\Users\Admin\Documents\akTAcwBcI9r025gKGFrPEy8h.exe
      C:\Users\Admin\Documents\akTAcwBcI9r025gKGFrPEy8h.exe
      4⤵
      PID:21992
  - - C:\Users\Admin\Documents\akTAcwBcI9r025gKGFrPEy8h.exe
      C:\Users\Admin\Documents\akTAcwBcI9r025gKGFrPEy8h.exe
      4⤵
      PID:21944
  - - C:\Users\Admin\Documents\akTAcwBcI9r025gKGFrPEy8h.exe
      C:\Users\Admin\Documents\akTAcwBcI9r025gKGFrPEy8h.exe
      4⤵
      PID:7864
  - - C:\Users\Admin\Documents\akTAcwBcI9r025gKGFrPEy8h.exe
      C:\Users\Admin\Documents\akTAcwBcI9r025gKGFrPEy8h.exe
      4⤵
      PID:21004
- - C:\Users\Admin\Documents\G2fBJesiqqt_DtWt4aqjW0i6.exe
    "C:\Users\Admin\Documents\G2fBJesiqqt_DtWt4aqjW0i6.exe"
    3⤵
    PID:7976
- - C:\Users\Admin\Documents\iNTjPQJRTj1VA4j4h8LU8GJm.exe
    "C:\Users\Admin\Documents\iNTjPQJRTj1VA4j4h8LU8GJm.exe"
    3⤵
    PID:10020
  - - C:\Users\Admin\AppData\Roaming\8626032.exe
      "C:\Users\Admin\AppData\Roaming\8626032.exe"
      4⤵
      PID:9320
  - - C:\Users\Admin\AppData\Roaming\6085661.exe
      "C:\Users\Admin\AppData\Roaming\6085661.exe"
      4⤵
      PID:9700
  - - C:\Users\Admin\AppData\Roaming\2668004.exe
      "C:\Users\Admin\AppData\Roaming\2668004.exe"
      4⤵
      PID:12012
  - - C:\Users\Admin\AppData\Roaming\8959489.exe
      "C:\Users\Admin\AppData\Roaming\8959489.exe"
      4⤵
      PID:11476
  - - C:\Users\Admin\AppData\Roaming\4484944.exe
      "C:\Users\Admin\AppData\Roaming\4484944.exe"
      4⤵
      PID:12912
- - C:\Users\Admin\Documents\PZX9N4_n8KkTB9RzDxPb6DPP.exe
    "C:\Users\Admin\Documents\PZX9N4_n8KkTB9RzDxPb6DPP.exe"
    3⤵
    PID:9228

C:\Users\Admin\AppData\Local\Temp\FB1B.exe
C:\Users\Admin\AppData\Local\Temp\FB1B.exe
1⤵
PID:6172

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:5712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4176 -ip 4176
1⤵
PID:6828

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:7808

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 568 -p 5736 -ip 5736
1⤵
PID:7580

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:7212

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:7164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 5712 -ip 5712
1⤵
PID:6768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 3600 -ip 3600
1⤵
PID:896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 6872 -ip 6872
1⤵
PID:1292

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:1216

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:7536

C:\Windows\SysWOW64\rundll32.exe
rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
1⤵
PID:4284
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4284 -s 448
  2⤵
  - Program crash
  PID:8224
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4284 -s 448
  2⤵
  - Program crash
  PID:7912

C:\Windows\system32\rUNdlL32.eXe
rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
1⤵
- Process spawned unexpected child process
PID:2900

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:7600

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:8032

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:5636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4284 -ip 4284
1⤵
PID:4084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 8480 -ip 8480
1⤵
PID:1908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1176 -ip 1176
1⤵
PID:2436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 5328 -ip 5328
1⤵
PID:7356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3940 -ip 3940
1⤵
PID:9728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 4360 -ip 4360
1⤵
PID:1296

C:\Users\Admin\AppData\Local\Temp\is-BTFJN.tmp\PZX9N4_n8KkTB9RzDxPb6DPP.tmp
"C:\Users\Admin\AppData\Local\Temp\is-BTFJN.tmp\PZX9N4_n8KkTB9RzDxPb6DPP.tmp" /SL5="$1050C,138429,56832,C:\Users\Admin\Documents\PZX9N4_n8KkTB9RzDxPb6DPP.exe"
1⤵
PID:7516
- C:\Users\Admin\AppData\Local\Temp\is-7OKB5.tmp\Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\is-7OKB5.tmp\Setup.exe" /Verysilent
  2⤵
  PID:7220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2836 -ip 2836
1⤵
PID:6052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 5456 -ip 5456
1⤵
PID:10736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 4160 -ip 4160
1⤵
PID:9920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 12248 -ip 12248
1⤵
PID:12612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 11876 -ip 11876
1⤵
PID:13244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 6420 -ip 6420
1⤵
PID:12636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 12712 -ip 12712
1⤵
PID:10464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 14068 -ip 14068
1⤵
PID:15024

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
PID:11616
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 11616 -s 452
  2⤵
  - Program crash
  PID:5064
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 11616 -s 452
  2⤵
  - Program crash
  PID:15064

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:11988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 11864 -ip 11864
1⤵
PID:15180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 11616 -ip 11616
1⤵
PID:12844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 6288 -ip 6288
1⤵
PID:2068

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Modify Existing Service

T1031

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

Remote System Discovery

T1018

System Information Discovery