redline | 1cd649ea4273fd977b6a350bfe8f3b62f1d0aee1408b9966aa3d6ad39ba5af6a

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	EDApNhLSP3FayGLSfFdkgWyH.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	EDApNhLSP3FayGLSfFdkgWyH.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	QEYomtWyXxCeE7_axl1t3De9.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	QEYomtWyXxCeE7_axl1t3De9.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Control Panel\International\Geo\Nation	Setup (16).exe

Loads dropped DLL 2 IoCs

pid	Process
4520	QqeFtxoIYtQflxAbz75Rhr8A.tmp
4520	QqeFtxoIYtQflxAbz75Rhr8A.tmp

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Themida packer 6 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral16/files/0x000100000001ab6b-159.dat	themida
behavioral16/files/0x000100000001ab6b-186.dat	themida
behavioral16/files/0x000100000001ab69-184.dat	themida
behavioral16/memory/756-214-0x0000000000D40000-0x0000000000D41000-memory.dmp	themida
behavioral16/memory/1244-209-0x0000000000E70000-0x0000000000E71000-memory.dmp	themida
behavioral16/files/0x000100000001ab69-135.dat	themida

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	EDApNhLSP3FayGLSfFdkgWyH.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	QEYomtWyXxCeE7_axl1t3De9.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 7 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
28	ipinfo.io
29	ipinfo.io
114	ip-api.com
116	ipinfo.io
117	ipinfo.io
158	ipinfo.io
559	ipinfo.io

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1244	EDApNhLSP3FayGLSfFdkgWyH.exe
756	QEYomtWyXxCeE7_axl1t3De9.exe

Suspicious use of SetThreadContext 17 IoCs

description	pid	Process	procid_target
PID 2316 set thread context of 4368	2316	c_6lHuN8TFmobKAA3crjC4jC.exe	104
PID 1104 set thread context of 4384	1104	BNEVB0teCHoFaAIeXUjRvMod.exe	188
PID 3804 set thread context of 4376	3804	SeSfuRyUsUeO_m5e3mWpxdk8.exe	196
PID 1104 set thread context of 4664	1104	BNEVB0teCHoFaAIeXUjRvMod.exe	184
PID 3804 set thread context of 4704	3804	SeSfuRyUsUeO_m5e3mWpxdk8.exe	181
PID 1104 set thread context of 4984	1104	BNEVB0teCHoFaAIeXUjRvMod.exe	110
PID 2316 set thread context of 5040	2316	c_6lHuN8TFmobKAA3crjC4jC.exe	172
PID 1104 set thread context of 4300	1104	BNEVB0teCHoFaAIeXUjRvMod.exe	169
PID 1104 set thread context of 4932	1104	BNEVB0teCHoFaAIeXUjRvMod.exe	151
PID 2316 set thread context of 5116	2316	c_6lHuN8TFmobKAA3crjC4jC.exe	149
PID 3804 set thread context of 1484	3804	SeSfuRyUsUeO_m5e3mWpxdk8.exe	115
PID 2316 set thread context of 3556	2316	c_6lHuN8TFmobKAA3crjC4jC.exe	119
PID 3804 set thread context of 4764	3804	SeSfuRyUsUeO_m5e3mWpxdk8.exe	147
PID 1104 set thread context of 2392	1104	BNEVB0teCHoFaAIeXUjRvMod.exe	120
PID 3804 set thread context of 4592	3804	SeSfuRyUsUeO_m5e3mWpxdk8.exe	121
PID 2748 set thread context of 5276	2748	RCxW58XhltwQYjJhI2dj760h.exe	129
PID 2316 set thread context of 4328	2316	c_6lHuN8TFmobKAA3crjC4jC.exe	122

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Company\NewProduct\Uninstall.exe	h4A4N8imjXdPgIqTrQzBknKe.exe
File created	C:\Program Files (x86)\Company\NewProduct\Uninstall.ini	h4A4N8imjXdPgIqTrQzBknKe.exe
File created	C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe	7g3xugEI7mMGlmMdSBMz3_SJ.exe
File opened for modification	C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe	7g3xugEI7mMGlmMdSBMz3_SJ.exe
File created	C:\Program Files\Mozilla Firefox\DotNetZip-1zsh31zf.tmp	qzi65led30zKbXdQb5iVAsmo.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\inst001.exe	h4A4N8imjXdPgIqTrQzBknKe.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\cutm3.exe	h4A4N8imjXdPgIqTrQzBknKe.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe	h4A4N8imjXdPgIqTrQzBknKe.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 40 IoCs

pid	pid_target	Process	procid_target
4888	4932	WerFault.exe
2112	3556	WerFault.exe	119
6124	3856	WerFault.exe	101
5484	6092	WerFault.exe	134
5660	5340	WerFault.exe	153
5492	2352	WerFault.exe	80
5720	3856	WerFault.exe	101
5032	4704	WerFault.exe
4884	4368	WerFault.exe	104
5812	3856	WerFault.exe	101
5924	5776	WerFault.exe	164
5424	2352	WerFault.exe	80
5156	3856	WerFault.exe	101
3148	2352	WerFault.exe	80
4144	1256	WerFault.exe	189
6344	2352	WerFault.exe	80
7680	3856	WerFault.exe	101
7828	2352	WerFault.exe	80
7504	8060	WerFault.exe	254
8172	2352	WerFault.exe	80
8576	7960	WerFault.exe	268
8512	3856	WerFault.exe	101
9148	8584	WerFault.exe	283
10140	4492	WerFault.exe	165
9636	1108	WerFault.exe	346
3632	2352	WerFault.exe	80
1924	2352	WerFault.exe	80
10832	10472	WerFault.exe	371
11416	12284	WerFault.exe	406
11984	5360	WerFault.exe	192
3692	3856	WerFault.exe	101
15080	11352	WerFault.exe	499
16212	15744	WerFault.exe	514
12880	16192	WerFault.exe	519
15372	3856	WerFault.exe	101
16932	3856	WerFault.exe	101
18348	2352	WerFault.exe	80
10668	17440	WerFault.exe	573
19116	18752	WerFault.exe	609
17164	8324	WerFault.exe	273

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	RCxW58XhltwQYjJhI2dj760h.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	RCxW58XhltwQYjJhI2dj760h.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	RCxW58XhltwQYjJhI2dj760h.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

pid	Process
3944	schtasks.exe
1480	schtasks.exe

Kills process with taskkill 4 IoCs

evasion

pid	Process
9312	taskkill.exe
16076	taskkill.exe
19684	taskkill.exe
19892	taskkill.exe

Script User-Agent 3 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	156	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	167	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	560	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3728	Setup (16).exe
3728	Setup (16).exe
3956	qzi65led30zKbXdQb5iVAsmo.exe
3956	qzi65led30zKbXdQb5iVAsmo.exe
5276	RCxW58XhltwQYjJhI2dj760h.exe
5276	RCxW58XhltwQYjJhI2dj760h.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	4068	poTZMrFN3ywsj1jMEu4un4hV.exe
Token: SeDebugPrivilege	508	gxIqD1UtCnLScok0lcdZbXST.exe
Token: SeDebugPrivilege	3956	qzi65led30zKbXdQb5iVAsmo.exe
Token: SeDebugPrivilege	1244	EDApNhLSP3FayGLSfFdkgWyH.exe
Token: SeDebugPrivilege	4376	SeSfuRyUsUeO_m5e3mWpxdk8.exe
Token: SeDebugPrivilege	756	QEYomtWyXxCeE7_axl1t3De9.exe
Token: SeDebugPrivilege	4408	fx3P0OYYJM7og5xofnjoYW2c.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4520	QqeFtxoIYtQflxAbz75Rhr8A.tmp

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3728 wrote to memory of 2748	3728	Setup (16).exe	84
PID 3728 wrote to memory of 2748	3728	Setup (16).exe	84
PID 3728 wrote to memory of 2748	3728	Setup (16).exe	84
PID 3728 wrote to memory of 4068	3728	Setup (16).exe	83
PID 3728 wrote to memory of 4068	3728	Setup (16).exe	83
PID 3728 wrote to memory of 2316	3728	Setup (16).exe	82
PID 3728 wrote to memory of 2316	3728	Setup (16).exe	82
PID 3728 wrote to memory of 2316	3728	Setup (16).exe	82
PID 3728 wrote to memory of 3488	3728	Setup (16).exe	81
PID 3728 wrote to memory of 3488	3728	Setup (16).exe	81
PID 3728 wrote to memory of 3488	3728	Setup (16).exe	81
PID 3728 wrote to memory of 2352	3728	Setup (16).exe	80
PID 3728 wrote to memory of 2352	3728	Setup (16).exe	80
PID 3728 wrote to memory of 2352	3728	Setup (16).exe	80
PID 3728 wrote to memory of 644	3728	Setup (16).exe	79
PID 3728 wrote to memory of 644	3728	Setup (16).exe	79
PID 3728 wrote to memory of 644	3728	Setup (16).exe	79
PID 3728 wrote to memory of 1244	3728	Setup (16).exe	78
PID 3728 wrote to memory of 1244	3728	Setup (16).exe	78
PID 3728 wrote to memory of 1244	3728	Setup (16).exe	78
PID 3728 wrote to memory of 1104	3728	Setup (16).exe	102
PID 3728 wrote to memory of 1104	3728	Setup (16).exe	102
PID 3728 wrote to memory of 1104	3728	Setup (16).exe	102
PID 3728 wrote to memory of 1768	3728	Setup (16).exe	99
PID 3728 wrote to memory of 1768	3728	Setup (16).exe	99
PID 3728 wrote to memory of 1768	3728	Setup (16).exe	99
PID 3728 wrote to memory of 3956	3728	Setup (16).exe	100
PID 3728 wrote to memory of 3956	3728	Setup (16).exe	100
PID 3728 wrote to memory of 3956	3728	Setup (16).exe	100
PID 3728 wrote to memory of 3856	3728	Setup (16).exe	101
PID 3728 wrote to memory of 3856	3728	Setup (16).exe	101
PID 3728 wrote to memory of 3856	3728	Setup (16).exe	101
PID 3728 wrote to memory of 2208	3728	Setup (16).exe	98
PID 3728 wrote to memory of 2208	3728	Setup (16).exe	98
PID 3728 wrote to memory of 2208	3728	Setup (16).exe	98
PID 3728 wrote to memory of 2448	3728	Setup (16).exe	96
PID 3728 wrote to memory of 2448	3728	Setup (16).exe	96
PID 3728 wrote to memory of 2504	3728	Setup (16).exe	97
PID 3728 wrote to memory of 2504	3728	Setup (16).exe	97
PID 3728 wrote to memory of 2504	3728	Setup (16).exe	97
PID 3728 wrote to memory of 748	3728	Setup (16).exe	90
PID 3728 wrote to memory of 748	3728	Setup (16).exe	90
PID 3728 wrote to memory of 748	3728	Setup (16).exe	90
PID 3728 wrote to memory of 3016	3728	Setup (16).exe	89
PID 3728 wrote to memory of 3016	3728	Setup (16).exe	89
PID 3728 wrote to memory of 3016	3728	Setup (16).exe	89
PID 3728 wrote to memory of 756	3728	Setup (16).exe	91
PID 3728 wrote to memory of 756	3728	Setup (16).exe	91
PID 3728 wrote to memory of 756	3728	Setup (16).exe	91
PID 3728 wrote to memory of 508	3728	Setup (16).exe	88
PID 3728 wrote to memory of 508	3728	Setup (16).exe	88
PID 3728 wrote to memory of 3804	3728	Setup (16).exe	87
PID 3728 wrote to memory of 3804	3728	Setup (16).exe	87
PID 3728 wrote to memory of 3804	3728	Setup (16).exe	87
PID 3728 wrote to memory of 520	3728	Setup (16).exe	86
PID 3728 wrote to memory of 520	3728	Setup (16).exe	86
PID 3728 wrote to memory of 520	3728	Setup (16).exe	86
PID 3728 wrote to memory of 3700	3728	Setup (16).exe	85
PID 3728 wrote to memory of 3700	3728	Setup (16).exe	85
PID 3728 wrote to memory of 3700	3728	Setup (16).exe	85
PID 2316 wrote to memory of 4368	2316	c_6lHuN8TFmobKAA3crjC4jC.exe	104
PID 2316 wrote to memory of 4368	2316	c_6lHuN8TFmobKAA3crjC4jC.exe	104
PID 2316 wrote to memory of 4368	2316	c_6lHuN8TFmobKAA3crjC4jC.exe	104
PID 3804 wrote to memory of 4376	3804	SeSfuRyUsUeO_m5e3mWpxdk8.exe	196

C:\Users\Admin\AppData\Local\Temp\Setup (16).exe
"C:\Users\Admin\AppData\Local\Temp\Setup (16).exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3728
- C:\Users\Admin\Documents\EDApNhLSP3FayGLSfFdkgWyH.exe
  "C:\Users\Admin\Documents\EDApNhLSP3FayGLSfFdkgWyH.exe"
  2⤵
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of AdjustPrivilegeToken
  PID:1244
- C:\Users\Admin\Documents\zc_yW3X_eqHs1F4e125_ShDU.exe
  "C:\Users\Admin\Documents\zc_yW3X_eqHs1F4e125_ShDU.exe"
  2⤵
  - Executes dropped EXE
  PID:644
- - C:\Users\Admin\Documents\zc_yW3X_eqHs1F4e125_ShDU.exe
    "C:\Users\Admin\Documents\zc_yW3X_eqHs1F4e125_ShDU.exe" -u
    3⤵
    - Executes dropped EXE
    PID:5572
- C:\Users\Admin\Documents\se0sBsiL0KgyEG4DTF_bTLp9.exe
  "C:\Users\Admin\Documents\se0sBsiL0KgyEG4DTF_bTLp9.exe"
  2⤵
  - Executes dropped EXE
  PID:2352
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2352 -s 384
    3⤵
    - Program crash
    PID:5492
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2352 -s 420
    3⤵
    - Program crash
    PID:5424
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2352 -s 364
    3⤵
    - Program crash
    PID:3148
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2352 -s 588
    3⤵
    - Program crash
    PID:6344
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2352 -s 636
    3⤵
    - Program crash
    PID:7828
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2352 -s 608
    3⤵
    - Program crash
    PID:8172
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2352 -s 692
    3⤵
    - Program crash
    PID:3632
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2352 -s 700
    3⤵
    - Program crash
    PID:1924
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2352 -s 792
    3⤵
    - Program crash
    PID:18348
- C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
  "C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe"
  2⤵
  - Executes dropped EXE
  PID:3488
- - C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4408
- - C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    3⤵
    - Executes dropped EXE
    PID:4588
- - C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    3⤵
    - Executes dropped EXE
    PID:4856
- - C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    3⤵
    - Executes dropped EXE
    PID:4900
- - C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    3⤵
    - Executes dropped EXE
    PID:212
- - C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    3⤵
    PID:6092
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 6092 -s 24
      4⤵
      Program crash
      PID:5484
- - C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    3⤵
    PID:5776
- - C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    3⤵
    PID:5592
- - C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    3⤵
    - Executes dropped EXE
    PID:5256
- - C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    3⤵
    - Executes dropped EXE
    PID:180
- - C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    3⤵
    - Executes dropped EXE
    PID:3596
- - C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    3⤵
    - Executes dropped EXE
    PID:5140
- - C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    3⤵
    PID:2296
- - C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    3⤵
    PID:2704
- - C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    3⤵
    - Executes dropped EXE
    PID:4400
- - C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    3⤵
    - Executes dropped EXE
    PID:5096
- - C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    3⤵
    PID:3284
- - C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    3⤵
    PID:5484
- - C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    3⤵
    PID:2612
- - C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    3⤵
    PID:5996
- - C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    3⤵
    PID:4144
- - C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    3⤵
    PID:6468
- - C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    3⤵
    PID:6788
- - C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    3⤵
    PID:7032
- - C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    3⤵
    PID:6436
- - C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    3⤵
    PID:5644
- - C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    3⤵
    PID:4360
- - C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    3⤵
    PID:6512
- - C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    3⤵
    PID:5844
- - C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    3⤵
    PID:7296
- - C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    3⤵
    PID:7740
- - C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    3⤵
    PID:8060
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 8060 -s 24
      4⤵
      Program crash
      PID:7504
- - C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    3⤵
    PID:7448
- - C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    3⤵
    PID:7884
- - C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    3⤵
    PID:7616
- - C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    3⤵
    PID:2088
- - C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    3⤵
    PID:8620
- - C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    3⤵
    PID:8984
- - C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    3⤵
    PID:8200
- - C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    3⤵
    PID:5948
- - C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    3⤵
    PID:5420
- - C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    3⤵
    PID:8836
- - C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    3⤵
    PID:7156
- - C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    3⤵
    PID:2388
- - C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    3⤵
    PID:5732
- - C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    3⤵
    PID:6564
- - C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    3⤵
    PID:2920
- - C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    3⤵
    PID:9424
- - C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    3⤵
    PID:9768
- - C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    3⤵
    PID:10028
- - C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    3⤵
    PID:5464
- - C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    3⤵
    PID:9908
- - C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    3⤵
    PID:9408
- - C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    3⤵
    PID:7888
- - C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    3⤵
    PID:9608
- - C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    3⤵
    PID:4920
- - C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    3⤵
    PID:9072
- - C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    3⤵
    PID:10512
- - C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    3⤵
    PID:10792
- - C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    3⤵
    PID:11212
- - C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    3⤵
    PID:10460
- - C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    3⤵
    PID:10588
- - C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    3⤵
    PID:10696
- - C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    3⤵
    PID:11372
- - C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    3⤵
    PID:11752
- - C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    3⤵
    PID:11976
- - C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    3⤵
    PID:8272
- - C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    3⤵
    PID:11576
- - C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    3⤵
    PID:1836
- - C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    3⤵
    PID:9544
- - C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    3⤵
    PID:4688
- - C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    3⤵
    PID:8940
- - C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    3⤵
    PID:12576
- - C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    3⤵
    PID:12956
- - C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    3⤵
    PID:13288
- - C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    3⤵
    PID:12892
- - C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    3⤵
    PID:3176
- - C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    3⤵
    PID:12344
- - C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    3⤵
    PID:13620
- - C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    3⤵
    PID:13972
- - C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    3⤵
    PID:14240
- - C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    3⤵
    PID:10540
- - C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    3⤵
    PID:14036
- - C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    3⤵
    PID:14064
- - C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    3⤵
    PID:14372
- - C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    3⤵
    PID:14836
- - C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    3⤵
    PID:15268
- - C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    3⤵
    PID:14824
- - C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    3⤵
    PID:12840
- - C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    3⤵
    PID:14604
- - C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    3⤵
    PID:14968
- - C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    3⤵
    PID:15612
- - C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    3⤵
    PID:16000
- - C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    3⤵
    PID:15596
- - C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    3⤵
    PID:16316
- - C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    3⤵
    PID:12156
- - C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    3⤵
    PID:13128
- - C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    3⤵
    PID:16576
- - C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    3⤵
    PID:17056
- - C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    3⤵
    PID:10520
- - C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    3⤵
    PID:13128
- - C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    3⤵
    PID:8648
- - C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    3⤵
    PID:15964
- - C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    3⤵
    PID:17848
- - C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    3⤵
    PID:18228
- - C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    3⤵
    PID:17448
- - C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    3⤵
    PID:18240
- - C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    3⤵
    PID:18828
- - C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    3⤵
    PID:19268
- - C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    3⤵
    PID:18792
- - C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    3⤵
    PID:17388
- - C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    3⤵
    PID:14740
- - C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    3⤵
    PID:11136
- - C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    3⤵
    PID:19220
- - C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    3⤵
    PID:19284
- - C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    3⤵
    PID:17464
- - C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    3⤵
    PID:19712
- - C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    3⤵
    PID:20128
- - C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    3⤵
    PID:20464
- - C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    3⤵
    PID:15848
- - C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    3⤵
    PID:20064
- - C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    3⤵
    PID:16740
- - C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    3⤵
    PID:16480
- - C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    3⤵
    PID:19308
- - C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    3⤵
    PID:20932
- - C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    3⤵
    PID:21324
- - C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    3⤵
    PID:2224
- - C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    3⤵
    PID:21476
- - C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    3⤵
    PID:18328
- - C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    3⤵
    PID:4436
- - C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    3⤵
    PID:19480
- - C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    3⤵
    PID:21796
- - C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    3⤵
    PID:22188
- - C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    3⤵
    PID:21568
- - C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    3⤵
    PID:22360
- - C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    3⤵
    PID:19504
- - C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    3⤵
    PID:16704
- - C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    3⤵
    PID:14876
- - C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    3⤵
    PID:22772
- - C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    3⤵
    PID:23124
- - C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    C:\Users\Admin\Documents\fx3P0OYYJM7og5xofnjoYW2c.exe
    3⤵
    PID:17212
- C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
  "C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2316
- - C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    3⤵
    - Executes dropped EXE
    PID:4368
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4368 -s 24
      4⤵
      Program crash
      PID:4884
- - C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    3⤵
    - Executes dropped EXE
    PID:4700
- - C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    3⤵
    - Executes dropped EXE
    PID:3556
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3556 -s 24
      4⤵
      Executes dropped EXE
      Program crash
      PID:2112
- - C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    3⤵
    - Executes dropped EXE
    PID:4328
- - C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    3⤵
    PID:5860
- - C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    3⤵
    PID:5448
- - C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    3⤵
    - Executes dropped EXE
    PID:5116
- - C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    3⤵
    PID:5340
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5340 -s 24
      4⤵
      Program crash
      PID:5660
- - C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    3⤵
    PID:4324
- - C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    3⤵
    PID:4848
- - C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    3⤵
    - Executes dropped EXE
    PID:5040
- - C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    3⤵
    PID:424
- - C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    3⤵
    - Executes dropped EXE
    PID:4648
- - C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    3⤵
    PID:3312
- - C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    3⤵
    PID:5112
- - C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    3⤵
    PID:4672
- - C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    3⤵
    PID:6316
- - C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    3⤵
    PID:6684
- - C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    3⤵
    PID:6956
- - C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    3⤵
    PID:6240
- - C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    3⤵
    PID:6732
- - C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    3⤵
    PID:3744
- - C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    3⤵
    PID:2288
- - C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    3⤵
    PID:6348
- - C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    3⤵
    PID:7492
- - C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    3⤵
    PID:7944
- - C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    3⤵
    PID:7444
- - C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    3⤵
    PID:8120
- - C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    3⤵
    PID:7960
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 7960 -s 24
      4⤵
      Program crash
      PID:8576
- - C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    3⤵
    PID:8584
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 8584 -s 24
      4⤵
      Program crash
      PID:9148
- - C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    3⤵
    PID:9140
- - C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    3⤵
    PID:8800
- - C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    3⤵
    PID:4248
- - C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    3⤵
    PID:8876
- - C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    3⤵
    PID:7404
- - C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    3⤵
    PID:7684
- - C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    3⤵
    PID:4420
- - C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    3⤵
    PID:5876
- - C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    3⤵
    PID:9536
- - C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    3⤵
    PID:9960
- - C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    3⤵
    PID:10228
- - C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    3⤵
    PID:9732
- - C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    3⤵
    PID:10104
- - C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    3⤵
    PID:1968
- - C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    3⤵
    PID:8380
- - C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    3⤵
    PID:9844
- - C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    3⤵
    PID:9304
- - C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    3⤵
    PID:10572
- - C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    3⤵
    PID:10940
- - C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    3⤵
    PID:9072
- - C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    3⤵
    PID:3316
- - C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    3⤵
    PID:2228
- - C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    3⤵
    PID:9356
- - C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    3⤵
    PID:11592
- - C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    3⤵
    PID:11932
- - C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    3⤵
    PID:12284
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 12284 -s 24
      4⤵
      Program crash
      PID:11416
- - C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    3⤵
    PID:11516
- - C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    3⤵
    PID:12236
- - C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    3⤵
    PID:12188
- - C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    3⤵
    PID:9988
- - C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    3⤵
    PID:11920
- - C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    3⤵
    PID:12740
- - C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    3⤵
    PID:13188
- - C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    3⤵
    PID:12620
- - C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    3⤵
    PID:11640
- - C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    3⤵
    PID:12920
- - C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    3⤵
    PID:13688
- - C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    3⤵
    PID:14088
- - C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    3⤵
    PID:12324
- - C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    3⤵
    PID:13584
- - C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    3⤵
    PID:14204
- - C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    3⤵
    PID:13348
- - C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    3⤵
    PID:14660
- - C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    3⤵
    PID:15168
- - C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    3⤵
    PID:14496
- - C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    3⤵
    PID:11344
- - C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    3⤵
    PID:14800
- - C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    3⤵
    PID:9664
- - C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    3⤵
    PID:15744
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 15744 -s 24
      4⤵
      Program crash
      PID:16212
- - C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    3⤵
    PID:16192
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 16192 -s 24
      4⤵
      Program crash
      PID:12880
- - C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    3⤵
    PID:5300
- - C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    3⤵
    PID:13720
- - C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    3⤵
    PID:16048
- - C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    3⤵
    PID:16420
- - C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    3⤵
    PID:17000
- - C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    3⤵
    PID:16556
- - C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    3⤵
    PID:15300
- - C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    3⤵
    PID:13812
- - C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    3⤵
    PID:17692
- - C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    3⤵
    PID:18192
- - C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    3⤵
    PID:14460
- - C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    3⤵
    PID:18424
- - C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    3⤵
    PID:19108
- - C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    3⤵
    PID:14212
- - C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    3⤵
    PID:18876
- - C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    3⤵
    PID:18752
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 18752 -s 24
      4⤵
      Program crash
      PID:19116
- - C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    3⤵
    PID:9628
- - C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    3⤵
    PID:14740
- - C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    3⤵
    PID:18968
- - C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    3⤵
    PID:19508
- - C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    3⤵
    PID:19964
- - C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    3⤵
    PID:20440
- - C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    3⤵
    PID:19896
- - C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    3⤵
    PID:19584
- - C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    3⤵
    PID:19924
- - C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    3⤵
    PID:17584
- - C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    3⤵
    PID:20788
- - C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    3⤵
    PID:21232
- - C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    3⤵
    PID:20956
- - C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    3⤵
    PID:15148
- - C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    3⤵
    PID:21052
- - C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    3⤵
    PID:20540
- - C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    3⤵
    PID:21964
- - C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    3⤵
    PID:22516
- - C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    3⤵
    PID:15592
- - C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    3⤵
    PID:6132
- - C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    3⤵
    PID:20380
- - C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    3⤵
    PID:22560
- - C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    C:\Users\Admin\Documents\c_6lHuN8TFmobKAA3crjC4jC.exe
    3⤵
    PID:23004
- C:\Users\Admin\Documents\poTZMrFN3ywsj1jMEu4un4hV.exe
  "C:\Users\Admin\Documents\poTZMrFN3ywsj1jMEu4un4hV.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4068
- C:\Users\Admin\Documents\RCxW58XhltwQYjJhI2dj760h.exe
  "C:\Users\Admin\Documents\RCxW58XhltwQYjJhI2dj760h.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:2748
- - C:\Users\Admin\Documents\RCxW58XhltwQYjJhI2dj760h.exe
    "C:\Users\Admin\Documents\RCxW58XhltwQYjJhI2dj760h.exe"
    3⤵
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    PID:5276
- C:\Users\Admin\Documents\xz0FEmFrtbrXDUHCwrebtpkP.exe
  "C:\Users\Admin\Documents\xz0FEmFrtbrXDUHCwrebtpkP.exe"
  2⤵
  - Executes dropped EXE
  PID:3700
- - C:\Users\Admin\Documents\xz0FEmFrtbrXDUHCwrebtpkP.exe
    "C:\Users\Admin\Documents\xz0FEmFrtbrXDUHCwrebtpkP.exe"
    3⤵
    PID:5360
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5360 -s 1480
      4⤵
      Program crash
      PID:11984
- C:\Users\Admin\Documents\h4A4N8imjXdPgIqTrQzBknKe.exe
  "C:\Users\Admin\Documents\h4A4N8imjXdPgIqTrQzBknKe.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:520
- - C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
    "C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"
    3⤵
    - Executes dropped EXE
    PID:5172
- - C:\Program Files (x86)\Company\NewProduct\cutm3.exe
    "C:\Program Files (x86)\Company\NewProduct\cutm3.exe"
    3⤵
    - Executes dropped EXE
    PID:4744
- - C:\Program Files (x86)\Company\NewProduct\inst001.exe
    "C:\Program Files (x86)\Company\NewProduct\inst001.exe"
    3⤵
    - Executes dropped EXE
    PID:3492
- C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
  "C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:3804
- - C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    3⤵
    - Executes dropped EXE
    PID:4736
- - C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    3⤵
    - Executes dropped EXE
    PID:1484
- - C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    3⤵
    - Executes dropped EXE
    PID:4592
- - C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    3⤵
    PID:6136
- - C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    3⤵
    PID:5724
- - C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    3⤵
    PID:5404
- - C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    3⤵
    - Executes dropped EXE
    PID:4764
- - C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    3⤵
    PID:4272
- - C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    3⤵
    PID:5776
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5776 -s 24
      4⤵
      Program crash
      PID:5924
- - C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    3⤵
    - Executes dropped EXE
    PID:4276
- - C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    3⤵
    - Executes dropped EXE
    PID:5004
- - C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    3⤵
    PID:4448
- - C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    3⤵
    - Executes dropped EXE
    PID:4704
- - C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    3⤵
    PID:1256
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1256 -s 24
      4⤵
      Program crash
      PID:4144
- - C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4376
- - C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    3⤵
    PID:5424
- - C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    3⤵
    PID:1116
- - C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    3⤵
    PID:6168
- - C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    3⤵
    PID:6516
- - C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    3⤵
    PID:6824
- - C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    3⤵
    PID:7116
- - C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    3⤵
    PID:6408
- - C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    3⤵
    PID:2548
- - C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    3⤵
    PID:6972
- - C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    3⤵
    PID:5192
- - C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    3⤵
    PID:7208
- - C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    3⤵
    PID:7632
- - C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    3⤵
    PID:8072
- - C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    3⤵
    PID:7516
- - C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    3⤵
    PID:8140
- - C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    3⤵
    PID:5564
- - C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    3⤵
    PID:8468
- - C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    3⤵
    PID:8940
- - C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    3⤵
    PID:8880
- - C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    3⤵
    PID:5244
- - C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    3⤵
    PID:8212
- - C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    3⤵
    PID:7096
- - C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    3⤵
    PID:8796
- - C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    3⤵
    PID:8788
- - C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    3⤵
    PID:744
- - C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    3⤵
    PID:5464
- - C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    3⤵
    PID:9388
- - C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    3⤵
    PID:9744
- - C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    3⤵
    PID:10012
- - C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    3⤵
    PID:9468
- - C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    3⤵
    PID:9936
- - C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    3⤵
    PID:2096
- - C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    3⤵
    PID:10088
- - C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    3⤵
    PID:8520
- - C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    3⤵
    PID:9104
- - C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    3⤵
    PID:10336
- - C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    3⤵
    PID:10636
- - C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    3⤵
    PID:11080
- - C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    3⤵
    PID:5080
- - C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    3⤵
    PID:10356
- - C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    3⤵
    PID:356
- - C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    3⤵
    PID:11356
- - C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    3⤵
    PID:11736
- - C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    3⤵
    PID:11992
- - C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    3⤵
    PID:8
- - C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    3⤵
    PID:11164
- - C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    3⤵
    PID:9992
- - C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    3⤵
    PID:1344
- - C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    3⤵
    PID:10432
- - C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    3⤵
    PID:12328
- - C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    3⤵
    PID:12804
- - C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    3⤵
    PID:13160
- - C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    3⤵
    PID:9628
- - C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    3⤵
    PID:13248
- - C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    3⤵
    PID:7160
- - C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    3⤵
    PID:13580
- - C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    3⤵
    PID:13948
- - C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    3⤵
    PID:14216
- - C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    3⤵
    PID:12764
- - C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    3⤵
    PID:13972
- - C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    3⤵
    PID:13352
- - C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    3⤵
    PID:14408
- - C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    3⤵
    PID:14912
- - C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    3⤵
    PID:15356
- - C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    3⤵
    PID:15120
- - C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    3⤵
    PID:11352
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 11352 -s 24
      4⤵
      Program crash
      PID:15080
- - C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    3⤵
    PID:15328
- - C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    3⤵
    PID:12356
- - C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    3⤵
    PID:15780
- - C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    3⤵
    PID:16288
- - C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    3⤵
    PID:15860
- - C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    3⤵
    PID:10696
- - C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    3⤵
    PID:15772
- - C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    3⤵
    PID:16456
- - C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    3⤵
    PID:17032
- - C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    3⤵
    PID:16620
- - C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    3⤵
    PID:16424
- - C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    3⤵
    PID:15552
- - C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    3⤵
    PID:17576
- - C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    3⤵
    PID:18028
- - C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    3⤵
    PID:17440
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 17440 -s 24
      4⤵
      Program crash
      PID:10668
- - C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    3⤵
    PID:18076
- - C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    3⤵
    PID:18756
- - C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    3⤵
    PID:19288
- - C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    3⤵
    PID:420
- - C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    3⤵
    PID:19112
- - C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    3⤵
    PID:1708
- - C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    3⤵
    PID:10468
- - C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    3⤵
    PID:5836
- - C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    3⤵
    PID:16656
- - C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    3⤵
    PID:19480
- - C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    3⤵
    PID:19868
- - C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    3⤵
    PID:20304
- - C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    3⤵
    PID:18972
- - C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    3⤵
    PID:6388
- - C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    3⤵
    PID:19764
- - C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    3⤵
    PID:17340
- - C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    3⤵
    PID:20604
- - C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    3⤵
    PID:21096
- - C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    3⤵
    PID:20652
- - C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    3⤵
    PID:21216
- - C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    3⤵
    PID:18824
- - C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    3⤵
    PID:19664
- - C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    3⤵
    PID:19144
- - C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    3⤵
    PID:21852
- - C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    3⤵
    PID:22332
- - C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    3⤵
    PID:21692
- - C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    3⤵
    PID:22416
- - C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    3⤵
    PID:21924
- - C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    3⤵
    PID:19908
- - C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    3⤵
    PID:22540
- - C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    3⤵
    PID:22956
- - C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    C:\Users\Admin\Documents\SeSfuRyUsUeO_m5e3mWpxdk8.exe
    3⤵
    PID:23424
- C:\Users\Admin\Documents\gxIqD1UtCnLScok0lcdZbXST.exe
  "C:\Users\Admin\Documents\gxIqD1UtCnLScok0lcdZbXST.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:508
- - C:\Users\Admin\AppData\Roaming\1949367.exe
    "C:\Users\Admin\AppData\Roaming\1949367.exe"
    3⤵
    PID:8204
- - C:\Users\Admin\AppData\Roaming\5351880.exe
    "C:\Users\Admin\AppData\Roaming\5351880.exe"
    3⤵
    PID:8324
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 8324 -s 1584
      4⤵
      Program crash
      PID:17164
- - C:\Users\Admin\AppData\Roaming\2062730.exe
    "C:\Users\Admin\AppData\Roaming\2062730.exe"
    3⤵
    PID:8296
- - C:\Users\Admin\AppData\Roaming\6407700.exe
    "C:\Users\Admin\AppData\Roaming\6407700.exe"
    3⤵
    PID:7336
  - - C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
      "C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
      4⤵
      PID:14444
- - C:\Users\Admin\AppData\Roaming\8261559.exe
    "C:\Users\Admin\AppData\Roaming\8261559.exe"
    3⤵
    PID:7676
- C:\Users\Admin\Documents\SvRJsKdqVPq_rpuOd7KF6Sat.exe
  "C:\Users\Admin\Documents\SvRJsKdqVPq_rpuOd7KF6Sat.exe"
  2⤵
  - Executes dropped EXE
  PID:3016
- - C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\System32\mshta.exe" VbsCrIPt: cLOSe( CREAteobjecT ("wScRiPT.ShElL" ).RUN ( "C:\Windows\system32\cmd.exe /C tYpe ""C:\Users\Admin\Documents\SvRJsKdqVPq_rpuOd7KF6Sat.exe"" > IQ0V_Fe_.eXE && StaRt IQ0v_FE_.ExE -poRsuYEMryiLi & if """"== """" for %m in ( ""C:\Users\Admin\Documents\SvRJsKdqVPq_rpuOd7KF6Sat.exe"" ) do taskkill /iM ""%~NXm"" -F" ,0 , TRUE ))
    3⤵
    PID:4468
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /C tYpe "C:\Users\Admin\Documents\SvRJsKdqVPq_rpuOd7KF6Sat.exe" > IQ0V_Fe_.eXE && StaRt IQ0v_FE_.ExE -poRsuYEMryiLi& if ""== "" for %m in ("C:\Users\Admin\Documents\SvRJsKdqVPq_rpuOd7KF6Sat.exe" ) do taskkill /iM "%~NXm" -F
      4⤵
      PID:7596
    - - C:\Users\Admin\AppData\Local\Temp\IQ0V_Fe_.eXE
        
        IQ0v_FE_.ExE -poRsuYEMryiLi
        5⤵
        
        PID:8668
      - C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" VbsCrIPt: cLOSe( CREAteobjecT ("wScRiPT.ShElL" ).RUN ( "C:\Windows\system32\cmd.exe /C tYpe ""C:\Users\Admin\AppData\Local\Temp\IQ0V_Fe_.eXE"" > IQ0V_Fe_.eXE && StaRt IQ0v_FE_.ExE -poRsuYEMryiLi & if ""-poRsuYEMryiLi""== """" for %m in ( ""C:\Users\Admin\AppData\Local\Temp\IQ0V_Fe_.eXE"" ) do taskkill /iM ""%~NXm"" -F" ,0 , TRUE ))
        6⤵
        
        PID:12512
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /iM "SvRJsKdqVPq_rpuOd7KF6Sat.exe" -F
        5⤵
        Kills process with taskkill
        
        PID:9312
- C:\Users\Admin\Documents\zxHs48cZqpnF979sIAwGMaFU.exe
  "C:\Users\Admin\Documents\zxHs48cZqpnF979sIAwGMaFU.exe"
  2⤵
  - Executes dropped EXE
  PID:748
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{7sPg-6KpgR-B0Vu-LFcpK}\19654477408.exe"
    3⤵
    PID:16660
  - - C:\Users\Admin\AppData\Local\Temp\{7sPg-6KpgR-B0Vu-LFcpK}\19654477408.exe
      "C:\Users\Admin\AppData\Local\Temp\{7sPg-6KpgR-B0Vu-LFcpK}\19654477408.exe"
      4⤵
      PID:16548
- C:\Users\Admin\Documents\QEYomtWyXxCeE7_axl1t3De9.exe
  "C:\Users\Admin\Documents\QEYomtWyXxCeE7_axl1t3De9.exe"
  2⤵
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of AdjustPrivilegeToken
  PID:756
- C:\Users\Admin\Documents\QXmMvw2eX2JG6N95qQd9uATv.exe
  "C:\Users\Admin\Documents\QXmMvw2eX2JG6N95qQd9uATv.exe"
  2⤵
  - Executes dropped EXE
  PID:2448
- C:\Users\Admin\Documents\J6FFN9XBDmTjgW_CQq_CHx3K.exe
  "C:\Users\Admin\Documents\J6FFN9XBDmTjgW_CQq_CHx3K.exe"
  2⤵
  - Executes dropped EXE
  PID:2504
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\KBAvfsr.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\KBAvfsr.exe"
    3⤵
    PID:4492
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4492 -s 272
      4⤵
      Program crash
      PID:10140
- C:\Users\Admin\Documents\7g3xugEI7mMGlmMdSBMz3_SJ.exe
  "C:\Users\Admin\Documents\7g3xugEI7mMGlmMdSBMz3_SJ.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:2208
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:3944
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:1480
- C:\Users\Admin\Documents\vR56gE4RzVn6ACCFNgrR_UPR.exe
  "C:\Users\Admin\Documents\vR56gE4RzVn6ACCFNgrR_UPR.exe"
  2⤵
  - Executes dropped EXE
  PID:1768
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c taskkill /im vR56gE4RzVn6ACCFNgrR_UPR.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Documents\vR56gE4RzVn6ACCFNgrR_UPR.exe" & del C:\ProgramData\*.dll & exit
    3⤵
    PID:15492
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /im vR56gE4RzVn6ACCFNgrR_UPR.exe /f
      4⤵
      Kills process with taskkill
      PID:16076
- C:\Users\Admin\Documents\qzi65led30zKbXdQb5iVAsmo.exe
  "C:\Users\Admin\Documents\qzi65led30zKbXdQb5iVAsmo.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3956
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    3⤵
    PID:7684
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe"
    3⤵
    PID:13732
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xc8,0xcc,0xd0,0xa4,0xd4,0x7ffb8fe44f50,0x7ffb8fe44f60,0x7ffb8fe44f70
      4⤵
      PID:11940
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C taskkill /F /PID 3956 && choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Documents\qzi65led30zKbXdQb5iVAsmo.exe"
    3⤵
    PID:15908
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /PID 3956
      4⤵
      Kills process with taskkill
      PID:19892
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C taskkill /F /PID 3956 && choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Documents\qzi65led30zKbXdQb5iVAsmo.exe"
    3⤵
    PID:7672
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /PID 3956
      4⤵
      Kills process with taskkill
      PID:19684
- C:\Users\Admin\Documents\BOilZYz26Ib0ko3XG70ofJmo.exe
  "C:\Users\Admin\Documents\BOilZYz26Ib0ko3XG70ofJmo.exe"
  2⤵
  - Executes dropped EXE
  PID:3856
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3856 -s 660
    3⤵
    - Program crash
    PID:6124
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3856 -s 648
    3⤵
    - Program crash
    PID:5720
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3856 -s 680
    3⤵
    - Program crash
    PID:5812
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3856 -s 656
    3⤵
    - Program crash
    PID:5156
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3856 -s 892
    3⤵
    - Program crash
    PID:7680
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3856 -s 1056
    3⤵
    - Program crash
    PID:8512
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3856 -s 716
    3⤵
    - Program crash
    PID:3692
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3856 -s 1200
    3⤵
    - Program crash
    PID:15372
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3856 -s 1316
    3⤵
    - Program crash
    PID:16932
- C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
  "C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:1104
- - C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    3⤵
    - Executes dropped EXE
    PID:4984
- - C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    3⤵
    PID:2112
- - C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    3⤵
    - Executes dropped EXE
    PID:2392
- - C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    3⤵
    PID:5140
- - C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    3⤵
    PID:5840
- - C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    3⤵
    PID:6108
- - C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    3⤵
    PID:5516
- - C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    3⤵
    - Executes dropped EXE
    PID:4932
- - C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    3⤵
    PID:5584
- - C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    3⤵
    PID:6088
- - C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    3⤵
    - Executes dropped EXE
    PID:4300
- - C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    3⤵
    PID:3732
- - C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    3⤵
    - Executes dropped EXE
    PID:4664
- - C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    3⤵
    - Executes dropped EXE
    PID:4384
- - C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    3⤵
    PID:5364
- - C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    3⤵
    PID:5692
- - C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    3⤵
    PID:4720
- - C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    3⤵
    PID:4756
- - C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    3⤵
    PID:6440
- - C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    3⤵
    PID:6804
- - C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    3⤵
    PID:7052
- - C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    3⤵
    PID:6452
- - C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    3⤵
    PID:6944
- - C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    3⤵
    PID:6724
- - C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    3⤵
    PID:2920
- - C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    3⤵
    PID:256
- - C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    3⤵
    PID:7464
- - C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    3⤵
    PID:7908
- - C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    3⤵
    PID:7288
- - C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    3⤵
    PID:7756
- - C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    3⤵
    PID:7276
- - C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    3⤵
    PID:7220
- - C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    3⤵
    PID:8676
- - C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    3⤵
    PID:9108
- - C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    3⤵
    PID:8496
- - C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    3⤵
    PID:9036
- - C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    3⤵
    PID:8512
- - C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    3⤵
    PID:8844
- - C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    3⤵
    PID:6324
- - C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    3⤵
    PID:5036
- - C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    3⤵
    PID:4924
- - C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    3⤵
    PID:9288
- - C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    3⤵
    PID:9632
- - C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    3⤵
    PID:9944
- - C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    3⤵
    PID:10176
- - C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    3⤵
    PID:9572
- - C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    3⤵
    PID:1108
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1108 -s 24
      4⤵
      Program crash
      PID:9636
- - C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    3⤵
    PID:1864
- - C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    3⤵
    PID:7788
- - C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    3⤵
    PID:4776
- - C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    3⤵
    PID:1596
- - C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    3⤵
    PID:10472
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 10472 -s 24
      4⤵
      Program crash
      PID:10832
- - C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    3⤵
    PID:10812
- - C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    3⤵
    PID:4892
- - C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    3⤵
    PID:10752
- - C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    3⤵
    PID:10628
- - C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    3⤵
    PID:11240
- - C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    3⤵
    PID:11464
- - C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    3⤵
    PID:11848
- - C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    3⤵
    PID:12172
- - C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    3⤵
    PID:11368
- - C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    3⤵
    PID:6560
- - C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    3⤵
    PID:7048
- - C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    3⤵
    PID:7840
- - C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    3⤵
    PID:908
- - C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    3⤵
    PID:12384
- - C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    3⤵
    PID:12896
- - C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    3⤵
    PID:13228
- - C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    3⤵
    PID:12936
- - C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    3⤵
    PID:2096
- - C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    3⤵
    PID:10280
- - C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    3⤵
    PID:13668
- - C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    3⤵
    PID:14032
- - C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    3⤵
    PID:14284
- - C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    3⤵
    PID:13840
- - C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    3⤵
    PID:13712
- - C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    3⤵
    PID:13996
- - C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    3⤵
    PID:14528
- - C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    3⤵
    PID:15040
- - C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    3⤵
    PID:1744
- - C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    3⤵
    PID:15288
- - C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    3⤵
    PID:15200
- - C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    3⤵
    PID:8280
- - C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    3⤵
    PID:15532
- - C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    3⤵
    PID:15924
- - C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    3⤵
    PID:15516
- - C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    3⤵
    PID:16188
- - C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    3⤵
    PID:13224
- - C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    3⤵
    PID:16180
- - C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    3⤵
    PID:16632
- - C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    3⤵
    PID:17144
- - C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    3⤵
    PID:16776
- - C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    3⤵
    PID:16908
- - C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    3⤵
    PID:7380
- - C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    3⤵
    PID:17636
- - C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    3⤵
    PID:18044
- - C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    3⤵
    PID:16696
- - C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    3⤵
    PID:17944
- - C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    3⤵
    PID:18932
- - C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    3⤵
    PID:19384
- - C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    3⤵
    PID:19020
- - C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    3⤵
    PID:19404
- - C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    3⤵
    PID:7704
- - C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    3⤵
    PID:12412
- - C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    3⤵
    PID:16040
- - C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    3⤵
    PID:3252
- - C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    3⤵
    PID:19688
- - C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    3⤵
    PID:20148
- - C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    3⤵
    PID:16528
- - C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    3⤵
    PID:19760
- - C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    3⤵
    PID:19636
- - C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    3⤵
    PID:17404
- - C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    3⤵
    PID:11912
- - C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    3⤵
    PID:20980
- - C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    3⤵
    PID:21468
- - C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    3⤵
    PID:18948
- - C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    3⤵
    PID:20500
- - C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    3⤵
    PID:20576
- - C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    3⤵
    PID:19416
- - C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    3⤵
    PID:21608
- - C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    3⤵
    PID:21996
- - C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    3⤵
    PID:22460
- - C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    3⤵
    PID:21804
- - C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    3⤵
    PID:22376
- - C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    3⤵
    PID:16892
- - C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    3⤵
    PID:8196
- - C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    3⤵
    PID:22576
- - C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    3⤵
    PID:23064
- - C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    C:\Users\Admin\Documents\BNEVB0teCHoFaAIeXUjRvMod.exe
    3⤵
    PID:23520
- C:\Users\Admin\Documents\QqeFtxoIYtQflxAbz75Rhr8A.exe
  "C:\Users\Admin\Documents\QqeFtxoIYtQflxAbz75Rhr8A.exe"
  2⤵
  - Executes dropped EXE
  PID:4424
- - C:\Users\Admin\AppData\Local\Temp\is-GO6J0.tmp\QqeFtxoIYtQflxAbz75Rhr8A.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-GO6J0.tmp\QqeFtxoIYtQflxAbz75Rhr8A.tmp" /SL5="$202AE,138429,56832,C:\Users\Admin\Documents\QqeFtxoIYtQflxAbz75Rhr8A.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of FindShellTrayWindow
    PID:4520
  - - C:\Users\Admin\AppData\Local\Temp\is-R7OU8.tmp\Setup.exe
      "C:\Users\Admin\AppData\Local\Temp\is-R7OU8.tmp\Setup.exe" /Verysilent
      4⤵
      PID:8868
    - - C:\Program Files (x86)\SmartPDF\SmartPDF\9840432e051a6fa1192594db02b80a4c1fd73456.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\9840432e051a6fa1192594db02b80a4c1fd73456.exe"
        5⤵
        
        PID:8184
    - - C:\Program Files (x86)\SmartPDF\SmartPDF\stats.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\stats.exe" /Verysilent
        5⤵
        
        PID:13272
      - C:\Users\Admin\AppData\Local\Temp\is-4KFG7.tmp\stats.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-4KFG7.tmp\stats.tmp" /SL5="$10888,138429,56832,C:\Program Files (x86)\SmartPDF\SmartPDF\stats.exe" /Verysilent
        6⤵
        
        PID:18860
    - - C:\Program Files (x86)\SmartPDF\SmartPDF\note866.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\note866.exe"
        5⤵
        
        PID:15340
    - - C:\Program Files (x86)\SmartPDF\SmartPDF\LivelyScreenRecS3.0.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\LivelyScreenRecS3.0.exe"
        5⤵
        
        PID:14592
    - - C:\Program Files (x86)\SmartPDF\SmartPDF\lg.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\lg.exe"
        5⤵
        
        PID:17552
    - - C:\Program Files (x86)\SmartPDF\SmartPDF\PBrowFile15.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\PBrowFile15.exe"
        5⤵
        
        PID:17472
    - - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        5⤵
        
        PID:5544
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:17488
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:19320
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:9252
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:19380
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:18940
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:18316
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:20056
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:676
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:13456
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:20408
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:15092
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:15188
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:20888
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:21416
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:19008
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:9020
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:19360
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:17280
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:19372
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:21932
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:22476
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:21372
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:22392
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:21172
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:17040
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:22660
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:23136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4932 -s 24
1⤵
- Program crash
PID:4888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4704 -s 24
1⤵
- Program crash
PID:5032

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:8268

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Modify Existing Service

T1031

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery